May 12 marks World Anti-Ransomware Day. This significant day, established in 2020 through a collaboration between INTERPOL and Kaspersky, serves as an opportunity to examine trends in ransomware incidents and highlight why negotiating with attackers and making payments in cryptocurrency are increasingly unwise.
Subpar quality of decryptors
When a company’s infrastructure is compromised due to an attack, the immediate goal is to return to regular operations by swiftly recovering data from workstations and servers. The ransom notes might suggest that upon paying the ransom, the company will receive a decryptor application that will quickly restore all information to its original state and enable the resumption of work processes with minimal hassle. However, this is rarely the case in reality.
Firstly, some extortionists simply mislead their victims and fail to provide a decryptor at all. Such instances gained notoriety, for example, following the leak of internal communications from the Black Basta ransomware group.
Secondly, cybercriminals typically specialize in encryption rather than decryption, leading them to invest little effort into their decryptor applications; consequently, these applications are often ineffective and slow. It might be more efficient to restore data from a backup copy than to rely on the tools provided by the attackers. Their decryptors frequently malfunction when faced with unusual file names or conflicts over access rights (or sometimes for no discernible reason), and they lack a mechanism for resuming decryption from the point at which it halted. Occasionally, due to flawed programming, they even corrupt files.
Recurring attacks
It is well-known that a blackmailer can continue their practices indefinitely; the same applies to ransomware blackmail. Cybercriminal gangs share information with one another, and “affiliates” frequently switch among ransomware-as-a-service providers. Moreover, even when law enforcement effectively dismantles a gang, they cannot always apprehend all of its members, and those who evade capture may revert to their previous methods in a new group. Consequently, news of a victim successfully paying a ransom spreads to new gangs, which then target the same organization – often with success.
Stricter legislation
Contemporary attackers not only encrypt but also exfiltrate data, creating long-lasting risks for companies. After a ransomware assault, a company has three primary choices:
1. publicly report the incident and restore operations and data without engaging with the cybercriminals;
2. disclose the incident, but pay a ransom to retrieve the data and prevent its dissemination;
3. hide the incident by paying a ransom for confidentiality.
The last option has always carried risk, as demonstrated by the cases of Westend Dental and Blackbaud. Additionally, numerous countries are enacting laws that render such actions illegal. For instance:
- The NIS2 (Network and Information Security) directive and DORA (Digital Operational Resilience Act) adopted in the EU mandate that many industries, along with large and critical enterprises, promptly report cyber incidents and impose significant requirements for cyber resilience on organizations;
- A proposed law in the UK aims to forbid government entities and critical infrastructure operators from paying ransoms, along with a requirement for all businesses to promptly report ransomware incidents;
- The Cybersecurity Act has been revised in Singapore, mandating critical information infrastructure operators to report incidents, including those linked to supply-chain attacks and any disruptions to customer service;
- In the U.S., a combination of federal directives and state laws is being discussed to prohibit significant payments (over $100,000) to cybercriminals, as well as to require prompt reporting of incidents; some of these measures have already been partially implemented.
Thus, even if a company successfully recovers from an incident, secretly paying extortionists could lead to severe repercussions for years to come if the incident later becomes public (for instance, after the arrest of the extortionists).
Absence of guarantees
Often, companies pay not for the decryption itself, but for the assurance that stolen data will remain unpublished and that the attack will stay confidential. However, there are no guarantees that this information will not surface later. Recent incidents illustrate that disclosure of the attack and the stolen corporate data can occur in various scenarios:
Internal disputes among attackers. Conflicts can arise from disagreements within a group or from one faction attacking the infrastructure of another. Consequently, victims’ information is released as a form of retaliation, or it may be disclosed to help undermine a rival gang’s assets. In 2025, there was a leak of internal communications from the Black Basta gang which revealed victims’ data; a separate incident occurred when the DragonForce group took down and commandeered the infrastructure of two competitors, BlackLock and Mamona. On May 7, the Lockbit website was compromised, leading to the public release of data from the admin panel—this included a detailed list of all the group’s victims from the past six months.
Law enforcement action. When law enforcement raids a ransomware group, it typically won’t disclose the actual data, but it will announce that the incident occurred. This was the case last year, when victims of Lockbit were identified.
Errors made by the ransomware group itself. Often, the infrastructure of these groups is not particularly secure, leading to the accidental discovery of stolen data by security researchers, competitors, or simply other individuals. A notable example involved a massive dataset taken from five large corporations by various ransomware gangs, which was fully published by the hacktivist collective DDoSecrets.
Ransomware might not be the principal issue anymore
With the proactive efforts of law enforcement and advancements in legislation, the profile of a “typical ransomware group” has changed significantly. The frequency of activities by large groups seen in incidents from 2020 to 2023 has declined, giving way to ransomware-as-a-service models, where the attacking parties can be very small teams or even solo individuals. An important pattern has emerged: while the number of encryption incidents has risen, the overall ransoms collected have dropped. There are two main factors for this: first, victims are increasingly choosing not to pay, and second, many extortionists are now targeting smaller companies and demanding lower ransoms. More comprehensive statistics can be found in our report on Securelist.
However, the most significant shift is the increase in instances where attackers have mixed motivations; for example, a single group may simultaneously carry out espionage operations while deploying ransomware. In some cases, ransomware may serve merely as a cover for espionage efforts, while at other times, attackers may be executing orders to extract information while utilizing extortion as an additional income stream. This situation implies that for business owners and managers, understanding the attacker’s motivations fully or verifying their reputation may not be feasible in the event of a ransomware attack.
The conclusion for a ransomware incident is straightforward: paying the operators may not resolve the issue and could instead make it worse. A swift recovery for businesses hinges on having a pre-prepared response plan.
Organizations ought to develop thorough protocols for their IT and cybersecurity teams to address a ransomware incident effectively. It is essential to focus on scenarios that involve isolating hosts and subnets, disabling VPN and remote access, and deactivating accounts (including main administrative ones), while transitioning to backup accounts. Regular training on backup restoration processes is also advisable. Additionally, it is crucial to store those backups in a secure system to prevent them from being compromised during an attack.
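A restore drill is the part of this plan that is easiest to automate and most often skipped. The following script, added here as an illustration and not code from the original article, builds a constructed sample backup with a SHA-256 manifest, restores it into a scratch directory, and verifies every file against the manifest, so that a corrupted or tampered backup is caught during training rather than during an incident. The archive format (tar plus JSON manifest) and all function names are assumptions.

```python
"""Backup restore drill (added example; backup format and helper names are hypothetical)."""
import hashlib, json, os, tarfile, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir and record a SHA-256 digest per file (relative path -> digest)."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest

def restore_drill(archive_path, manifest_path):
    """Restore into a scratch dir; return (files_ok, [(path, reason), ...]) against the manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.realpath(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            for m in tar.getmembers():  # refuse entries that would escape the scratch dir
                if not os.path.realpath(os.path.join(base, m.name)).startswith(base + os.sep):
                    raise ValueError(f"unsafe path in archive: {m.name}")
            tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored):
                failures.append((rel, "missing"))
            elif sha256_of(restored) != digest:
                failures.append((rel, "hash mismatch"))
    return len(manifest) - len(failures), failures

def run_demo(tamper=False):
    """Build a constructed sample backup and run the drill; tamper=True alters a file after the manifest was written."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data"); os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.csv"), "w") as f:
            f.write("id,total\n1,99.50\n")  # constructed sample data
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample file\n")
        archive, manifest = os.path.join(work, "backup.tgz"), os.path.join(work, "backup.manifest.json")
        make_backup(src, archive, manifest)
        if tamper:  # simulate a backup silently modified after the manifest was recorded
            with open(os.path.join(src, "db", "orders.csv"), "a") as f:
                f.write("2,0.00\n")
            make_backup(src, archive, os.path.join(work, "ignored.json"))  # stale manifest kept
        return restore_drill(archive, manifest)
```

Run `run_demo()` for a clean drill and `run_demo(tamper=True)` to see the manifest catch the altered file.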
To enact these measures and ensure a prompt response before an attack impacts the entire network, it is vital to establish a continuous deep monitoring process: larger companies may find value in an XDR solution, while smaller businesses can achieve effective monitoring and response by enrolling in an MDR service.