Annual ThreatLabz Ransomware Report tracks trends and impact of ransomware attacks
Zscaler, Inc. (NASDAQ: ZS), a leader in cloud security, presents the results of its annual 2023 ThreatLabz Ransomware Report. This year’s report tracks the continued rise in sophisticated ransomware attacks and highlights recent ransomware trends, including targeting government agencies and organizations with cyber insurance, the growth of ransomware-as-a-service (RaaS) and encryption-less extortion. Since April 2022, ThreatLabz has identified the theft of several terabytes of data as part of successful ransomware attacks, which was then used to extort ransoms.
Highlights:
- The impact of ransomware is felt most strongly in the United States. Almost half of the ransomware campaigns were recorded there in the last twelve months.
- Organizations in the arts, entertainment, and leisure industries saw the largest rise in ransomware attacks, with a growth rate of over 430 percent.
- Manufacturing remains the hardest-hit industry, accounting for nearly 15 percent of all ransomware attacks. Next comes the service sector, which accounted for about 12 percent of all ransomware attacks last year.
- This year, 25 new ransomware families were identified using double-extortion or encryption-less extortion attacks.
“Ransomware-as-a-Service has contributed to a steady rise in sophisticated ransomware attacks,” said Deepen Desai, Global CISO and Head of Security at Zscaler. “Malware authors are increasingly operating under the radar, relying on encryption-less attacks that involve large amounts of stolen data. Organizations should move beyond traditional security products and migrate to a holistic Zero Trust platform that helps reduce the attack surface, prevent compromise and mitigate the impact of successful attacks, and prevent data exfiltration.”
The development of ransomware is determined by the inverse relationship between the sophistication of the attacks and the barrier to entry for new cybercriminal groups. The barrier to entry dropped as cyberattacks became more sophisticated due to the proliferation of RaaS. In this business model, threat actors sell their services on the dark web for 70 to 80 percent of ransomware profits. This model has continued to gain popularity in recent years, as illustrated by the frequency of ransomware attacks, which has increased by almost 40 percent. Another trend of cyberattacks in 2023 is the growth of encryption-less extortion, where stealthy data exfiltration is favored over disruptive encryption methods.
Top countries targeted by ransomware
The United States was the most common target of double-extortion ransomware attacks, with 40 percent of all victims located in this region. Canada, Britain and Germany combined had less than half the attacks compared to the US. The most prevalent ransomware families observed by Zscaler ThreatLabz include BlackBasta, BlackCat, Clop, Karakurt, and LockBit, all of which pose significant threats of financial loss, data breaches, and business disruption to employees and businesses of all sizes.
Over the past year, the most targeted industry globally has been manufacturing, known for its reliance on intellectual property and critical infrastructure, both attractive targets for ransomware groups. All of the ransomware groups tracked by Zscaler targeted companies in this industry, including those involved in the production of goods for the automotive, electronics, and textile industries. The BlackBasta ransomware family was particularly interested in manufacturing companies, directing more than 26 percent of its attacks against this industry.
Ransomware Trends
In 2021, ThreatLabz observed 19 ransomware families using a double- or multi-extortion approach in their cyberattacks. That number has now grown to 44 ransomware families. This type of attack is popular because once the stolen data is encrypted, the attackers threaten to release it to increase pressure on the victims. The increasingly popular encryption-less extortion attacks, which skip the encryption process, rely on the same tactic: the affected companies are threatened with publication of the stolen data online if they refuse to pay the ransom. These tactics bring faster and bigger profits to ransomware groups since software development cycles and decryption support are eliminated. Additionally, these attacks are more difficult to detect and attract less attention from the authorities because they don’t lock down critical files and systems or cause recovery-related downtime. As a result, encryption-less extortion attacks typically do not disrupt their victims’ business operations, which in turn results in lower reporting rates.
Initially, the encryption-less extortion trend started with ransomware groups like Babuk and SnapMC. Over the past year, a number of new families have adopted this tactic, including Karakurt, Donut, RansomHouse, and BianLian.