Cybercrime Trends: Ransomware, BEC, and Data Theft
Moving beyond the growth of fraudulent funds transfer, let's check in on a few other trends in cybercrime.
Percentage change in proportion of Corvus claims between H2 2021 and H1 2022
Here we’re looking at a comparison of the second half of last year to the first half of this year. The first takeaway: third-party risk is growing. We see a significant 66% increase in the share of claims arising from third-party breaches, including a 20% increase for third-party ransomware attacks. This has been a growing trend, with a few high-profile examples that made news headlines. The idea is that threat actors gain leverage by attacking a software provider, because they can then imperil the provider’s customers, whether by exposing sensitive data or by interrupting business operations. One victim can suddenly become dozens or hundreds.

For this half-year-over-half-year view we also looked at a broad "business email compromise" (BEC) category that includes fraudulent funds transfer (FFT) claims. (Nearly all FFT claims are the result of BEC, but BEC has other potential outcomes, such as email account takeovers without a funds transfer, W-2 scams, and gift card scams.) Looking at this category, the impact of BEC is evident: it produced more than 4 in 10 cyber claims in H2 2021, rising by about 10% to reach 45% of claims in H1 2022. Once again, while ransomware dominates the headlines, BEC and FFT remain the consistent workhorses of cybercrime.

While ransomware’s share of the claims pie has fallen from its historic highs, threat actors are no less rapacious when an attack does succeed. In the first half of this year the share of ransomware claims in which a ransom was paid was unchanged at 34%, and the average ransom paid ticked up by 4%, to $255,000. And even though there were fewer ransomware claims in the first half of this year, a larger percentage of them involved data exfiltration, a tactic used to increase leverage over the victim.
Data Theft: The Evolving Face of Extortion
Data exfiltration (theft) now occurs in nearly 50% of ransomware claims, a historic high, which means that many victims will have a harder time standing down their attackers. If data is stolen, the threat is no longer limited to the victim's IT systems: it extends to their brand reputation and to liability for exposure of sensitive information. The rise of exfiltration, up 25% from H2 2021 to H1 2022, underscores that extortion tactics are alive and well, and that the genre we came to know as ransomware could mutate over time into a broader "extortion economy".
The evolution in law enforcement and sanctions (see next section) means we anticipate that threat actors will be forced to get more creative. It's worth remembering that ransomware is only one form of extortion. Other forms, built on the threat of releasing sensitive data or information, may prove effective for threat actors while attracting less attention from authorities. At Corvus we have yet to see data exfiltration be the sole tactic of an attack, but reports on the Lapsus$ gang's activity earlier this year noted that it focused almost exclusively on stealing sensitive data as the primary lever for extortion. We're keeping a close eye on how threat actors approach extortion with an evolving set of tactics.
Ransomware Geography: Where is it happening, and why?
In this report we’ve discussed how fraudulent funds transfers have risen, seemingly at the expense of ransomware. For that to happen on a broad basis, many threat actors must either be thwarted in their ransomware efforts or otherwise decide not to pursue what has been a highly profitable enterprise. So what’s driving the decline in ransomware frequency?
It's worth noting that the ecosystem behind most ransomware attacks is populated by highly organized groups, which over time have grown in size and developed many of the hallmarks of regular business enterprises, such as HR departments. Achieving scale increases these groups’ efficiency and effectiveness, but it also puts a target on their backs.
We’ve seen the downside of that notoriety rear up in law enforcement action and sanctions, mostly coming from the U.S. federal government. Since last year, and particularly since the outbreak of war in Ukraine, we’ve observed a divergence between global and U.S.-based ransomware activity. Globally, after a brief dip in January and February of this year, ransomware rates returned to the historically high levels seen throughout 2021. But that activity is gradually being pointed at targets outside the U.S. By May 2022, U.S. targets made up just one third of all reported ransomware attacks, down from a high close to 50% a year earlier: a relative decline of more than 30%, or roughly 17 percentage points.
In the past year, the U.S. has demonstrated that it can impact ransomware actors if they are bold enough, and public enough, in their efforts. The Conti group recently disbanded and is putting its efforts into collaborating with smaller ransomware actors; pressure from law enforcement and the threat of Western sanctions are believed to have contributed to that decision. In addition, in 2021 the Office of Foreign Assets Control (OFAC) announced sanctions specifically targeting intermediary businesses that enable ransomware operations, such as certain cryptocurrency exchanges.
But it’s not just that certain groups focused on U.S. targets have been clamped down on: the most active groups have actually shifted their targets. This phenomenon is clearly visible in the activity of the most prolific ransomware group of the past year, Lockbit (figure 7). (This data predates the recent arrest of a Lockbit associate in Canada.) The accumulation of skills specific to attacking U.S.-based companies means it's unlikely any group could flip a switch and radically shift its geography overnight. But the figures from Lockbit show a steady shift underway. Will this create a vacuum that gets filled by other, ambitious threat actors? Time will tell.
On top of these targeted efforts, there’s now also a wall of sanctions levied against Russia since its invasion of Ukraine. Since Russia harbors several of the most prolific ransomware groups, the sanctions may have caused collateral damage. Rob Joyce, the U.S. National Security Agency’s (NSA) director of cybersecurity, recently said that since the invasion of Ukraine the NSA has seen “the criminal actors in Russia complain that the functions of sanctions and the distance of their ability to use credit cards and other payment methods to get Western infrastructure to run these [ransomware] attacks have become much more difficult.”
Ransomware is affected by dozens of overlapping factors, and the resulting picture is complex, to say nothing of the opacity inherent in an ecosystem of shadowy, semi-anonymous figures. For now it appears that targets have shifted from the U.S. to elsewhere, but we're cautious about projecting forward. The next wave could be brewing.