Chris Swagler | August 3rd, 2022

In Q2 2022, the battleground between ransomware affiliates and cybersecurity providers expanded. Ransomware groups such as Black Basta, BlackCat, Hive, and Quantum are among the existing and new ransomware-as-a-service (RaaS) groups that have absorbed the disbanded Conti affiliates following the Conti Leaks and the Russian invasion of Ukraine. With two US states, Florida and North Carolina, banning municipal organizations from paying ransoms, preventative policy is evolving. There are arguments on both sides of the issue, and this may be a worthwhile experiment, but the data must be constantly monitored. Analysis of how well the policy is working in comparison to states without similar laws can be hampered by the lack of uniform reporting.

The Cyber Incident Reporting Act, which mandates incident reporting, a crucial component of data aggregation, was signed into law. Because of the rulemaking and implementation process, it can take more than 2 years before the first report is filed with CISA. Defenders can stay ahead of the cybercriminals’ constant innovation if mandatory incident reporting is expedited. Threat actors using ransomware have been developing new techniques. A year ago, only a small percentage of ransomware variants were able to encrypt operating systems that weren’t Windows-based. Today, nearly all RaaS variants target every server regardless of operating system, and have robust Windows, Linux, and ESXi versions.

Cybersecurity teams from large companies have had the chance to make a significant investment in perimeter security, privileged access management tools, segmentation, and continuity assets and strategies in the wake of the anniversaries of the Colonial Pipeline and Kaseya attacks. Companies with adequate security expenditures and the right culture have made themselves targets for financially motivated threat operators due to the high-profile attacks.

Ransomware affiliates, or their RaaS brand, appear to be less inclined to participate in high-profile attacks that might put geopolitical pressure on them or draw the attention of law enforcement agencies. RaaS operations have changed in reaction to stern law enforcement action against the DarkSide and Conti ransomware groups. Three crucial elements of RaaS that were once beneficial may now be detrimental to RaaS operations:

Ransomware-as-a-Service (RaaS) Branding

RaaS Infrastructure

The back-end infrastructure that RaaS developers used to run their operations was once a valuable resource because it allowed scale and improved profitability. The infrastructure investment yielded a significant return if the back end could be utilized for an extended period.

RaaS Shared Services

These elements have resulted in highly skilled RaaS affiliates frequently switching between variants or launching attacks without branded malware. Attribution has always been challenging, and today’s environment makes it more difficult still.

Average and Median Ransom Payment

The average ransom payment climbed to $228,125, an 8% increase from Q1 2022. While several outliers pushed the average up, the median ransom payment fell to $36,360, a 51% drop from Q1 2022. RaaS affiliates and developers are shifting toward the mid-market, where the risk-to-reward profile of attacks is more consistent and less dangerous than that of high-profile attacks. Large companies have started a promising trend of refusing to negotiate with ransomware groups demanding high ransom amounts.

Data Exfiltration Remains a Threat in Cyber Extortion

A threat to release exfiltrated data is present in 86% of ransomware cases. The majority of companies that fall victim to data exfiltration extortion continue to challenge and frustrate the IR industry. During Q2, there was evidence that threat actors don’t keep their word when it comes to destroying exfiltrated data. Victims of data exfiltration continue to fund the cyber extortion economy by paying these ransoms. The United Kingdom’s National Cyber Security Centre and the Information Commissioner’s Office sent a joint letter to the legal community encouraging them to closely review the guidance provided to data exfiltration extortion victims.

Even though fewer ransomware victims are paying ransoms and the average payment is dropping, companies need to remain alert to the current threat landscape and regularly update their data network security infrastructure. At SpearTip, our certified engineers work 24/7/365 monitoring companies’ networks for potential ransomware threats. Our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating the malware, and recovering business-critical assets. The ShadowSpear Platform, our endpoint detection and response tool, provides cloud-based solutions by collecting endpoint logs and detecting sophisticated unknown and advanced ransomware threats with comprehensive insights.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.