Companies Are Finding It Harder to Detect Ransomware

Fewer and fewer organizations are detecting ransomware on their networks and their endpoints, but that doesn’t mean that there are fewer ransomware attacks happening around the world.

Source: TechRadar Pro | Published on August 21, 2023



In fact, the contrary might very well be true, a report from Fortinet claims. Its latest research found ransomware operators are growing more sophisticated, and more picky when it comes to choosing their targets.

That makes them more successful and, at the same time, makes these intrusions harder for organizations to detect: Fortinet found that just 13% of victim organizations discovered ransomware on their devices in the first half of the year, compared to 22% five years ago.

Ransomware as a service

This increase in sophistication comes from ransomware becoming more of a service and less of a commodity. Threat actors are increasingly turning to ransomware-as-a-service offerings, in which a dedicated group develops and maintains the malware strain while a separate group pays to use it. This gives the developers more time to create more dangerous variants, and as a result the researchers documented “substantial spikes” in ransomware variant growth in recent years.

On a longer timeframe, ransomware detections are declining. On a shorter timeframe, however, they remain volatile, the researchers further stated: in the first half of the year there were 13x more detections than at the end of 2022. Year-on-year, the trend is still downward.

All of these threats came from roughly a third of all known advanced persistent threat (APT) groups. Fortinet says that out of 138 threat actors MITRE tracks, 41 were active in the first half of 2023, equaling roughly a third (30%). Of those, Turla, StrongPity, Winnti, OceanLotus, and WildNeutron were the most active.

Lately, ransomware operators have started ditching the encryption part of the attack, and focusing solely on stealing data and demanding ransom in exchange for keeping the data private.