In a world where cyber threats seem to be everywhere, a recent study has turned up some surprising good news: ransomware attacks on state and local governments fell by 51% in 2024. That decline does not mean the ransomware threat is over, however, and it is no reason for complacency. As the nature of ransomware evolves, so do its consequences, costs and implications for businesses and critical infrastructure.
What is behind the decrease in ransomware attacks? And what does it mean for the future of cybersecurity? Let's take a closer look.
The figures behind the decline
The reported 51% decline in ransomware attacks on state and local governments can be attributed to several causes. Some specialists suggest that the reduction is due to fewer governments agreeing to ransom demands, making them less attractive targets for cybercriminals.
In the past, local governments were frequently targeted and inclined to pay ransoms to restore critical services. That has changed. Today, only around 20% of state and local governments surveyed paid the ransom, a substantial decrease from previous years. This reluctance to pay has cut into the profitability of ransomware operators and has made other sectors, potentially less resistant to paying, more attractive targets.
The impact of law enforcement and infighting within threat groups
Law enforcement has played a significant part in disrupting major ransomware operators, contributing to the decrease. In late 2023 and early 2024, international law enforcement agencies, including the FBI, conducted coordinated operations against the BlackCat/ALPHV and LockBit ransomware groups. These operations did not eliminate the groups entirely but dealt severe blows to their operations by dismantling their infrastructure and identifying key members.
As the pressure mounted, internal disputes among ransomware groups came to light. For example, the LockBit group saw a widely publicized dispute between one operator and an affiliate over payment, further eroding trust within the group. BlackCat, for its part, disappeared in a probable exit scam, abandoning its affiliates without support. These disruptions, external from law enforcement and internal from infighting, have driven an exodus of ransomware affiliates away from these prominent brands.
Reasons behind the decline in ransom payments by governments
The downturn in ransomware attacks is closely tied to a fundamental shift in how governments respond to these incidents. In previous years, many municipalities quickly paid ransoms to regain access to their systems. This practice sustained the financial incentive for ransomware groups. Now, greater awareness of the dangers of paying, along with increased support from the Cybersecurity and Infrastructure Security Agency (CISA), has led to a more cautious approach.
CISA's involvement has been crucial in helping governments recover from ransomware attacks without paying, demonstrating that agencies have alternatives to giving in to extortion. This shift has considerably reduced the financial incentive for ransomware operators to target local governments.
Homeland Security, the FBI and the Secret Service help state, local and other governments prevent and respond to ransomware attacks. Most government entities report satisfaction with the prevention and response efforts of these agencies. Many, however, cited poor communication during incidents as a challenge.
Rising costs of ransomware incidents
Despite the decline in ransomware attacks, the cost of recovering from them has surged. The 2024 IBM Cost of a Data Breach report found that the average cost of a ransomware attack reached $4.91 million across all sectors. According to Sophos, the average recovery cost for state and local governments in 2024 reached $2.83 million, more than double the $1.21 million reported in 2023. This increase can be attributed to the growing sophistication of ransomware attacks, notably in how they target system backups.
Previously, many organizations could recover from ransomware attacks by restoring data from backups. However, ransomware groups have become better at compromising these backups as well: 99% of state and local government entities hit by ransomware reported attempts to compromise their backups. Slightly over half of those attempts succeeded, leading to substantially higher recovery costs as organizations were forced to rebuild their systems from scratch.
The shift towards unaffiliated actors
One of the more intriguing developments of 2024 has been the rise of unaffiliated ransomware actors. Coveware documented a notable increase in attacks by unaffiliated actors, commonly called "lone wolves." These attackers operate independently of established ransomware brands such as LockBit or BlackCat, making it harder to attribute incidents to a specific group.
This trend towards unaffiliated actors can be traced to the collapse of prominent ransomware groups. As law enforcement action and internal conflict destabilized these groups, many ransomware affiliates chose to operate on their own or under other ransomware brands. Data indicates that affiliates are moving between ransomware groups with ease or, in some cases, becoming entirely unaffiliated to avoid drawing attention to any particular group.
The rise of unaffiliated attackers poses a new challenge for cybersecurity professionals. Without a clear link to a brand, it becomes harder to predict and defend against incidents. Businesses and government agencies must focus on protecting against the tactics, techniques and procedures (TTPs) of ransomware attacks rather than only tracking the movements of known groups.
One example of such a solution is Endpoint Detection and Response (EDR). EDR tools continuously monitor endpoints (computers, servers, mobile devices) for suspicious activity, enabling prompt identification of and response to ransomware and other malware. These tools can recognize anomalies in user behavior, lateral movement across the network, or unusual file access patterns, which are frequently indicative of ransomware operations.
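One way to encode the file-access heuristics described above, as an added example over constructed endpoint events (not the article's code, nor that of any EDR product); the process names, paths, extension allow-list and thresholds are assumptions, and the backup-deletion check ties in the backup-targeting behaviour discussed earlier:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry, not real EDR output:
# (ISO timestamp, process name, action, file path)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "winword.exe", "write", "C:/Users/a/Docs/memo.docx"),
    ("2024-05-01T10:00:03", "winword.exe", "rename", "C:/Users/a/Docs/memo.docx"),
] + [
    ("2024-05-01T10:01:%02d" % i, "updater.exe", "rename",
     "C:/Users/a/Docs/report%d.xlsx.locked" % i) for i in range(8)
] + [
    ("2024-05-01T10:01:09", "updater.exe", "delete", "D:/Backups/daily-2024-04-30.vbk"),
]

BURST_WINDOW = timedelta(seconds=60)   # assumed tuning: look-back window for rename bursts
BURST_THRESHOLD = 5                    # assumed tuning: renames per process within the window
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "pptx"}   # assumed allow-list of normal extensions
BACKUP_HINTS = ("/backups/", ".vbk", ".bak")          # assumed markers of backup artefacts


def detect(events):
    """Return (process, reason) alerts for ransomware-like behaviour in a list of events."""
    renames = defaultdict(list)   # process -> timestamps of renames to an unfamiliar extension
    alerts = []
    for ts, proc, action, path in events:
        when = datetime.fromisoformat(ts)
        lower = path.lower()
        # Destroying backups before or during encryption raises recovery cost; flag it directly.
        if action == "delete" and any(h in lower for h in BACKUP_HINTS):
            alerts.append((proc, "backup artefact deleted: %s" % path))
        # Only renames that leave the file with an unfamiliar extension count towards a burst.
        elif action == "rename" and lower.rsplit(".", 1)[-1] not in KNOWN_EXTS:
            renames[proc].append(when)
    for proc, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append((proc, "%d files renamed to an unfamiliar extension within %ds"
                               % (end - start + 1, BURST_WINDOW.seconds)))
                break
    return alerts


if __name__ == "__main__":
    for proc, reason in detect(SAMPLE_EVENTS):
        print(proc, "->", reason)
```

The ordinary Word activity produces no alert, while the constructed updater.exe burst and backup deletion each do; in practice such thresholds are tuned per environment to keep false positives down.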
The implications for enterprises and critical infrastructure
Although the reduction in ransomware attacks on state and local governments is encouraging, enterprises and critical infrastructure operators must not let their guard down. The methods used by ransomware groups are evolving, and while some affiliates may be leaving the cyber extortion business, others are expanding and building out their own infrastructure.
For enterprises, the focus should shift from defending solely against known ransomware groups to defending against the broader range of TTPs used in ransomware attacks. This includes hardening backup systems, since ransomware groups continue to target backups to increase the cost and complexity of recovery.
Organizations should also remain alert to the possibility of unaffiliated actors targeting their systems. The fluid ransomware landscape means new threats can emerge rapidly, and without the brand recognition typically associated with high-profile attacks, spotting these threats early may be harder.
Stay vigilant
Increased law enforcement involvement and governments' reluctance to pay ransoms are positive developments, but they do not signal the end of the ransomware threat. With threat actors facing headwinds, now is the time for organizations to step up their cybersecurity efforts. The cost of complacency is simply too high.