Mumbai: Nearly 50% of all the incident response (IR) in 2021 that Kaspersky’s GERT handled was ransomware linked. This key finding revealed in Kaspersky’s annual Security Bulletin series examines critical security trends over the past year, an in-depth analysis of the current ransomware landscape in 2021 and predictions for 2022.
Nearly every second security incident from January to November 2021 that Global Emergency Response Team handled was connected to ransomware. This is nearly 12 percentage points more than 2020. Kaspersky’s GERT is in charge of handling IR for mid-size to large organisations.
In the aftermath of any breach incident or cyberattack, organisations call security experts to limit the damage and prevent the further impact of an attack – that is termed as the incident response (IR).
Ransomware operators have refined their arsenal, focusing on fewer attacks against large-scale organisations, and an entire underground ecosystem has appeared to support ransomware gangs’ efforts.
In fact, for the first 11 months in 2021, the percentage of IR requests processed by Kaspersky’s GERT was up 46.7% –a jump from 37.9% for 2020 and 34% for 2019.
Percentage of ransomware related IR requests per year
The most common targets were those in the government and industrial sector; together, attacks against those two industries compromised nearly 50% of all ransomware linked IR requests in 2021. Other popular targets included IT and financial institutions.
Interestingly, as ransomware operators have shifted to bigger ransom demands and more high-profile targets, they have been facing increasing pressure from politicians and law enforcement agencies—making increasing the efficiency of attacks critical.
Kaspersky experts have noted two important trends that will gain in popularity in 2022. First, ransomware gangs are likely to more frequently construct Linux builds of ransomware to maximize their attack surface. This is something that has already been seen with groups like RansomExx and DarkSide.
In addition, ransomware operators will start to focus more on “financial blackmail”. This is when operators threaten to leak information about companies when they are undergoing critical financial events (i.e conducting a merger or acquisition, planning to go public) to undervalue their stock prices. When companies are in such a vulnerable financial state, they are more likely to pay the ransom.
“We began talking about so-called Ransomware 2.0 in 2020, and what we’ve been seeing in 2021 is this new era of ransomware coming into full force,” said Vladimir Kuskov, Kaspersky’s Head of Threat Exploration.
“Ransomware operators aren’t just encrypting data; they’re stealing it from critical, large-scale targets and threatening to expose the information if the victims don’t pay. And Ransomware 2.0 isn’t going anywhere in the coming year,” added Kuskov.
“At the same time, now that ransomware is in the headlines, law enforcement agencies are working hard to bring prolific groups down—which is what happened with DarkSide and REvil this year,” said Fedor Sinitsyn, Security Expert – Kaspersky.