The frequency, severity and sophistication of ransomware attacks in the US rose dramatically in 2021 compared with the prior year, according to Fitch analysts, who expect the trend to continue as long as profit incentives remain high and outweigh the perceived risk of criminal prosecution.
In 2021 it was reported that there were 421.5 million attempted ransomware attacks in the US, and 623.3 million globally, up 98% and 105% YoY, respectively, according to a March 2022 report from the Senate Committee on Homeland Security and Governmental Affairs.
Fitch also stated that ransom payments are increasing: in 1H21, financial institutions reported $590 million in ransomware payments, exceeding all payments made in 2020.
Fitch added that cybercrime has increased since the start of the global pandemic, as businesses expanded their remote access capabilities and digital footprints.
In addition, according to the Senate report, ransomware attacks on government entities outpaced attacks on the private sector, and sectors that hold valuable personal information, such as healthcare and financial services, were targeted the most.
Data compiled by Fitch Ratings as of 4Q21 showed that Professional Services was the industry most targeted by ransomware, at 20.4% of attacks, with Consumer Services following close behind at 12.8%.
Fitch also notes that cyber criminals are increasingly utilising denial of service (DoS) attacks, as well as other techniques such as ransomware-as-a-service (RaaS), and are continually rebranding to evade law enforcement.
The stealing and encrypting of sensitive personal data in double- and multi-pronged extortion attacks is also said to have grown dramatically; these attacks often rely on leak sites on the "dark web", where attackers threaten to release sensitive data and personal information unless paid.
However, Fitch adds that the increase in incidents has led to executive orders and proposed legislation to address these risks, along with several high-profile arrests of members of different ransomware groups; some groups have even claimed to have shut down, if only temporarily.
Furthermore, in the US, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated minimum hygiene levels, and the FBI patched vulnerable servers via a court order. The SEC has also recently proposed new rules for enhanced and standardised cybersecurity incident reporting, requiring publicly traded companies to disclose incidents within four business days of the event.
Fitch says, “These positive steps are additive, with potential material benefit from increased levels of transparency regarding cyber risk, and the elevation of these risk concerns to the board and executive levels. This is critical as boards establish budgets for risk management, but more importantly approve risk parameters and choose leadership that establishes risk culture.”