Skip to content

With ransomware on the rise, you may wonder if attackers are every caught. The short answer? It's complicated.

The growing threat of ransomware

Ransomware has become a major concern for individuals, small businesses, major corporations, and the public sector alike. With recent high-profile victims ranging from oil and gas pipelines to software companies, public health agencies, and meatpacking plants, it’s abundantly clear that ransomware attackers pose a significant threat to national security.

The US Cybersecurity and Infrastructure Security Agency (CISA) has noted that it’s particularly concerned with the impact of ransomware on government systems, municipalities, police and fire departments, medical facilities, and other vital infrastructure. And the problem is not limited to the United States; the European Union Agency for Cybersecurity (ENISA) noted a 150% rise in ransomware attacks between 2020 and 2021.  

Over the past few years, we’ve seen ransomware attackers band together in well-organized operations to carry out highly sophisticated cybercrimes. We’ve also seen the rise of Ransomware-as-a-Service (RaaS), where malware developers sell software leases or subscriptions to other cybercriminals.

The problem shows no sign of slowing down. A Cybersecurity Ventures report estimated that ransomware will cost the economy around $265 billion annually by 2031, with dozens of new attacks happening each minute.

The massive rise in the quantity and sophistication of ransomware attacks has left many wondering whether and how these criminals can be deterred. Unfortunately, though, the vast majority of ransomware attackers remain at large.

Relative impunity for attackers

First, it’s worth noting that a small number of attackers are caught and brought to justice. In late 2021, a Ukrainian attacker suspected to be part of the notorious Russia-based REvil ransomware gang was arrested and charged by the United States, and over $6 million in ransom money was recovered from an associate in the same group. Around the same time, Europol arrested 12 of the suspected cybercriminals behind the 2019 Norsk Hydro attack. 

Governments around the world are also stepping up their efforts to combat cyberattacks. In April 2021, the US Department of Justice launched a dedicated task force to crack down on ransomware. Similarly, Europol has begun to tackle ransomware attacks as part of its J​​oint Cybercrime Action Taskforce (J-CAT). 

However, arrests and prosecutions are still very much in the minority when it comes to ransomware attacks.

Ransomware is a burgeoning industry with an ever-widening network of criminals to carry out attacks, and it has been difficult to locate — let alone prosecute — many of these malicious actors. 

Why aren't more ransomware attackers caught?

There are many reasons why ransomware attackers manage to evade detection. First, there’s the international nature of cybercrime, which means that investigations often require extensive diplomatic cooperation among multiple nations and agencies.

There’s also the growing technical sophistication of malware itself, which often poses several different threats within the same attack. But at an even more basic level, there are just too many ransomware attackers, operating in too decentralized a manner, with too many strong incentives to continue perpetrating attacks, for most of them to be brought to justice.

Below, we’ll dive into several of these issues and incentives in more detail:

 We’ll also offer some suggestions to help your organization stay safe and mitigate the impact of ransomware attacks.

Ransomware is getting more sophisticated

The ransomware industry has grown more complex on several fronts. 

First, attackers have begun to coalesce into highly dangerous criminal enterprises.

These enterprises often share crucial infrastructure but operate in a decentralized fashion to make themselves harder to trace. Different teams in these organizations may specialize in different aspects of the ransomware attack, from stealing the data to communicating with the victim to publishing the exfiltrated material. 

Second, the underlying technology behind ransomware attacks has grown more complex.

According to the Center for Internet Security, ransomware has recently expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. The result is stealthier encryption and more comprehensive and targeted damage

Lastly, ransomware attackers are now using a multi-pronged approach to ensure they are paid.

If an organization has backups in place to restore affected systems and files, the attackers may target the backups themselves. Or, they may threaten to release an organization’s sensitive data — everything from patient information to financial reports and trade secrets — to get what they want.

