What was once a small cyber-criminal industry based around encrypting files on personal computers and demanding a ransom of a few hundred dollars for a decryption key had evolved into a massive ecosystem designed around holding critical services and infrastructure to ransom -- and making extortion demands of millions of dollars.
"They are really acting like a business. Aside from the fact they're not legitimately registered, they really are. They're functioning like a real business and sometimes the number of people within these organisations is bigger than some startups," says Christine Bejerasco, CTO at WithSecure.
"They have shown a lot of resilience and a lot of agility in adapting to what's new," she adds.
"The main challenge is we don't know what the trends really are because most companies don't disclose incidents," says Brett Callow, threat analyst at Emsisoft. "You can't manage what you don't measure."
Ransomware attacks against smaller victims are going unreported
While ransomware attacks against large organisations get noticed, a ransomware attack against a small or local business, where the victim quickly pays the ransom because they feel as if they've got no other choice, might not get reported at all.
Individual attacks against smaller targets won't bring a huge payday like a successful attack on a big corporation would, but by chaining together a series of attacks against a range of smaller victims, ransomware attackers can still turn a substantial profit.
Small and medium-sized businesses are unlikely to invest as much into cybersecurity as large businesses, so getting inside networks might prove easier. That means ransomware groups can hit several targets across a short period of time, which is crucial if they want to make as much money as possible.
"They're obviously not going to get the same massive pay-outs as they could from a larger enterprise, which means that they need to go from the initial penetration to successful extortion much quicker," says Callow, who suggests going after smaller businesses also brings another advantage to cyber criminals.
"Attacks on small businesses may not attract the same level of attention -- targeting local grocery stores may mean the risks of being pursued by US Cyber Command are somewhat less," he says.
"Since that event, the reality is threat actors have changed their understanding of the world a little bit. They've seen consequences that up until that point they really hadn't seen before," says Sherrod DeGrippo, senior director of threat research and direction at Proofpoint.
"Since then, we've seen other large ransomware events, but we haven't seen the indiscriminate hammering of everyone anywhere, the way that we had seen in the past," she adds.
Ransomware is loud – some criminals may turn to quieter alternatives
Gangs could still be laying the foundation for a new wave of ransomware attacks -- or as DeGrippo suggests, some hacking groups could be turning their attention towards other cyberattacks that are less noisy but nonetheless profitable.
"We're going to see that initial access leveraged at scale, so it may be ransomware final-stage payloads, maybe something else -- we may see a big return to banking trojans," she says, adding: "There are options that are a lot quieter, under the radar, that still offer significant paydays, but don't catch the attention of law enforcement."
There's another issue that could persuade some cyber criminals using ransomware to go down this path: cryptocurrency is volatile. So a ransom payment made in Bitcoin that's stored away could end up being worth a lot less by the time the attackers opt to cash out. For cyber criminals, it could be tempting to focus their attention on using malware to steal hard cash again.
"You tell a threat actor you can get the equivalent of a million dollars of bitcoin today or you can get a million dollars hard currency out of a banking trojan transferred to wherever you're doing your money laundering -- I think a lot of them would take the cash right now," says DeGrippo.
But that doesn't mean that ransomware is going away any time soon. While some may turn their gaze elsewhere, ransomware attacks are still a lucrative means of illicitly making money -- and ransomware attacks continue to evolve.
It seems inevitable that some of the most sophisticated, well-resourced ransomware gangs could turn their attention to compromising cloud service providers in attacks that wouldn't just affect one company, but thousands.
That approach would create a lot of leverage for the attackers to demand a large ransom demand from their target -- one that might get paid quickly because of the widespread disruption.
"If ransomware actors head in that direction, effectively encrypt the data in the cloud and hold those up for ransom, can you imagine if all the customer data in a service got encrypted because they managed to access an organisation and encrypted all the data? That would bring an organisation to its knees," says WithSecure's Bejerasco.
How to protect your network against ransomware attacks
That's why it's important to apply security updates and software patches as soon as possible, especially when they're for critical vulnerabilities, because that prevents cyber criminals from exploiting them to gain access to, or maintain persistence on, networks. Applying security updates across whole networks can be a challenge, but it's one of the most important things an IT department can do to keep the business safe from cyberattacks.
Multi-factor authentication (MFA) can also provide an important defence against ransomware and other cyberattacks. Many ransomware campaigns begin with cyber criminals stealing usernames and passwords and exploiting them to move around networks. Rolling out MFA to users makes it harder for cyber criminals to use stolen passwords. Unexpected login notifications can indicate that something is amiss and needs investigation.
It's also useful to ensure that employees are using unique, complex passwords that can't be easily guessed -- or cracked with brute-force attacks -- to help make the network as robust as possible against unauthorised intrusions.
And as ransomware is based around encrypting data, it's vital that organisations regularly back up their data -- and do so offline. Then, if the worst happens and the network is hit with ransomware, there's the option of restoring the data without paying a ransom to cyber criminals, although the rise of double-extortion attacks means stolen data could still be published because the ransom isn't paid.
Law enforcement and government officials strongly discourage businesses from paying ransom demands. Not only does it encourage further ransomware attacks, but you also don't know who you're paying -- and your cash could be going to a sanctioned or rogue state.
But whether a victim decides to pay a ransom or not, according to DeGrippo, it's vital that a plan is made in advance about what to do -- because having a strategy set out in advance is much more preferable to making one in a panic after falling victim to a ransomware attack.
"Each organisation must decide how they will handle the ransomware event well in advance of the ransomware event happening, and yes, that includes the dollar amount that you will or will not pay," she says.
"These are not fun discussions to have. But they're incredibly devastating and painful to have while a ransomware event is going on."