Ransomware attacks are omnipresent. Whether through media coverage, stories from work or friends and family – one can no longer avoid the topic of cybercrime and especially ransomware. This growing presence has a factual basis: attack patterns are becoming more diverse, the frequency and scope of attacks are increasing, and victims are increasingly affected regardless of industry and company size. The US cybersecurity expert Recorded Future has conducted an analysis of the ransomware attack landscape in Germany, from which valuable insights can be drawn. In this blog post, we provide an overview.
What is ransomware and why is it so dangerous?
Ransomware attacks are attacks with malware that aim to encrypt PCs and the data and programmes on them, and thus make them unusable. The goal is to blackmail the victims and get them to agree to ransom demands, with the promise that the data will be released after payment. Attacks of this kind are now increasingly directed at companies as well as public authorities and administrations. They are becoming more elaborate, sophisticated and personalised. Cyber criminals proceed in a targeted manner and usually in several stages. Everyday cyber incidents such as spam messages are used to gain access to the corporate network. In a second step, the IT infrastructure is analysed in order to either encrypt particularly important or sensitive data or to paralyse the entire system, including connected backups. In this way, the blackmailers can exert greater pressure on the affected companies and demand higher ransoms. However, it is always uncertain whether the data will actually be released after payment. This is because with some ransomware programmes, for example, decryption is not provided for or is not even possible in the first place.
The German industrial sector was most affected by ransomware in 2020 and 2021
The volume of ransomware attacks is constantly increasing, both worldwide and against German companies, with serious consequences for those affected: systems are attacked by the malware and rendered unusable. Branches of business have to be closed temporarily, and employees are transferred to part-time work as a consequence. There is also the risk that company secrets will be made public. In special sector-specific cases, social benefits cannot be provided or hospitals are unable to admit patients. Regardless of the individual consequences, ransomware attacks pose a serious and far-reaching threat to businesses and are rightly considered one of the biggest business risks today.
In a report, Recorded Future has summarised the ransomware attack landscape on German companies in 2020 and 2021. Exciting and at the same time worrying findings can be drawn from this.
At a glance: the ransomware threat landscape
Overall, the number of ransomware attacks in Germany increased by 83% from 2020 to 2021. According to Recorded Future’s analysis, the trend is partly due to the following factors:
- The number of active criminal hacker groups perpetrating attacks with ransomware has doubled. The professionalism of the groups has increased in parallel.
- The volume and frequency of the attacks is also increasing – higher gang activity can be observed.
- Higher ransom demands are being made, complicating payments.
- The pressure on companies to report incidents has increased due to more media coverage.
- Progressive and sometimes hasty digitalisation due to the pandemic leads to security gaps that can serve as an easy gateway.
These developments ultimately mean that ransomware attacks are perpetrated more frequently on the one hand and are easier to carry out on the other.
Around 42% of ransomware attacks in Germany affect the industrial sector, which is considered the backbone of the German economy. According to Recorded Future, this sector includes mechanical engineering and the automotive industry, the metal industry, electrical engineering and the construction industry. Other sectors such as education, the public sector and healthcare are also increasingly becoming the focus of cybercriminals. However, industry affiliation is not an exclusive indicator of the likelihood of a cyberattack. With increased frequency and easier execution, an attack can hit anyone these days.
The developments of the last few years in detail
The further development of attack methods does not stand still. Both types of attacks and the software used are being continuously expanded by cybercriminals and are thus becoming more and more sophisticated. What are the main trends that can be observed here?
Generally speaking, ransomware attacks are becoming larger, more extensive and more serious. Whereas in the past ransomware attacks were primarily perpetrated on individual users, nowadays they are taking place on a broad scale and are primarily targeting networks and supply chains of large organisations.
Due to the encryption of entire networked operating systems of different companies, the effects of an attack as well as the attackers’ means of pressure are becoming increasingly severe. In addition to broad-based attacks, personalised and highly professional attacks on selected target organisations continue to take place.
The second worrying trend concerns the precision with which cybercriminals attack their victims. The increased frequency of attacks and the broader range of targets have been accompanied by an optimisation of the technologies used. To gain access to and control over all operating systems, threat actors are turning to software that makes attacks less time-consuming and more targeted. Methods for accelerating encryption, such as the LockBit software, are often used. In addition, domain controllers are used to take control of all Active Directories, from which complete networks can be encrypted in a second step. Ransom payments are now made not only via Bitcoin, but also via alternative cryptocurrencies such as Monero. Here, attackers benefit from the simple concealment of transactions and the preservation of privacy and anonymity.
The professionalism and internal organisation of criminal hacker groups are also striking in the developments of recent years. Here, a transformation of organisational structures can be observed. First and foremost, criminal gangs are offering their services for sale on the Darknet in the form of Ransomware-as-a-Service (RaaS) models. Virtually anyone now has access to the services of cybercriminals and can take advantage of them in simple steps. It is almost as easy as ordering a taxi: criminals are booked, paid and sometimes even evaluated in rating portals on the Darknet. These orders can include everything from election manipulation to Bitcoin mining, ransomware, sabotage, espionage and much more. Partnerships between threat actors are also formed via forums on the Darknet. Individual actors specialise in different components of the attacks and then join forces for activities. This makes it much more difficult to trace the ransomware attacks back to individual gangs.
Furthermore, ongoing globalisation not only affects politics, the economy and society, it also has an impact on organised cybercrime. Cyber attacks are a global business risk that is not limited to one country or region, but is of international relevance. According to Recorded Future, in the past it was mainly the USA that was affected by cybercrime. Current statistics show that the USA still leads the ranking, but there are no geographical limitations. The threat to companies and organisations is not only real, but is increasing sharply worldwide. The decisive factors here are in particular the turnover, a particularly vulnerable IT infrastructure and the critical relevance of the individual target organisations, not territorial affiliation.
Where do the findings come from and what does the future hold?
The number of unreported cases of ransomware attacks is estimated to be higher than the actual cases registered. The challenge in recording the actual incidents is due on the one hand to the fact that some cases are not reported to the authorities, and on the other hand to the fact that some ransomware attacks are identified as regular security incidents and registered accordingly. Recorded Future’s analysis is based on data collected through various channels, for example media reports and reports from the respective affected organisations. However, the majority of the data set comes from so-called leak sites: websites that ransomware attackers use to communicate with the public and to blackmail their victims.
Although it is difficult to make a general forecast of future developments, it can be assumed that the trends listed here will become even more pronounced. Based on the findings, technologies will become even more sophisticated in the future, attacks will become more extensive and criminal gangs will become even more organised and specialised. The entire cybercrime ecosystem will become more accessible and increasingly interconnected.
Alongside this dark outlook, however, there is also a very positive trend rooted in the fight against cybercrime: we are seeing more and more internationally coordinated law enforcement efforts, criminal gangs being dismantled and dodgy websites being taken offline. Efforts are being made to break the infrastructure in which gangs operate and to hold threat actors as well as their associates and facilitators accountable.
In addition to law enforcement actions, general awareness of cybercrime has increased in society at large – but especially in businesses and organisations. This is leading to efforts to actively defend against cyber dangers and to prevent the worst from happening through preventive measures. Coupled with initiatives to further raise awareness and the use of technical resources, active countermeasures against cyber attacks are taking place nowadays, which will hopefully lower the ransomware success rate and put an end to the trend.
What are you actively doing against cybercrime? Are your employees prepared for an emergency?