What are the biggest ransomware trends facing US businesses?

The US accounts for over two-thirds of all global incidents

By Mark Rosanes

The US alone accounted for more than two-thirds (67.6%) of all ransomware attacks worldwide last year as the nation logged almost 421.5 million hits – a 98% rise year-on-year, according to a new report by cybersecurity firm SonicWall.

But despite the volume of attacks in the country nearly doubling, the increase was still below the global average of 105%, with Europe and Asia experiencing the largest spikes in ransomware attempts at 175% and 122%, respectively.

SonicWall’s 2022 Cyber Threat Report described 2021 as “one of the worst years for ransomware ever recorded” as attack volume rose to a staggering 623.3 million. The number is equivalent to 2,170 ransomware attempts per customer and almost 20 attempts every second. 

Separate research by tech giant IBM, meanwhile, revealed that ransomware topped all types of cyberattacks against North American organizations, accounting for 30% of attacks in the region last year. The number is higher than the global average of 21%, which is a slight drop from 23% in the year prior. IBM’s X-Force Threat Intelligence Index 2022 noted, however, that the decline “does not preclude a potential resurgence” this year.

As cybersecurity experts expect ransomware to remain a “grave and increasing threat” facing businesses, they are also urging organizations to arm themselves with the right information to help them take the necessary actions to combat this risk.

These are the biggest ransomware trends every business in the US should be aware of, according to SonicWall’s and IBM Security’s research.

1. Although attacks are on the decline, ransomware remains the top cyber threat facing US businesses.

In 2020, North America experienced more ransomware attacks than any other region, with this attack type accounting for 33% of all cyber incidents against businesses. This trend continued the following year, although ransomware’s share of attacks dropped to 30%, according to IBM’s report.

“It’s possible that the increased law enforcement activity in 2021, including the takedown of botnets and ransomware groups, are beginning to impede the attack rate we traditionally observed in the region,” the tech giant noted.

Globally, the frequency of ransomware attacks shifted throughout the year, with May and June seeing higher frequencies of attacks and January seeing lower ones, the research added. Ransomware attacks also appeared to decrease in late summer or early fall. Last year, the decline was largely seen in August and November, likely spurred by the shutdown of several groups in the months prior – DarkSide and Babuk in May, Avaddon in June, and REvil in October.

2. Ransomware volume in the US was more than double that of the other countries in the top 10 combined.

Data gathered by SonicWall shows almost 421.5 million ransomware attempts against businesses in the US in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits. Ransomware attempts against the US were more than double those of the other countries in the top 10 with the most hits, which included the UK, Brazil, Canada, Colombia, France, South Africa, Belgium, and Mexico. Combined, these nations logged about 174 million ransomware attempts.

3. REvil is the top threat actor in the region.

REvil accounted for 43% of ransomware attacks in North America in 2021, according to IBM’s data. The Russian-speaking ransomware gang, however, shut down last October after 31 months of operation. Despite this, law enforcement authorities are wary that the group may operate under a new name in the future, something it has already done when it rebranded from GandCrab in 2019.

The other top threat actors the tech giant observed were LockBit 2.0, Conti, CryptoLocker, and Eking.

4. Phishing appears to be the attack vector of choice.

IBM’s report also found that phishing was the attack vector of choice for threat actors targeting businesses in the US, with 47% of incidents using this technique to gain initial access. Among the top spoofed brands are Microsoft, Apple, Google, Amazon, and Facebook.

“Threat actors may be focused on phishing as more North American organizations implement robust patch management programs in the face of several critical vulnerabilities released in 2020 and 2021,” the research noted.

Some threat actors, however, are going old school with their tactics, according to SonicWall. The cybersecurity specialist cited FIN7 – the group responsible for the BlackMatter and DarkSide ransomware operations – which used UPS and USPS snail-mail ransomware to attack US businesses in the insurance, defense, and transportation sectors.

“Targets received one of two packages: One, purportedly from Amazon, arrived in a gift box accompanied by a thank-you letter, a fake gift card, and a USB drive,” the firm explained in its report. “The other, disguised as a package from the US Department of Health and Human Services, included a page of guidance regarding COVID-19 and a USB drive.

“If plugged in, these drives — which are loaded with ‘BadUSB’ attacks — are able to register themselves as keyboards, emulate keystrokes, execute commands, and install malware, ultimately creating an entry point for ransomware, commonly BlackMatter or REvil.”

5. Triple extortion gains ground.

In the middle of last year, SonicWall revealed the rising trend of double extortion, in which ransomware gangs “exfiltrate data prior to issuing a ransom note and encrypting the system,” then use that information as leverage to increase the odds of securing payment.

Some organizations, however, still refused to pay – either on principle or in the belief that paying would not guarantee the safety of their data. Because of this, some ransomware operators turned to these businesses’ customers for payment in a tactic called triple extortion.

Like double extortion, triple extortion begins with ransomware operators exfiltrating large quantities of data, usually before encrypting the victim’s network. But where double extortion groups threaten to release this data, triple extortionists filter through it, find out who might have the most to lose, and then demand ransom from them as well, SonicWall explained.

To mitigate the risk of a ransomware attack, the firm emphasized the importance of having “proactive defense” for every business. 

“Cybercrime has evolved, making it harder for defenders to protect against, detect, and stop attacks from entering their networks,” SonicWall wrote in the report. “As the pace of attacks continues to increase, and the ways attackers breach and infiltrate systems continue to become more targeted and evasive, the future will increasingly belong to the proactive.”

“Proactive organizations have a thorough understanding of both their network and the threat landscape, allowing them to adapt and shift just as agilely as cybercriminals,” the firm added. “This enables them to quickly detect and stop attacks.”
