Reining in Ransomware, Vol. 2
Partner: Arete
Ransomware has transitioned from a blunt-force encryption tool into a highly professionalized, specialized criminal ecosystem. This second volume of the Investigative Cybercrime Series unmasks the most common strains and their tactics, drawing on data from nearly 1,500 real-world investigations. It provides a data-driven baseline for organizations to understand how these actors infiltrate, spread, and monetize their attacks.
The most impactful trend is the rise of “double extortion,” where criminals steal sensitive data before encrypting it. Our analysis shows that typical ransom demands are 5x higher when exfiltration is involved compared to encryption-only events. This report deconstructs exactly how criminals make their getaway, primarily by piggybacking over legitimate web services to hide their theft in plain sight.
The research also highlights a high degree of “churn” in the market, with seven of the top 10 strains in 2022 being completely new to the list. While high-profile groups like REvil and Conti have disbanded, their members and code live on in newer offshoots like BlackCat and Hive. This report identifies over 20 specific practices that can still mitigate risk even after an initial infection has occurred.
Key Findings
- The 5x Exfiltration Tax: Typical ransom demands increase five-fold, from $107K to $530K, when data is exfiltrated from the environment.
- Remote Access Dominance: 61% of ransomware infections begin by exploiting poorly secured external remote access services.
- Rapid Strain Churn: 70% of the top 10 ransomware strains observed in 2022 were not on the top 10 list the year prior.
- Privilege Escalation Impact: Victims are 20% less likely to pay a ransom if the attackers were unable to successfully escalate their privileges.
- Encryption Prevalence: While 100% of common ransomware strains possess encryption capabilities, only 96% of cases actually resulted in successful system encryption.
- Exfiltration Growth: Data theft occurred in 53% of investigations in 2022, a six-fold increase over the 9% rate seen in 2019.

Collaborative analysis by Arete and Cyentia Institute of nearly 1,500 investigative cases representing over $1 billion in ransom demands.