In 2021, ransomware attacks worldwide almost doubled from the previous year, with North America facing around 53% of the attacks. While these ransomware attacks targeted private companies such as Apple (April 2021) and Kronos (December 2021), they also attacked 14 of 16 American critical infrastructure sectors. The most prevalent of these attacks occurred in May 2021 with the Colonial Pipeline Ransomware attack by DarkSide Ransomware, which shut down the main fuel pipeline between Texas and New York. However, despite ransomware’s prevalence in 2021, ransomware attacks have increased so far in 2022. As of June 1, 131 ransomware attacks were reported, compared to the previous year’s record of 120. It is assessed that this increase results from the ransomware market’s evolution, professionalization, and profitability.
Before late 2021, ransomware gangs typically built and launched ransomware attacks against targets. However, in late 2021 and early 2022, ransomware gangs turned to licensing out their pre-built ransomware, as it is more lucrative and provides a level of protection to the developers. This trend, known as Ransomware-as-a-Service (RaaS), operates as a business model between ransomware developers and affiliates who may lack the time or skill to build ransomware. In the RaaS model, the developers develop their ransomware, promote it, and recruit affiliates on forums. The developers then provide affiliates with victim payment portals and may allow the affiliates to customize their ransomware packages. RaaS revenue models can take the shape of monthly subscriptions, profit sharing, or one-time license fees. The affiliates then use the developed ransomware to launch attacks and demand ransoms from the victims. Since ransomware is easier to get a hold of and the affiliates do not have as developed skills, threat actors are more common and have targeted a wider range of industries, from K-12 and collegiate education systems to the Costa Rican government.
While the RaaS model has allowed developers to make money from affiliates, it has also allowed developers to update and improve their ransomware. As a result, ransomware has become more sophisticated, with reports indicating that ransomware attacks take only four days on average to encrypt data rather than the nearly ten days on average in 2021. The depreciation of encryption time is significant as RaaS developers, such as LockBit 2.0, BlackCat, Hive, CL0P, and Conti, continue to promote and push out their ransomware to the black market.
With the continued growth and deployment of RaaS against the United States, defenders need to be prepared for potential attacks. If you are a Hive-IQ® user, join TeamWorx Security on July 12, 2022, as TeamWorx Security staff and panelists Scott Barnabo, Cyber Threat Intel Specialist at US Army Europe; and Jimmie Collins, Branch Chief of Planning and Operations at the Hawaii Office of Homeland Security, discuss current ransomware trends, the future of ransomware, and how we can safeguard our organizations against these attacks.
Alex is an Intelligence Analyst at TeamWorx Security. He has experience in the history/museum world researching, writing, and breaking down large pieces of information on complex topics into understandable bits for a general audience. His experience analyzing the past to better understand the present is a great asset in his intelligence research and writing.