Not a day goes by without learning of a new ransomware attack, we all perceive the damage caused by these attacks, but it is always difficult to explain to companies and their managers what the economy behind this criminal practice is and why it is legitimate to believe. that the worst is yet to come.
The factor that has contributed most of all to the success of ransomware operations in recent years is the use of the ransomware-as-a-service model which reached its highest levels in 2021. In this model, a criminal group provides its own code ransomware to a network of affiliated gangs that distribute it. The proceeds of the redemptions are then divided with percentages that are a function of the different gangs and the amounts of the redemptions (for high redemptions the percentage to be given to the main group is reduced, an incentive to attacks against large organizations able to pay large amounts) .
According to a report released by blockchain analytics firm Chainalysis, organizations that were victims of ransomware attacks paid a whopping $ 602 million in ransoms in 2021. This is a slight drop from last year’s total in which organizations paid $ 692 million. in cryptocurrencies to the different gangs, however Chainalysis warns that the estimate for this year is to be considered provisional because other payments could be identified in the coming weeks. In fact, the estimates seem decidedly downward if we cross the data of the report with those published in recent months by other companies that deal with blockchain analysis such as Elliptic and that let us predict an annus horribilis regarding ransomware attacks.
“There is a slight delay in the ransomware data, so we expect that when these numbers are updated in a few months, 2021 will have higher numbers than 2020.” reads the relationship of Chainalysis.
We also add the difficulty in tracking the totality of payments, sometimes due to negotiations with the victims conducted completely privately, which would bring the total to much higher figures. You may be wondering then which of the criminal gangs has been the most effective in recent months, and the answer provided by the report is the Conti gang whose revenues in 2021 reached an incredible 180 million dollars extorted from victims. The Conti group implements a Ransomware-as-a-Service (RaaS) extortion model and has been active in the threat landscape since December 2019. The group manages a network of affiliates to which it offers its malware and its services, withholding from the ransoms paid to affiliates a percentage of about 20-30%. According to the American Cybersecurity and Infrastructure Security Agency (Cisa) and the Federal Bureau of Investigation (Fbi), the Conti gang is linked to over 400 attacks on companies in the United States and around the world.
In the ranking of the gangs with the highest profits we also find Darkside, the group that hit Colonial Pipeline last May, with a total of ransom proceeds of approximately 85 million dollars. It should also be said that since July 2020 the group has been renamed to BlackMatter and continues to be present in the ranking of the top 10 criminal organizations with the highest profits in 2021.
Another worrying figure to emerge from the report is the increase in ransom amounts, a trend that has emerged since 2018. The average amount of ransomware ransomware payments in 2021 was over $ 118,000, while in 2020 it was 88,000 and 25,000. in 2019.
“One of the reasons for the increase in ransom amounts is the attention of ransomware gangs to carry out highly targeted attacks against large organizations.” The report continues. “This ‘big game’ strategy is made possible in part. by using tools provided by third-party criminal groups to make their attacks more effective “.
Ransomware attacks are profitable activities in the criminal ecosystem, and for this reason the number of ransomware gangs increased in 2021. Chainalysis observed at least 140 ransomware groups receiving payments from victims in 2021, while in 2020 the groups were 119 and 79 in 2019. Another interesting aspect is the persistence of the ransomware operations of the various gangs, most of which were active at intervals and only for short periods, with some exceptions, such as the Conti group which remained constantly active throughout 2021.
The report also highlights that although most ransomware attacks appear to be economically motivated, actors working for governments use this practice for multiple purposes, including diversion, espionage, sabotage, and fundraising. Many operations are suspected to be linked to state actors linked to Iran, Russia, China and North Korea. The data provided by the reports provide us with a single certainty, ransomware attacks will continue to increase in the coming months, and new groups will emerge on the international scene. In light of this consideration, it is crucial not to be caught unprepared and to dedicate the necessary investments to defense in order to avoid important consequences for our organizations and national critical infrastructures.