Arete, a leading global cyber risk management company, has released the second volume of its Investigative Cybercrime Series in collaboration with cybersecurity research firm Cyentia. The report, titled Reining in Ransomware, explores the most prolific ransomware strains, ransom demand and payment trends, and the implications of data exfiltration. The data for this research comes directly from nearly 1,500 ransomware events investigated by Arete, exceeding $1 billion in ransom demands. The insights in the report are drawn from thorough examination of tactics, techniques, and procedures (TTPs) employed by the threat actors. Mr. Raj Sivaraju, President, APAC, Arete shares more insights on the same.
What are the key findings in Arete’s recent report ‘Reining in Ransomware’?
In the first report of this series, Mitigating Ransomware’s Impact, Arete shared data-driven insights on ransom demands and payments, victims’ industry and implemented controls, likelihood to pay, and reasons for payment. The report provides insight into how data has helped Arete negotiate ransoms down by up to 93 percent, with all the requested recovery tools and reports successfully delivered to the client. The key findings of the recent report titled “Reining in Ransomware” are that in 2022, seven of the top ten ransomware strains were brand-new, indicating that cyber risk tactics are rapidly evolving. Cyber incidents that took advantage of unsecured remote access services accounted for 61%. As digitization grows, attacks change as well. Over 50% of ransomware incidents happen due to one of the top ten post-compromise techniques. There has been a five-fold increase in ransomware demands since 2019, and it will happen six-fold more frequently in the future due to data exfiltration.
What are the key takeaways from the report for insurers?
There is no doubt that over the past few years, there has been an increase in ransomware incidents and claims. However, numerous indicators—including Arete’s caseload—indicate at least a brief downturn. That is not to say that ransomware gangs have abandoned their schemes, but we are witnessing a changing guard, which will undoubtedly influence future developments. Seven out of the top ten ransomware strains in 2022 did not appear on this list last year. That suggests that these groups experienced many failures, making it more important to watch trends to manage risk.
What are the capabilities and defenses against ransomware?
To examine the most effective defense strategies used by the most prevalent ransomware strains, Arete has used the information their investigators gathered and information from cyber threat analysts. A ransomware incident can be divided into three phases: data exfiltration, post-compromise, and infection vectors. However, being aware of what ransomware does is only half the solution. The other half is working on a cyber risk mitigation plan. Arete evaluates the best defensive measures for mitigating ransomware incidents at each stage of a ransomware event.
How does ransomware infect victims?
The initial access technique is something that Arete responders pay close attention to when conducting a ransomware investigation. It would be ideal to prevent attackers from successfully introducing malware into the victim’s environment in the first place, because that is what determines everything else that follows. The objective of this study is to identify those common infection vectors and help concentrate on preventive strategies.
How is Arete addressing the changing trends in cybersecurity?
In order to reduce the burden of forecasting, identifying, and responding to cyberattacks, Arete works in partnership with clients in their transformative journey. Our team of cybersecurity experts has developed unmatched capabilities to address the entire cyber incident life cycle, from incident response readiness assessments to post-incident remediation and managed security services, based on years of experience battling cyber threats and nation-state attacks. These services, which are offered in 40 different languages, will re-establish trust and confidence while assisting clients in dealing with the entire threat life cycle and improving their overall cyber posture.
What are the most common ransomware families?
We are observing an increase in the number of ransomware families and incidents due to the proliferation and continued development of ransomware-as-a-service (RaaS). As a result, investigators endeavor to identify the families of ransomware strains after each incident. Looking at the top 10 ransomware families by year, it’s not surprising to see the appearance of some of Conti’s purported offshoots on this list—Hive, BlackCat, and AvosLocker. The spread of Ransomware-as-a-Service (RaaS) has allowed ransomware like Lockbit and Suncrypt to rise in prevalence. Makop will be one to keep an eye on—it is a trending piece of ransomware that asks users to contact the attacker via Tox (a P2P text messaging application). Once in contact, the malware then encrypts all the files until payment is received.
