30.06.2022

Why ransomware attacks are on the rise

Trends | Cybercrime | Attack Vectors

Ransomware attacks are ubiquitous. Whether through media coverage or stories from colleagues and acquaintances – there is no getting around the topic of cybercrime, and ransomware in particular. This growing presence, however, is grounded in fact.

Attack patterns are becoming more diverse, the frequency and scope of attacks are increasing, and victims are increasingly found regardless of industry and company size. The US cybersecurity company Recorded Future has conducted an analysis of the ransomware attack landscape in Germany, from which interesting insights can be drawn. In this blog post, we provide an overview.

 

What is ransomware and why is it so dangerous?

Ransomware attacks use malicious programs that encrypt PCs, along with the data and programs on them, and render them unusable. The goal is to blackmail those affected and persuade them to respond to ransom demands – with the promise of releasing the data after payment has been made. Attacks of this kind increasingly target companies as well as authorities and administrations, and they are becoming more and more complex, sophisticated and personalized. Cybercriminals proceed in a targeted manner and usually in several stages. First, everyday cyber incidents such as spam messages are used to gain access to the corporate network. In a second step, the IT infrastructure is analyzed in order to either encrypt particularly important or sensitive data or to paralyze the entire system, including connected backups. In this way, the extortionists can put greater pressure on the affected companies and demand higher ransoms. However, it is always uncertain whether the data will actually be released after payment has been made: some ransomware programs, for example, make no provision for decryption, or decryption is not possible at all.

 

The German industrial sector was the most affected by ransomware in 2020 and 2021

The volume of ransomware attacks, both worldwide and on German companies, is steadily increasing – with serious consequences for those affected: systems are infected by the malware and rendered unusable. Parts of the business have to be closed temporarily, and employees may be moved to part-time work as a consequence. There is also a risk that company secrets will be made public. In certain industry-specific cases, social benefits cannot be provided or hospitals are unable to admit patients. Regardless of the individual consequences, ransomware attacks pose a serious threat to companies and are rightly considered one of the greatest business risks of today.

Recorded Future has summarized the ransomware attack situation for German companies in 2020 and 2021 in a report. Interesting and at the same time worrying conclusions can be drawn from it.

 

At a glance: the ransomware threat landscape 

Overall, the number of ransomware attacks in Germany increased by 83% from 2020 to 2021. According to Recorded Future’s analysis, the trend is partly due to the following factors:

  • The number of active criminal hacker groups committing ransomware attacks has doubled. The professionalism of the groups has increased in parallel.
  • The volume and frequency of attacks are also increasing – increased gang activity can be observed.
  • Higher ransom demands are being made, complicating payments.
  • The pressure on companies to report incidents has increased due to increasing media coverage.
  • Advancing and sometimes hasty digitization due to the pandemic leads to security gaps that can serve as a simple gateway.


These developments ultimately mean that ransomware attacks are carried out more frequently, are easier to carry out, and have existential consequences for those affected.

Around 42% of ransomware attacks in Germany affect the industrial sector, which is considered the backbone of the German economy. According to Recorded Future, this sector includes the mechanical engineering and automotive industries, the metal industry, electrical engineering and the construction industry. Other industries such as education, the public sector and healthcare are also increasingly coming into the focus of cybercriminals. However, industry affiliation alone does not determine the likelihood of a cyberattack. Due to the increased likelihood and the easier execution, it can affect anyone nowadays.

 

The developments of the last few years in detail

Attack methodology does not stand still. Both the types of attacks and the software used are continuously being expanded by cybercriminals and are therefore becoming increasingly sophisticated. Which trends stand out in particular?

In general, ransomware attacks are becoming larger, more extensive and more consequential. While in the past ransomware attacks were mainly carried out on individual users, today they take place on a large scale and primarily target networks and supply chains of large organizations. Because entire networked operating systems of different companies are encrypted, the impact of an attack and the attackers’ leverage are becoming more and more massive. In addition to wide-ranging attacks, personalized and highly professional attacks on meticulously selected target organizations continue to take place.


The second worrying trend concerns the precision with which cybercriminals attack their victims. With the increased frequency of attacks and broader targets, the technologies used have been optimized. To gain access to and control over all operating systems, threat actors use software that makes attacks less time-consuming and more targeted. Methods for accelerating encryption are often used, such as the LockBit software. In addition, domain controllers are used to take control of all active directories, from which entire networks can be encrypted in a second step. Ransom payments are now made not only via Bitcoin, but also via alternative cryptocurrencies such as Monero. Here, attackers benefit from simple concealment of transactions as well as the preservation of privacy and anonymity.


The professionalism and internal organization of criminal hacker groups are also striking in the developments of recent years. A restructuring of the organizational structures can be seen here. Above all, criminal gangs that offer their services for sale on the darknet in the form of ransomware-as-a-service (RaaS) models should be mentioned. Virtually everyone now has access to the services of cybercriminals and can make use of them in a few simple steps. It’s almost as easy as ordering a taxi: criminals are booked, paid and sometimes even rated on review portals on the darknet. These contracts can include anything from election manipulation to Bitcoin mining, ransomware, sabotage, espionage, and more. Partnerships between threat actors are also formed via forums on the darknet. Individual actors specialize in different components of the attacks and then join forces for activities. This makes it much more difficult to trace ransomware attacks back to individual gangs.


Furthermore, advancing globalization affects not only politics, the economy and society, but also organized cybercrime. Cyberattacks are a global business risk that is not limited to just one country or region, but is of international relevance. According to Recorded Future, the USA was mainly affected by cybercrime in the past; the current statistics show that the USA still leads the ranking, but there are no geographical limitations. The danger is not only real for companies and organizations, but is increasing sharply worldwide. The decisive factors are in particular revenues, particularly vulnerable IT infrastructure and the critical relevance of the individual target organizations, not territorial affiliation.

 

Where do the findings come from and what does the future look like?

The number of unreported ransomware attacks is estimated to be higher than the actual cases registered. The challenge in recording the actual incidents is due on the one hand to the fact that some of the cases are not reported to the authorities and on the other hand to the fact that ransomware attacks are sometimes identified as regular security incidents and registered accordingly. Recorded Future’s analysis is based on data collected through various channels: media reports and reports from the respective affected organizations were collected and evaluated. However, the majority of the data set comes from so-called leak sites: websites that ransomware attackers use to communicate with the public and blackmail their victims.

Although it is difficult to make a general forecast of future developments, it can be assumed that the trends listed here will continue to intensify. Based on the findings, technologies will become even more sophisticated in the future, attacks more extensive and criminal gangs even more organized and specialized. The entire cybercrime ecosystem is becoming more accessible and connected.


In addition to these dark prospects, however, there is also a positive trend rooted in the fight against cybercrime: more and more internationally coordinated law enforcement measures can be observed, criminal gangs are being dismantled and shady websites are being taken offline. Efforts are being made to disrupt the infrastructure in which gangs operate, to hold threat actors and their partners and intermediaries accountable.


In addition to the measures taken by law enforcement agencies, awareness of cybercrime has increased in society in general, and especially in companies and organizations. This leads to efforts to actively defend against cyber threats and to prevent emergencies through preventive measures. Coupled with initiatives to raise awareness and the use of technical resources, there is now active resistance to cyberattacks, which will hopefully lower the ransomware success rate and put an end to the trend.

What are you actively doing against cybercrime? Are your employees prepared for an emergency?