Ransomware Gangs Are Shifting Their Attacks to Smaller Companies

Attacks have surged in past 12 months as hackers go after companies in the manufacturing, professional, scientific and technical services industries.

The number of ransomware victims in March was nearly double the number from a year earlier, according to a new study. 

“The dramatic increase in successful ransomware attacks over the past several months is evidence that these groups are not slowing down," Paul Paget, CEO of Black Kite,a Boston-based third-party cyber risk intelligence company, told TheStreet.

DONT MISS: Fraudsters' New Trick Uses AI Voice Cloning to Scam People

Hackers remain "organized and motivated" to attack companies with ransomware which blocks a company from accessing their own computer system unless they pay a large sum of money, he said. 

Manufacturing Industry Top Target

The report showed that hackers targeted the manufacturing industry the most, followed by the professional, scientific and technical services industry, according to a report by Black Kite that analyzed ransomeware attacks from April 1, 2022 through March 31, 2023. Educational services received 6.1% of the attacks.

The U.S. was the number one targeted country, accounting for 43% of victim organizations, followed by the U.K. and Germany (4.4%).

Ransomware groups often focus on companies with annual revenue of $50 million to $60 million, Black Kite said in the report.

"These groups are smart, organized and methodical in their attacks," Paget said. "These ransomware groups target the organizations they know have both the means to pay a ransom and have a critical need for continuous access to their information to operate."

The top targeted industries found in this report are not shocking since all three of these industries generally have older IT systems that they must support that either have "unpatchable vulnerabilities or lack the staff and budget to update or replace them," Matthew Psencik, director of endpoint security at Tanium, a Kirkland, Washington-based provider of converged endpoint management, told TheStreet.

Many smaller universities are also known to have almost no budget for IT, "let alone IT security, so their networks are lacking patches, security control, and by their nature, lack strong software and browsing policies as this would hamper student and staff’s research and learning abilities," he said. 

The professional and technical services sector have environments that are  notorious for not having the most secure networks. They are often a "gold mine of lateral movement or additional reach for an attacker because of their employees or networks having elevated access to many businesses that they service," Psencik said.

Ransomware Attacks Fell at the Start of Russia's War on Ukraine

The sharp increase in recent ransomware attacks is not a surprise, Joseph Carson, chief security scientist and advisory CISO at Delinea, a Redwood City, Calif.-based provider of privileged access management solutions, told TheStreet.

A decline of ransomware attacks occurred during the months after the start of Russia's war against Ukraine in 2022.

"This could have resulted from many factors such as improved ransomware resiliency, ransomware groups distracted with specific targets, sanctions making ransom payments complex or simply the disbanding of some prominent ransomware gangs prior to that in late 2021 and early 2022," he said.

Last year ransomware gangs spent their time developing other types of ransomware, moving to new languages that can target more platforms including IoT devices and recruiting new affiliates to get around sanctions, Carson said. They also targeted countries with less security and no sanctions in place, such as some Latin American and African nations, he added.

The top industries targeted are quite common since they rely heavily on digital services and technologies, Carson said. 

"When their services are impacted, the business comes to a complete stop," he said. "Ransomware gangs tend to choose their targets based on poor security practices, fragile supply chain and pressure to pay due to impact of the business and sensitive of the data."

Many countries still do not have any laws requiring companies to report ransomware, so the U.S. ranking as the top targeted country "can be a bit of a red herring," Carson said. "Of course, the U.S. is one of the largest markets so I would still expect them to be in the top five targeted countries moving forward."

Bigger Payouts Lose Popularity

Ransomware groups are having a tougher time getting big payouts with traditional encryption-based ransomware attacks. The groups have shifted toward 'data extortion' attacks. 

The ransomware industry is constantly evolving, but overall profitability is down for these attacks, Joe McMann, head of cyber services for Binary Defense, a Stow, Ohio-based managed detection and response and enterprise defense provider, told TheStreet.

"More corporate and government victims have either been mitigating impacts or refusing to pay for a decryption key in traditional ransomware attacks, which is sparking changes in how these criminal groups operate," he said. 

Many of the most successful groups like Medusa, BlackCat and Clop are transitioning towards data extortion attacks. In traditional ransomware attacks, cyber criminals encrypt a victim's files, crippling operations. 

Now the criminals threaten to sell it or publicly release it unless they are paid off.

"Other ransomware groups like Lockbit are using the full extortion playbook (i.e., data extortion + ransomware + DDoS) to raise the stakes for victims and pressure them into paying," McMann said. "What all of this shows is that ransomware groups are still evolving and reacting to financial and operational pressures. Traditional encryption-based ransomware attacks are not yielding the desired results and return-on-investment."