How Ransomware is Evolving

Over the past two years, it’s been hard to miss the unmistakable rise in ransomware attacks affecting businesses everywhere. Headlines throughout 2021 and into the start of this year were dominated by ransomware attacks underway, or the long-term effects they were causing on businesses, supply chains, and other essential functions.

It should come as no surprise, then, that in 2021 ransomware attacks nearly doubled in frequency, according to the Verizon Data Breach Report, accounting for 10 percent of all breaches affecting organizations today. These attacks didn’t discriminate, affecting businesses of every size and industry, as well as crippling hospitals, schools, governments, critical infrastructure, and other essential organizations.

REvil group is one of the cyber-threat actors, responsible for attacks on JBS and Kaseya. JBS, one of the largest meat suppliers in the U.S, was forced to pay $11 million in ransom to restore its operations. Similar attacks also affected organizations such as German chemical distributor Brenntag and commercial insurer CNA Financial — highlighting the breadth of industries and companies being affected by these attacks.

For MSPs, this is an essential trend to pay attention to, both for themselves and for their clients. In 2021, more than a third (37 percent) of organizations reported being victims of a ransomware attack during the year and 54 percent of IT decision makers say they believe that ransomware today is too advanced for their IT team to handle on their own. MSPs can play an essential role in protecting their clients from these types of attacks and helping to build security strategies that can limit their risk long-term.

Further reading A Security-First Approach to Backup and IT Management: Elevating MSPs in an Age of Increasing Cyberthreats

Attacks Find New Target in Critical Infrastructure

In 2021, we saw significant attacks hit critical infrastructure organizations, an emerging trend that's incredibly concerning. One example is the ransomware attack on Colonial Pipeline, an organization that supplies a significant portion of the fuel to the East Coast of the United States. As the attack shut down the fuel pipeline for multiple days, it broke the chain of supply, resulting in lengthy lines at gas stations and fuel pumps across the country. The company ultimately paid the attackers a $4.4 million ransom, although the FBI was able to recover half of it later.

The attack on Colonial Pipeline wasn’t alone. Ransomware became the number 1 attack vector for industrial organizations in 2021, with manufacturing becoming a particular target for attack, representing 65 percent of cases detected at such organizations. The same report found that half of these attacks were caused by two ransomware groups: Conti and Lockbit 2.0.

Ransomware as a Service Enabling New Attackers to Rise

Ransomware as a service is a business model between a dark web IT organization and a threat actor in which an actor pays to launch ransomware attacks developed by hackers.

Further reading Why Dark Web Monitoring Should Be Top of Mind for MSPs

While not a new concept during the year, ransomware as a service continued to play a significant role in 2021 in making it easier for cybercriminals to launch their attacks, even with little or no expertise in the area. By one measure, there are about 56 groups currently offering ransomware-as-a-service products to attackers — a trend that is likely to grow, as there is minimum mitigation for these types of groups, and ransomware proves to be effective and lucrative for attackers.

Further reading The Rise of Ransomware as a Service (RaaS): What MSPs Should Know in 2022

Attacker Tactics Changing

Another new evolution of the ransomware game in 2021 was the rise of victim naming and shaming amidst an attack, in addition to the ransom payment itself. The year saw numerous examples of attackers not only encrypting data, but also publicly announcing the names of their victims and that an attack was underway. According to one measure, there was an 85 percent increase in the sharing of names and proof of compromise in 2021 versus 2020, with 35 new ransomware groups emerging that leverage extortion techniques regularly. This is a form of blackmail, forcing victims to promptly pay the ransom to end the attack, or pushing them for a higher ransom payment. In some cases, it also highlighted the prowess of the attackers to their peers on the dark web.

Costs from Ransomware Rising

As the prevalence of ransomware attacks continues to rise, so do the costs. The average cost of a ransomware demand in 2021 was $2.2 million, compared to $900,000 on average in 2020, and $541,010 in 2019. While not all organizations choose to pay the ransom and pursue other means to recover, these escalating total costs are a significant burden to bear for organizations of any size, from the largest enterprise to the smallest SMB.

However, the cost of a ransomware attack doesn’t stop at the payment itself (if an organization has decided that paying the ransom is in its best interest, which is a debate in itself). Full recovery from an attack is much more than simply decrypting and restoring the data, although that is an essential piece of the equation. It may also require that entire systems be rebuilt or further downtime be experienced to ensure that systems are working properly, among other factors. On average, it takes the majority of businesses (66 percent) around 15 to 30 days to recover from a ransomware attack.

MSPs not Immune from Attack

When it comes to protecting organizations from attack, MSPs also need to consider how they are limiting risk within their own four walls. This is important, not only because of the associated costs but also because a ransomware attack can affect an MSP’s ability to provide ongoing support to clients, as well as potentially make them a vector of attack on their customers, due to their high level of connectivity and privileged access to client systems.

Further reading How MSPs Can Educate Customers on Ransomware Prevention

One wake-up call in 2021 was the attack on Kaseya, which a lot of MSPs are familiar with, as it offers IT management software that many leverage to run their businesses effectively. In July, the company announced that it had been hit by a ransomware attack that ultimately rippled out to affect 1,500 organizations around the world that use its software. The attackers, REvil, demanded $70 million in ransom from the company, which Kaseya ultimately declined to pay and obtained a decryption key through other means.

This attack is an example of why MSPs need to ensure that they are protecting not only their clients from attack, but also themselves. This includes leveraging strong cybersecurity measures and best practices, as well as carefully evaluating the critical software that they are using within their environments to make sure the vendor employs strong cybersecurity practices to develop and maintain its software.

These are just a few ways that ransomware has evolved in 2021. While that year has now come to a close, the trends discussed above continue to remain prevalent and cause real impact to organizations in every industry, and of every size. Given these impacts, it is important that MSPs follow these trends closely and continuously adapt their strategies with customers to ensure they are helping them successfully mitigate the risks that face them in today’s landscape.

As the number of cyberattacks continues to rise, MSPs often stand on the front lines of their clients’ protection, helping them limit risk. Password management is one simple way to make a big difference when it comes to lowering overall cybersecurity risk — something that benefits both the MSP and its customers for the long term.

Further reading Stay safe from ransomware with MSP360

About the author
Kurt Abrahams is the Vice President of Marketing at MSP360 with expertise in technology marketing, cybersecurity and AI based technology.

More articles by Kurt Abrahams