The evidence for this phenomenon includes a report from security company SonicWall, which recorded 236.1 million global ransomware attempts in the first half of 2022, a 23% drop compared to the same period in 2021.
The figure for the April-to-June 2022 quarter was 106 million attempts. That’s a huge number, but still the fourth quarter in a row where the volume of attacks has dropped. According to the company, the peak for ransomware volume was Q2 2021, which recorded 189 million attempts.
SonicWall is only one view on ransomware, of course, but it is a sizable global company selling a range of security appliances which catch attempted malware attacks, so its figures probably point to a trend.
It’s also not the only company reporting drops in volume. U.K. security company NCC Group also recently reported a drop in attacks for May 2022 (attacks being, arguably, a more important indicator than the volume of attempts). Likewise, KELA saw a 40% drop in attacks in Q1 2022 compared to the previous quarter.
This sounds like good news, but is it as positive as it appears to be, and will it continue?
The first thing to say, as already noted, is that volumes are not necessarily the best indicator of malware activity. For example, bulk spam is still a huge problem by volume, but its impact is small compared to the early 2000s heyday of this type of hazard. More than 99% of spam is filtered before it reaches anyone’s inbox.
What matters more is the victim count, and by any measure ransomware is still a serious menace, compromising an unknown but large number of organizations every month across the world.
The second caveat is context. While ransomware attacks have fallen in volume recently, SonicWall’s figures for the first half of 2022 already surpass the yearly totals for 2017, 2018, and 2019. Put more starkly, the significant decline comes after a staggering increase during the pandemic.
The interesting question is why attacks might be falling at all, when the chances of success and profit remain so high.
SonicWall mentions several factors, including the volatility of cryptocurrency and more stringent requirements for ransomware insurance driving a trend toward better disaster recovery. It suggests that this might have cut the number of ransoms being paid, lowering returns for attackers.
However, the biggest factor is probably the war in Ukraine, which has caused a range of problems for the largely Russian-based ransomware industry. This theme was covered by this blog some months ago, and the figures suggest it might not be unsupported speculation.
Russia’s bad actors, it seems, have been disrupted by the war, especially by sanctions taken by the U.S. against the cryptocurrency exchanges on which they depend to launder ransoms.
If we assume ransomware has been dented as the figures suggest, the first takeaway might be that a significant part of the ransomware problem is really a Russia problem. Without the country’s government turning a blind eye to criminals (the occasional police action aside), ransomware would still exist, but at much lower levels.
The second is that ransomware’s story is not simply one of increasing volumes, but of constant evolution. Despite setbacks for the criminals, this will continue. That’s why nobody would be surprised if the volume of attacks ticks upward again in a few months. The challenge for us remains the same as it has always been: evolve faster than the attackers.