- There were over 1200 ransomware attacks in 2020 in which data stolen from victims was posted to ransomware operator blogs, and the victim ‘named and shamed’.
- Cybercriminals using ‘double extortion’ tactics, threatening both the availability of an organisation’s IT and the confidentiality of private data.
- With organisations paying ransoms with alarming frequency, the report calls for a greater debate to counter ransomware threat.
A new RUSI report argues that ‘cyber criminals continue to exploit victims and cause disruption with impunity’. Ransomware attacks ‘have a significant impact on businesses and organisations across the globe, resulting in high levels of cost and disruption’. Entitled ‘Ransomware: A Perfect Storm
’ and authored by James Sullivan and James Muir, the report explores the lifecycle of a ransomware attack and presents recent case studies.
Using BAE Systems’ Threat Intelligence capability, the report explores the methods, impact and mitigation of ransomware attacks in detail.
The report describes a modern ransomware assault ‘as a “denial of business” attack’ where ‘organisations across all sectors have fallen victim to this type of compromise’. It reveals that in 2020 there were a total of over 1,200 ransomware attacks by operators of 16 different ransomware strains using the double extortion technique, with victims from 63 countries.
Researchers saw a peak of eight new victims being named on ransomware operator blogs per day during October 2020, with a 200% increase in victim blog publications between June and October 2020. Additional data from 2021 victim blogs suggests that 500 victims have been targeted so far this year. One possible explanation for the increase could be the boom in remote working thanks to the Coronavirus pandemic which has increased the potential attack surface into target organisations.
The report analyses the threat from ransomware, the scale of the problem and the ‘perfect storm’ of factors that have led to an increase in profits from this type of cybercrime.
Victims have been medium-sized enterprises (SMEs) through to household name multinationals. Cyber criminals are known to scale their ransom demand based on victim revenue.
The research found that a majority of ransomware victims are based or headquartered in the US, which make up approximately 60% of victims. Conversely, the using data gathered by researchers, the report reveals no victims in Russia and many other post-Soviet countries. Most of the ransomware operators in this dataset are believed to be based in Russia.
While the report acknowledges that ransom payment may be a regrettable ‘last resort’ for some victims and a ‘quick solution’ for others, it argues that all ransom payments fuel the cybercriminal cycle.
By calling for a debate on global ransomware policy choices, the report concludes by offering a set of policy options for policymakers to consider. They range from introducing legislation to ban ransom payments, to technical interventions such as tackling the use of penetration testing tools used in ransomware attacks, to national and international-level mechanisms to bolster preparedness for a ransomware attack.
James Sullivan, Director of Cyber Research at RUSI said:
‘The current model to tackle ransomware is ineffective. This research highlights the uncomfortable victim’s experience from the surge in ransomware attacks over the past twelve months. Ransomware criminals are acting with impunity. It is time for policymakers to get a grip and urgently introduce some new measures to deter ransomware attacks before it gets worse.’
James Muir, Threat Intelligence Research Lead, BAE Systems Applied Intelligence, said:
‘Ransomware operators use a range of methods to compromise victims, and use off-the-shelf tools to their advantage. The ‘double extortion’ technique has proved popular for adding extra pressure on victims. Tracking this activity demonstrates the scale of the problem, and incident response engagements show that organisations are often insufficiently prepared.’
Notes to editors
- ‘Ransomware: A Perfect Storm’ is a RUSI Emerging Insights paper by James Sullivan and James Muir
- James Sullivan is head of Cyber Research at RUSI. James Muir leads on thematic and technology threat research at BAE Systems Applied Intelligence
- Access the paper here: https://rusi.org/publication/emerging-insights/ransomware-perfect-storm
- RUSI is the world’s oldest independent defence and security think tank. Its mission is to inform, influence and enhance public debate on a safer and more stable world. RUSI is a research-led institute, producing independent, practical and innovative analysis to address today’s complex challenges. Established in 1831, RUSI was named ‘Think Tank of the Year’ by Prospect magazine in December 2020
- For further information, or interviews, contact Saqeb Mueen, email@example.com, RUSI +44 795878030 or Nick Haigh, firstname.lastname@example.org, Head of External Communications, BAE Systems Applied Intelligence +44 (0) 7525 390 982
About BAE Systems Applied Intelligence
At BAE Systems Applied Intelligence, we help nations, governments and businesses around the world defend themselves against cybercrime, reduce their risk in the connected world, comply with regulation, and transform their operations. For further information about BAE Systems Applied Intelligence, please visit www.baesystems.com/ai