Incident response (IR) is when companies call in a team in the aftermath of a breach to limit the damage and prevent an attack from spreading. At Kaspersky, IR is handled by the Global Response Emergency Team (GERT) and is reserved for mid-size to large organizations. From January to November 2021, nearly every second security incident handled by GERT was connected to ransomware (nearly 50% of all IR requests)—an increase of nearly 12 percentage points when compared to 2020, according to Kaspersky’s Story of the Year: Ransomware in the Headlines.
When it comes to cybersecurity, ransomware has become the undisputed story of the year, taking down gas pipelines and government health services. Ransomware operators have refined their arsenal, focusing on fewer attacks against large-scale organizations, and an entire underground ecosystem has appeared to support ransomware gangs’ efforts.
In fact, for the first 11 months of 2021, ransomware-related requests made up 46.7% of all IR requests processed by Kaspersky’s GERT, a jump from 37.9% for all of 2020 and 34% for 2019.
The most common targets were those in the government and industrial sectors; together, attacks against those two industries comprised nearly 50% of all ransomware-related IR requests in 2021. Other popular targets included IT and financial institutions.
However, as ransomware operators have shifted to bigger ransom demands and more high-profile targets, they have been facing increasing pressure from politicians and law enforcement agencies, which makes improving the efficiency of their attacks critical. As a result, Kaspersky experts have noted two important trends that will gain in popularity in 2022. First, ransomware gangs are likely to construct Linux builds of ransomware more frequently to maximize their attack surface; this is something that has already been seen with groups like RansomExx and DarkSide. In addition, ransomware operators will start to focus more on "financial blackmail". This is when operators threaten to leak information about companies that are undergoing critical financial events (e.g., conducting a merger or acquisition, or planning to go public) in order to drive down their stock prices. When companies are in such a vulnerable financial state, they are more likely to pay the ransom.
“We began talking about so-called Ransomware 2.0 in 2020, and what we’ve been seeing in 2021 is this new era of ransomware coming into full force. Ransomware operators aren’t just encrypting data; they’re stealing it from critical, large-scale targets and threatening to expose the information if the victims don’t pay. And Ransomware 2.0 isn’t going anywhere in the coming year,” comments Vladimir Kuskov, Head of Threat Exploration at Kaspersky.
“At the same time, now that ransomware is in the headlines, law enforcement agencies are working hard to bring prolific groups down—which is what happened with DarkSide and REvil this year. These gangs’ lifecycles are being compressed, and that means they’re going to have to refine their tactics in 2022 to remain profitable, especially if some governments make paying ransoms illegal—which is being discussed,” adds Fedor Sinitsyn, security expert at Kaspersky.