Businesses keep paying ransoms

The FBI and other cybersecurity experts have urged victims not to pay ransoms, as there is no guarantee that payment will make the attackers actually give up the decryption key or restore access to the affected files or systems. There’s also nothing to prevent a ransomware organization from targeting the same victim a month or a year later.

According to a May 2022 CyberTalk report, 63% of affected organizations paid the ransom — including a staggering 26% of organizations that had backups in place to restore their data. Nor were these small payments; the same report noted that one in ten victims paid more than $1 million.

With such significant payouts, it’s no surprise that ransomware attacks are spreading faster than law enforcement agencies and task forces can track and prevent them.

Ransomware insurance covers the costs

Another incentive for ransomware attackers is the existence of lucrative insurance payouts. An astonishing 83% of mid-sized companies currently rely on cyber insurance to help mitigate the cost of a ransomware attack — meaning that attackers who target this kind of organization are likely to receive the full ransom payment for their trouble.

While this is great news for companies who invest in cyber insurance, it’s worth noting that insurance policies have recently become more difficult to qualify for. Insurers are increasingly reluctant to pay out ransoms unless organizations first adhere to strict compliance frameworks and implement strong data security measures.

Cryptocurrency facilitates cybercrime

A final reason that ransomware attackers are able to evade detection is the use of cryptocurrency for ransom payments. Cryptocurrency transactions are not impossible to trace, but it is often difficult to track them because of their anonymous nature.

Cryptocurrency also facilitates fast international money transfers, making it easier to launder ransom payments without detection.

That’s why many attackers require that ransoms be paid in cryptocurrencies like Bitcoin. No personal identification is required for an attacker to obtain a crypto wallet, receive a large payment, and then vanish into the ether.

What can organizations do about ransomware?

With ransomware attackers avoiding detection and prosecution — and with major incentives remaining for them to continue their attacks — the threat of ransomware will likely keep growing. So what can organizations do to keep themselves safe?

Traditional data backups no longer cut it. Backup servers can now be infected with time-delayed ransomware, which means that backups can be compromised without companies realizing it.

Luckily, there are a number of data security recommendations that companies can follow from organizations like CISA and the Center for Internet Security. From training employees on phishing attempts to creating multiple iterations of backups and employing antivirus and anti-spam solutions, businesses can take many solid measures to help minimize the risk of ransomware. 

However, for more advanced protection, some companies may turn to outside solutions.

Consider Microshard™ technology

ShardSecure’s innovative, patented Microshard technology desensitizes sensitive data for use in multi-cloud and hybrid-cloud environments and helps mitigate against the impact of ransomware. We achieve this through our three-step microsharding process:


Microshard technology begins by shredding data into four-byte microshards that are too small to contain a complete birthdate, social security number, or any other piece of sensitive data. 


Next, poison data is added and the microshards are mixed into multiple logical Microshard containers. Identifying information like file extensions, file names, and other metadata is also removed.


After being mixed, the Microshard containers are distributed across multiple customer-owned storage repositories. These storage repositories can comprise multi-cloud or hybrid-cloud configurations.

With Microshard technology, confidential material that is exfiltrated in a ransomware attack will be unusable to anyone who would seek to extort your organization. Even if a Microshard storage location is compromised, the attackers will have access to only an unintelligible fraction of the complete data set — and no way to rebuild it.

Microshard technology also helps mitigate the effects of ransomware in the cloud with its self-healing data and its RAID-5-like ability to reconstruct affected data. These features mean that Microshard data containers can be rebuilt whenever they’re tampered with, deleted, or held hostage by ransomware.

Using an automated control, multiple data integrity checks detect unauthorized modifications — including those caused by cloud storage ransomware — and roll back data to its earlier state as soon as a single byte is changed. This means that real-time ransomware repairs can begin automatically and in a way that is transparent to users. Without manual intervention, organizations can restore their compromised data, avoid an outage, and maintain business continuity.

Interested in learning more about how ShardSecure can help your organization mitigate the impact of ransomware? Contact us today to schedule a demo and learn more about Microshard technology.