
With the increase in ransomware attacks over the past several years, cybercriminal gangs have become increasingly brazen with each incident, targeting larger and larger organizations and demanding greater sums of money from victims. If extortion demands aren’t met or ignored, attackers resort to releasing sensitive data on “dark web” information sites.

But something unexpected is happening to the ransomware extortion racket. In 2022, revenue from these attacks dropped to about $456.8 million, compared to $765.6 million in 2021—a decrease of about 40 percent year-over-year, according to a report published earlier this year by Chainalysis. The researchers found this change is likely the result of victims refusing to pay the gangs rather than a decline in attacks.

There are also signs that increased law enforcement is having an effect. Deputy U.S. Attorney General Lisa Monaco recently told the Wall Street Journal that a combination of better security practices by organizations, enforcement by the FBI and other agencies, asset seizures, and the willingness of victims not to meet attackers’ demands has rippled through the cyber underground. The same report quoted security firm Mandiant reporting a 15 percent decrease in ransomware intrusions in 2022.

In January, the FBI, Justice Department and European law enforcement announced the seizure of servers and infrastructure associated with the Hive ransomware gang, which previously targeted about 1,500 victims worldwide and extorted over $100 million.

Despite these reports and announcements, ransomware remains a significant security concern, especially for school systems, healthcare organizations and other companies and smaller government agencies that lack sophisticated cybersecurity defenses. Industry watchers note that tech and security pros must remain vigilant against a possible uptick in attacks, and keeping skills and training up-to-date is crucial.

“Even if there has been a dip in ransomware, and even if there is a declining trend that persists, the threat remains significant. And there are many attack methods beyond ransomware that are extremely disruptive and prohibitively expensive to address,” Mark Millender, a senior advisor at security firm Tanium, told Dice. “It is critical that cyber hygiene remains a primary focus and improves from the current state to mitigate this growing risk.”

Many Reasons to Remain Vigilant

One reason why some targeted organizations are reluctant to pay ransomware demands may have started in 2020. At the time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an alert warning cyber insurers that ransomware payments may run afoul of OFAC regulations, which could lead to a criminal investigation.

Even with a decrease in ransomware payments, Millender noted attackers still pose a significant threat to organizations, including data theft and long-term damage to infrastructure and networks.

“System downtime, investigation and remediation and unrecoverable data all have serious business impacts,” Millender said. “It’s important to keep in mind that cyber-attacks go well beyond ransomware, all of which can be very costly. The most obvious examples are data theft and commercial espionage. However, not all bad actors are looking for a ransom payout. There are other reasons, including theft of IP, activism or state-sponsored destruction.”

Other security experts note that Russia’s war with Ukraine also affected ransomware attacks. It’s now more difficult for criminal gangs based in Russia to collect ransoms due to additional sanctions imposed by the U.S. and European countries, said Joseph Carson, chief security scientist and advisory CISO at security firm Delinea.

While encouraging, these ransomware trends should not translate into complacency and organizations need to remain vigilant, which includes hiring tech and cybersecurity pros with specific skills and increasing training for current staff, Carson added.

“Organizations should continue to invest in their people and the training of cyber staffs to keep attacks down, while at the same time, maintaining ransomware protection and resilience as a top priority,” Carson told Dice. “They must continue to implement best practices such as strong privileged access security, multifactor authentication and a ransomware resilient backup strategy to ensure if or when they become a victim, they have a path to recovery.”

Several experts noted that cybersecurity training remains a must for all organizations, including non-IT employees. All workers must know how to spot phishing emails and determine if a suspicious outsider is attempting to gain initial access or a foothold in a network through social engineering or other means.

“Training should be adapted to educate users regarding the risks of remotely accessing resources, and how they should be accessing these internal resources in a secure manner,” Sajeeb Lohani, director of cybersecurity at Bugcrowd, told Dice. “These trainings need to be tailored to an organization’s infrastructure, ensuring the users do not need to guess or search about things, but rather can use the training as a reference for the future.”

Preventing the Next Ransomware Attack

With data showing ransomware attacks are slowing down from their peak of just a few years ago, experts noted that now is the time to shore up defenses to ensure that, if these threats pick up again, tech and cybersecurity pros are ready.

There are several techniques that tech and cyber pros can deploy now that can prevent or limit a ransomware attack as well as other types of intrusions, said Guillaume Ross, deputy CISO at security firm JupiterOne. These include:

Ensuring backups cannot be deleted and these files can be quickly recovered: While this might save an organization from having to pay a ransom, it might also be useful in a variety of other situations, including human error, hardware issues and software bugs that can corrupt data.

Preventing lateral movement by isolating devices on the network and ensuring none of the devices have credentials with access to entire environments: This prevents lateral movement, which is a technique ransomware threat actors love, but that is also used by many other malicious groups and threat actors.

Monitoring data exfiltration volumes: Many ransomware actors will ask for a ransom in exchange for not leaking your data. To do that, they have to exfiltrate it first. Detecting this could allow an organization to stop such an incident rapidly, no matter if it's a threat coming from a ransomware group or any other type of group.

Having good email security practices: By blocking potentially malicious attachments and preventing employee name usurpation, this technique protects against ransomware and is also useful to prevent fraud, such as business email compromise fraud and impersonating employees.
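As an added illustration of the exfiltration-volume monitoring advice above (example code written for this page, not from Ross or JupiterOne), the script below baselines each host's daily outbound bytes and flags a day that jumps well above that host's own recent median. The host names, thresholds and flow totals are constructed sample values.

```python
"""Flag hosts whose outbound byte volume spikes far above their own baseline.

Added example, not from the article: a minimal exfiltration-volume monitor.
The flow records below are constructed sample data, not captured traffic.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (day, source host, bytes sent to external destinations)
FLOWS = [
    ("2023-03-01", "ws-finance-07", 180_000_000),
    ("2023-03-02", "ws-finance-07", 210_000_000),
    ("2023-03-03", "ws-finance-07", 195_000_000),
    ("2023-03-04", "ws-finance-07", 205_000_000),
    ("2023-03-05", "ws-finance-07", 9_400_000_000),   # sudden ~45x spike
    ("2023-03-01", "ws-hr-02", 90_000_000),
    ("2023-03-02", "ws-hr-02", 110_000_000),
    ("2023-03-03", "ws-hr-02", 95_000_000),
    ("2023-03-04", "ws-hr-02", 120_000_000),
    ("2023-03-05", "ws-hr-02", 105_000_000),
]

def daily_egress(flows):
    """Sum outbound bytes per (host, day); return {host: [(day, bytes), ...]} in date order."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return {host: sorted(days.items()) for host, days in totals.items()}

def flag_exfil_spikes(flows, ratio=5.0, min_bytes=1_000_000_000, baseline_days=3):
    """Alert when a host's daily egress is at least `ratio` x its own median over the
    preceding `baseline_days` AND above the absolute floor `min_bytes` (the floor keeps
    a quiet host from alerting on a harmless small increase). Thresholds are assumptions."""
    alerts = []
    for host, series in daily_egress(flows).items():
        for i in range(baseline_days, len(series)):
            day, nbytes = series[i]
            baseline = median(b for _, b in series[i - baseline_days:i])
            if baseline and nbytes >= ratio * baseline and nbytes >= min_bytes:
                alerts.append({"host": host, "day": day, "bytes": nbytes,
                               "baseline": baseline, "ratio": round(nbytes / baseline, 1)})
    return alerts

if __name__ == "__main__":
    for a in flag_exfil_spikes(FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes']:,} B sent, "
              f"{a['ratio']}x the baseline of {a['baseline']:,} B")
```

In practice the per-host totals would come from firewall, proxy or NetFlow exports, and the ratio and floor should be tuned against the organization's own normal traffic before the alert is wired into a response playbook.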

For these reasons, and because ransomware can pick back up at any time, it makes sense for companies to keep addressing the root issues, Ross told Dice. “Training IT staff on these techniques can have very positive results, as opposed to adding more security people on a team. An IT team that knows its attack surface and understands how to prevent common attack patterns from occurring is a great thing to have in a company.”

By focusing on basics and core security principles, tech and cybersecurity pros can take advantage of this dip in ransomware attacks to ensure better cyber defenses. “Ransomware is not going away, and it’s essential that organizations keep focused on defending their infrastructures in a layered security approach, while also ensuring they have a solid, tested backup strategy,” said Mark Grazman, president at Conversant Group.