With ransomware on the rise, many companies wonder if attackers are ever caught. The short answer? It's complicated.
The growing threat of ransomware
Ransomware has become a major concern for small businesses and major corporations alike. With recent high-profile victims ranging from oil and gas pipelines to software companies, public health agencies, and meatpacking plants, it’s abundantly clear that ransomware attacks pose a significant threat to national security.
The US Cybersecurity and Infrastructure Security Agency (CISA) has noted that it’s particularly concerned with the impact of ransomware on government systems, municipalities, police and fire departments, medical facilities, and other vital infrastructure. And the problem is not limited to the United States; the European Union Agency for Cybersecurity (ENISA) noted a 150% rise in ransomware attacks between 2020 and 2021.
Over the past few years, we’ve seen ransomware attackers band together in well-organized operations to carry out highly sophisticated cybercrimes. We’ve also seen the rise of Ransomware-as-a-Service (RaaS), where malware developers sell software leases or subscriptions to other cybercriminals.
The massive growth in the quantity and sophistication of ransomware attacks has left many wondering whether and how these criminals can be deterred. Unfortunately, though, the vast majority of ransomware attackers remain at large. We'll explore why below.
First, some attackers are caught
It’s worth noting that a small number of attackers are caught and brought to justice. In late 2021, a Ukrainian national suspected of being an affiliate of the notorious Russia-based REvil ransomware gang was arrested and charged by the United States, and over $6 million in ransom proceeds was seized from another member of the same group. Around the same time, a Europol-coordinated operation arrested 12 suspects linked to the 2019 attack on Norsk Hydro.
Governments around the world are also stepping up their efforts to combat cyberattacks. In April 2021, the US Department of Justice launched a dedicated task force to crack down on ransomware. Similarly, Europol has begun to tackle ransomware attacks as part of its Joint Cybercrime Action Taskforce (J-CAT).
However, arrests and prosecutions are still very much in the minority when it comes to ransomware attacks.
Ransomware is a burgeoning industry with an ever-widening network of criminals to carry out attacks, and it has been difficult to locate — let alone prosecute — many of these malicious actors.
Why aren't more ransomware attackers caught?
There are many reasons why most ransomware attackers have managed to evade detection. First, there’s the international nature of cybercrime: attackers, infrastructure, and victims are usually in different countries, so investigations require extensive diplomatic and law-enforcement cooperation among multiple nations and agencies. There’s also the growing technical sophistication of the malware itself, which often bundles several distinct threats (file encryption, data theft, and sometimes DDoS) in a single attack.
But at an even more basic level, there are just too many ransomware attackers, operating in too decentralized a manner, with too many strong incentives to continue perpetrating attacks, for most of them to be brought to justice.
Below, we’ll dive into several of these issues and incentives in more detail:
- Ransomware is getting more sophisticated
- Businesses keep paying ransoms
- Ransomware insurance covers the costs
- Cryptocurrency facilitates cybercrime
We’ll also offer some suggestions to help your organization stay safe and mitigate the impact of ransomware attacks.
Ransomware is getting more sophisticated
The ransomware industry has grown more complex on several fronts.
First, attackers have begun to coalesce into highly dangerous criminal enterprises. These enterprises often share crucial infrastructure but operate in a decentralized fashion to make themselves harder to trace. Different teams in these organizations may specialize in different aspects of the ransomware attack, from stealing the data to communicating with the victim to publishing the exfiltrated material.
Second, the underlying technology behind ransomware attacks has grown more complex. According to the Center for Internet Security, ransomware has recently expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. The result is stealthier encryption and more comprehensive and targeted damage.
Lastly, ransomware attackers are now using a multi-pronged approach to ensure they are paid. If an organization has backups in place to restore affected systems and files, the attackers may seek out and encrypt or delete those backups before triggering the main encryption. Or, if the organization holds sensitive data that would be damaging if leaked — anything from patient information to financial reports and trade secrets — the attackers may threaten to publish that data to get what they want, a tactic commonly called double extortion.
Businesses keep paying ransoms
The FBI and other cybersecurity experts have urged victims not to pay ransoms, as there is no guarantee that payment will make the attackers actually hand over a working decryption key or restore access to the affected files or systems. There’s also nothing to prevent a ransomware organization from targeting the same victim a month or a year later. In the United States, the Treasury’s Office of Foreign Assets Control has additionally warned that paying a ransom to a sanctioned group or individual may itself violate sanctions law.
According to a May 2022 CyberTalk report, 63% of affected organizations paid the ransom — including a staggering 26% of organizations that had backups in place to restore their data. Nor were these small payments; the same report noted that one in ten victims paid more than $1 million.
With such significant payouts, it’s no surprise that ransomware attacks are spreading faster than law enforcement agencies and task forces can track and stop them.
Ransomware insurance covers the costs
Another incentive for ransomware attackers is the existence of lucrative insurance payouts. An astonishing 83% of mid-sized companies currently rely on cyber insurance to help mitigate the cost of a ransomware attack — meaning that attackers who target this kind of organization are more likely to be paid in full for their trouble.
While this is good news for companies that invest in cyber insurance, it’s worth noting that policies have recently become more difficult to qualify for. Insurers are increasingly reluctant to cover ransom payments unless organizations first demonstrate baseline controls such as multifactor authentication, offline or immutable backups, and endpoint detection, and adhere to recognized compliance frameworks.
Cryptocurrency facilitates cybercrime
A final reason that ransomware attackers are able to evade detection is the use of cryptocurrency for ransom payments. Cryptocurrency transactions are not impossible to trace — Bitcoin transactions are recorded on a public ledger, and blockchain analysis has been used to follow and occasionally seize ransom funds — but they are pseudonymous: addresses are not tied to a real-world identity unless the funds pass through a regulated exchange. Cryptocurrency also facilitates fast international transfers, and services such as mixers make it easier to launder ransom payments without detection.
That’s why many attackers require that ransoms be paid in cryptocurrencies like Bitcoin. No personal identification is required for an attacker to generate a self-custodied wallet, receive a large payment, and then move the funds on before anyone can act.
What can organizations do about ransomware?
With ransomware attackers avoiding detection and prosecution — and with major incentives remaining for them to continue their attacks — the threat of ransomware will likely keep growing. What’s more, ransomware can sit dormant on a network for days or weeks before it encrypts anything, which means backups taken during that dwell time may already carry the malware, and backup servers themselves are often targeted for encryption or deletion. Traditional backups can therefore be compromised without companies realizing it until they try to restore. So what can organizations do to keep themselves safe?
Luckily, there are a number of data security best practices that companies can follow; we discuss a handful in our article here. From training employees to recognize phishing attempts, to keeping multiple backup generations with at least one copy offline or immutable and verifying that those backups actually restore, to employing antivirus and anti-spam solutions, businesses can take many solid steps on their own to help minimize the risk of ransomware.
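The backup-verification step above is the one most often skipped. The following is an added example, not code from the original article or from ShardSecure, of how a practitioner can catch a backup set that ransomware has silently encrypted or deleted: record a SHA-256 manifest of the backup when it is taken, keep that manifest somewhere the backup host cannot write to, and later compare the backup against it, flagging any changed file whose contents have the near-8-bits-per-byte entropy characteristic of ciphertext. The directory layout, file contents and the simulated ransomware actions are all constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Random ciphertext scores close to 8.0 bits/byte; plain text and most
# office documents sit well below. 7.5 is an assumed, tunable threshold.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each relative path under root to its SHA-256. Store the result on
    write-once (WORM) or offline media so an intruder cannot rewrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, threshold=ENTROPY_THRESHOLD):
    """Compare a backup tree against its trusted manifest.

    Returns a report listing files that are missing, files whose hash changed,
    and the subset of changed files whose first 64 KiB looks like ciphertext.
    'ok' is False if anything is missing or looks encrypted; other changes are
    left for a human to review.
    """
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            continue
        report["modified"].append(rel)
        with open(full, "rb") as f:
            head = f.read(65536)
        if shannon_entropy(head) >= threshold:
            report["suspect_encrypted"].append(rel)
    report["ok"] = not (report["missing"] or report["suspect_encrypted"])
    return report


def demo():
    """Constructed scenario: take a backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {  # constructed sample backup contents
            "finance/q3-report.txt": b"Revenue up 4%, costs flat. " * 200,
            "finance/payroll.csv": b"id,name,salary\n1,alice,90000\n" * 100,
            "notes.txt": b"meeting notes " * 300,
        }
        for rel, body in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(body)
        manifest = build_manifest(root)

        # Simulated attacker activity: one file encrypted in place (random
        # bytes stand in for ciphertext), one deleted; plus one legitimate edit.
        with open(os.path.join(root, "finance", "q3-report.txt"), "wb") as f:
            f.write(os.urandom(8192))
        os.remove(os.path.join(root, "finance", "payroll.csv"))
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"\nappended line\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Run this on a schedule against each backup generation, not just the newest one, and treat any `suspect_encrypted` or `missing` entry as an incident. The entropy heuristic will also flag files that are high-entropy by design (archives, images, already-encrypted volumes), so exclude those extensions or rely on the hash comparison alone for them; the hash check is the authoritative signal, entropy only tells you which changes look like encryption rather than ordinary edits.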
However, for more advanced protection, some companies may turn to outside solutions.
Consider ShardSecure for ransomware mitigation
ShardSecure’s innovative approach to data security, privacy, and resilience helps mitigate the worst aspects of many ransomware attacks. With our platform, confidential material that is exfiltrated in a ransomware attack becomes unexploitable to unauthorized users. Even if a customer-owned storage location is compromised, the attackers will have access to only an unintelligible fraction of the complete data set — and no way to rebuild it.
The ShardSecure platform also maintains high availability with virtual clusters and offers a self-healing feature to reconstruct data, preventing loss of business continuity. In the event of data tampering or loss, we send an automatic alert to your SOC and begin reconstructing data immediately.