New data from a Freedom of Information request to the Financial Conduct Authority (FCA) has revealed a resurgence in ransomware-related incidents following a quieter 12 months in 2022.  In order to initiate a successful ransomware attack threat actors need to consider a number of high level factors (or building blocks); ransomware delivery, distribution of ransomware within the environment, evasion of commodity AV/Anti-Malware detection, and an exfiltration mechanism.

The maturity of proactive cyber security systems (with embedded AI / ML) has allowed cyber defenders to detect and mitigate initial and latter phases of ransomware attacks more efficiently. Threat detection enhancements also allow for a faster creation and distribution of antimalware signatures (file hash, heuristics, behavioural etc.) which means even the less sophisticated antivirus or anti-malware solutions benefit. These factors decrease the MTTD (Mean Time To Detect), and MTTR (Mean Time To Respond) sufficiently to deal with less sophisticated opportunistic ransomware attacks, as cyber defenders can take action prior to the latter phases (distribution & detonation of the ransomware).

In addition to this, regulatory requirements relating to breach disclosure and recovery plans are becoming more stringent in order to influence the security posture and capabilities of public and private enterprise. More sophisticated threat actors (APT – Advanced Persistent Threat) continue to focus on stealthy implementations of necessary building blocks of a ransomware attack in the form of previously unknown or unpublished vulnerabilities in applications, operating systems or authentication/authorization systems.

The outcome is that less sophisticated attacks, targeting large enterprise (with a high level of cyber defence capability) and small enterprise (with entry level cyber defence capability) are much more likely to be detected and mitigated. Rather than it being a boom or bust scenario, it’s more likely that the overall global attack surface is better protected, which means the success rate of the opportunistic threat actors has fallen, leaving only the APT groups with reasonable chance of success against enterprises with entry level cyber defence capability, and a much smaller chance of success against large enterprises with high level cyber defence capability.