- Human-operated ransomware remains the most prevalent form of ransomware, according to Microsoft, because it elicits the highest rate of successfully compromised targets.
- One-third of organizations targeted by human-operated ransomware are compromised, and 5% of those organizations ultimately fall victim to these more selective attacks, Microsoft reported in its Digital Defense Report published on Friday.
- “This franchising of the cybercrime economy has expanded the attacker pool. The industrialization of cybercriminal tooling has made it easier for attackers to perform intrusions, exfiltrate data and deploy ransomware,” Microsoft said in the report.
Ransomware has evolved from a single group developing and distributing a ransomware payload to the ransomware-as-a-service model. This shift allows threat actors to be more strategic in identifying targets, which increases their rate of success.
Unlike commodity ransomware attacks, human-operated ransomware is “driven by humans who make decisions at every stage of the attacks based on what they discover in their target’s network,” Microsoft said in the report.
Ransomware-as-a-service affiliates significantly narrow down their potential targets based on intended impact or potential profit, according to a model Microsoft created from endpoint detection and response data for the first six months of 2022.
Ransomware affiliates target an average of about 2% of the compromised networks they purchase access to via access brokers. One-third of that narrowed pool of organizations is successfully compromised, and 5% of those organizations are ultimately ransomed, according to Microsoft research.
For every 2,500 potential target organizations ransomware affiliates gain access to via security brokers, 60 encounter ransomware activity, 20 are compromised and one falls victim to a successful ransomware event, Microsoft said.
“Expanding relationships between specialized cybercriminals have increased the pace, sophistication and success of ransomware attacks,” Microsoft said.
This dynamic gets to the heart of what National Cyber Director Chris Inglis warned about during the RSA Conference in June when he said all federal agencies and cyber defenders need to “crowdsource [transgressors] the way they’ve crowdsourced us.”
Ransomware payments surged in 2021 to a total of nearly $1.2 billion, reflecting a 188% year-over-year increase from 2020, according to the Treasury Department’s Financial Crimes Enforcement Network.