RTF Year Two: New Map; New Data: Same Mission

By Bob Rudis on July 12, 2022

It’s hard to believe over a year has passed since the founding of IST’s Ransomware Task Force and launch of the inaugural “Combating Ransomware” report, which provides a comprehensive framework for action.

This year, we’ve continued to collect data from last year’s contributors:

Along with a new data partner, eCrime.ch, which contributed a staggering 3,000+ ransomware incidents from over 100 countries.

Combining this year’s data was somewhat challenging, since each source component of the full corpus contained incidents that duplicated those in other source components. Where the duplicates were obvious (i.e., the organization name, date(s), and details were close matches), it was pretty straightforward to account for them. There were other cases where the matches were not as easy to identify, and eCrime.ch’s large corpus component only had resolution down to date, country, sector, and company size. Therefore, we used some statistical approaches to account for any possibly remaining duplicates, erring on the side of dropping more records rather than chance wildly inflating counts.

From all our data sources, we estimate that in 2021 there were well over 4,000 documented ransomware incidents involving at least 60 ransomware “families”, impacting organizations in 109 countries.

To give readers a sense of the new scope and scale of this year’s data collection, here’s the difference in country-level events between 2020 and 2021 for just the countries we had data for in 2020:

As the range chart shows, we have much more insight into the prevalence and extent of ransomware attacks than we did previously, which is further emphasized when we provide a look at the entire corpus:

Over 53% of countries had at least one organization impacted by ransomware, and that statistic likely understates the real problem.

Ransomware Impacts Everyone

Of the ~3,000 incidents in the eCrime.ch corpus, 2,400 have complete family, country, sector, and organization size data for each event. We can use this to look at a few questions, such as: how big are the organizations ransomware groups are targeting?

Another question may be, “Do ransomware groups favor one sector over another?” The following chart shows that, while there is some preference for industries that either cannot afford to suffer much downtime (e.g., construction, manufacturing, healthcare, …) or that might have some data worth stealing or that they would prefer not be leaked (e.g., legal firms, real estate, financial services, …), ransomware targets may, more often than not, be victims of convenience.

A Look Across Time

The public data Allan Liska collects for Recorded Future is longitudinal, and we can use it to look across time to see the annual trends in [publicly disclosed] ransomware attacks for municipalities, schools/school systems, and healthcare organizations (combined):

As the chart notes, major factors, such as the Russia-Ukraine war, increased national and international law enforcement actions, threat actor group retirements, and other issues may account for the slow start to the year when it comes to disclosed attacks in the United States. It may also be that more organizations are paying without evidence of data leaks. We will have a better picture of this as the year progresses.

More To Come

With great data comes great responsibility! Over the coming months, the IST RTF team will be working to provide additional ways to explore the data in our corpus. If there are particular views you’d like to see or questions you would like us to poke at, drop us a line!

The work of the task force is nowhere near complete, and we continue to explore new avenues and expand existing projects to help organizations prevent attacks and recover quickly and safely from them when they occur.