The last few years have followed a consistent theme: the continued rise of ransomware and phishing attacks. 2022 was a year of change for the cyber threat landscape, as cybercriminals mixed up both their attack methods and the attack vectors they went after.
Ransomware in particular saw a 21% decrease in the number of attacks. The #1 nation-state involved in ransomware is Russia, which had its hands full with the war in Ukraine; 2021 saw several ransomware gangs busted in a flurry of headlines; and it has become more difficult for cybercriminals to move money internationally.
Unlike ransomware, which announces its presence, thrives on branding and notoriety, and relies heavily on direct contact with victims, cryptojacking can succeed in complete silence. For some cybercriminals feeling the heat from increased enforcement efforts and ongoing geopolitical conflict, a consistent, lower-risk income stream may be worth sacrificing a potentially higher payday. In 2022, SonicWall researchers noted a 43% increase in cryptojacking.
An increased awareness of ransomware motivated many organizations to create and maintain strong backups and incident response plans, making file encryption less effective than it once was.
In response, 2022 brought growth in the number of ransomware groups that no longer actually deploy ransomware. These attackers, referred to as “extortion groups,” include both Lapsus$ and Karakurt, each of which became a major threat without encrypting a single endpoint. Using social engineering, vulnerability exploits, stolen credentials or other tactics, these groups gain unauthorized access to a target network. Then, once they have stolen data, they threaten to leak it if the victim does not pay up.
While these attacks carry the same reputational damage, data leaks, and risk of compliance issues and lawsuits as traditional ransomware, they are much harder to trace. Since no actual ransomware is involved, such incidents are often lumped under the generic heading of “malware” in tracking. However, this is a distinct form of extortion and needs to be tracked by vendors as such, despite the absence of endpoint encryption.