As the ransomware industry has expanded over the last decade, so has the number of sources attempting to track the phenomenon in all its financial and human horror.
Today, keeping up with either has become a full-time job. Ransomware has become ubiquitous, but so have the mainly private sector security companies queuing up to tell everyone how bad things have got.
The point of these reports, analyses, and surveys is to give organizations a wider perspective and perhaps early warning. So, what does the latest data tell us?
If only it was easy to tell. According to security vendor Zscaler, the number of attacks blocked by its cloud security service in the year to April 2023 rose a hefty 37% compared to the previous year.
Alternatively, a Sophos 2023 survey of 3,000 global IT and security professionals found that the number reporting an attack on their organization had remained static at 66%.
Meanwhile, a Thales survey of an identical number of IT professionals put the proportion experiencing ransomware attacks at only 22%.
The contrasts here underline a problem—each report is gauging ransomware using different measurements and data sets.
Zscaler measured attacks detected against customers, something which might tend to increase over time anyway. What matters more is the number of successful attacks, but this is impossible to know without mandatory reporting, hence Sophos and Thales falling back on subjective surveys.
Even the FBI’s widely cited Internet Crime Complaint Center (IC3) annual report only measures the minority of incidents and losses organizations bother to report.
Threat Group Surge
This confusion over what’s meaningful can sometimes obscure more significant aspects of ransomware evolution. A good example from Zscaler’s report is how Ransomware as a Service (RaaS) seems to have more than doubled the number of active ransomware groups from 19 in 2021 to 44 in 2023.
This is a notable rise in just two years. More groups result in more innovation and perhaps less predictability with a growing number of “encryptionless” incidents using data release as the sole extortion tactic. As Zscaler’s researchers point out:
“This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support.”
Assuming incidents aren’t reported, encryptionless incidents are also harder to detect because there’s less malware to track.
“Therefore, encryptionless extortion attacks tend to not disrupt their victims’ business operations—which subsequently results in lower reporting rates,” said Zscaler.
This in turn makes it even harder to know whether ransomware is getting better, worse, or staying about the same.
A fairer assessment is that whatever the numbers show at any one moment, we’re still in the middle of the ransomware era with some way to go. Many organizations are better protected, which has driven attackers to target those which aren’t. Attackers are also aiming for more spectaculars, including in the supply chain.
Perhaps the best measurement of what this means for organizations is simply the abstract one of risk. Although risk is difficult to quantify, there's no doubt that it is high and will remain so for years to come.