In the last decade, the ransomware and data extortion landscape has expanded significantly, as groups have emerged, closed, rebranded and developed new variants. We have seen multiple high-impact incidents such as the DarkSide ransomware attack on US Colonial Pipeline in May 2021, and the REvil attack in July of the same year that targeted US-based IT management software provider Kaseya and impacted at least 800 companies worldwide.
We have also observed significant increases in the number of business email compromise (BEC) incidents. These incidents are reported far less frequently than ransomware incidents; however, between June 2016 and December 2021, the US FBI recorded over USD 43bn in funds stolen through BEC globally, with USD 2.4bn stolen in the US alone in 2021. The FBI also saw a 65% increase in global losses from BEC incidents between July 2019 and December 2021¹.
We have observed multiple significant changes in the ransomware landscape that we assess have likely resulted in or indicate a decline in ransomware profits in at least the short term, while BEC profits continue to grow. Cybercriminals will continue to identify new ways to generate revenue, including using innovative tactics to boost income, socially engineer victims and compromise networks.
All of these factors indicate ransomware has likely become less profitable for threat actors. As organisations become increasingly aware of the importance of mitigation measures and data recovery techniques, they are less likely to pay ransoms to restore systems and data. The conflict in Ukraine has also resulted in a reduced appetite for paying ransomware groups, as many operate from within Russia and in some cases in support of the state.
We assess that the reduced profitability of ransomware as well as significant scrutiny from law enforcement are likely to result in many threat actors changing their targeting focus and methods. This will include targeting new sectors and geographies, using more aggressive tactics and engaging in alternative cybercrimes such as business email compromise (BEC). BEC requires lower capabilities and fewer resources compared with ransomware and is less likely to come under close law enforcement scrutiny while still providing the opportunity for significant financial gain.
Despite all of this, we assess ransomware will continue to pose a high threat to organisations across sectors and geographies. This is illustrated by a significant peak in the number of victims named on leak sites in March 2023, which was the result of the Clop ransomware group exploiting a single vulnerability to target more than 100 organisations.
Even with a relatively low ransom payment rate of 45%, ransomware still provides considerable profits for groups. We will likely continue to see highly capable and well-resourced groups, such as LockBit, BlackCat, Play, Royal and others, targeting organisations globally, though the number of threat actors conducting such attacks is likely to remain broadly stable in the coming months. Ransomware groups will also likely continue to incorporate novel pressure tactics in an attempt to increase their success rates.