The Ransomware Threat: Is It Decreasing — Or Retargeting?

Shifts in threat data may indicate a change in ransomware tactics, not a ransomware reduction.

ESET Guest Blogger

November 11, 2022

3 Min Read
Computer code on a Computer code on a screen with a skull representing a computer virus / malware attack.Getty Images

There’s no argument that ransomware remains a massive global threat, with recent research showing over 70% of organizations impacted by successful ransomware attacks in 2021. But recent movements in ESET’s 2022 T2 Threat Report indicate a 24% decline in ransomware detections from early 2021, along with a geographic shift in attack prevalence away from Russia and back to the United States.

Is this an early indication that attackers are moving away from ransomware? Or is a shift in tactics and targets a better explanation?

Cybercrime Is a Business

While there are certainly some “sole proprietors” in the game, cybercrime is largely run as a business. And it’s big business, with the global cost of cybercrime to organizations exceeding $6 trillion in 2020, according to the World Economic Forum’s Global Risks Report. For perspective, that’s bigger than the world’s third largest economy (Japan) by GDP.

As in legitimate business, outsourcing is popular among hackers, with different groups managing different parts of an attack in coordination. With ransomware, for instance, one entity often handles the network incursion, while another is responsible for the malware and another for the data exfiltration.

Changes in tools and tactics could result in a short-term drop in ransomware activity as cybercrime companies take time to recruit new partners and intensify their R&D.

A New Ransomware Business Model

While attack frequency trends are debatable, it’s clear there are some changes being tested in the ransomware business model, including “extortion without encryption.” Why bother encrypting loads of data when you can just exfiltrate something sensitive and demand a ransom to keep it private?

If there’s no wholesale data encryption, the drama and disruption of a ransomware attack decrease significantly. Could this be contributing to a drop in reported attacks, as businesses choose to handle things quietly?

New Regulatory Pressures

In the wake of the Colonial Pipeline attack, President Biden’s May 2021 cybersecurity executive order and similar initiatives globally, ransomware has become a political and legislative priority. Importantly, there has been an uptick in regulations requiring cyber incident reporting when paying ransoms to hackers. We also see growing issues among cyber liability insurers due to the U.S. Department of the Treasury’s Office of Foreign Asset Control adding those behind ransomware and the associated crypto currency wallets to the sanctions list.

Such vectors could make it more complicated for a firm to pay a ransomware demand. Is this pressure influencing companies to tighten up their cybersecurity and block more ransomware attacks?

Another factor that could be reducing attack success rates is a worldwide awareness push, as exemplified by CISA’s Shields Up program in the United States. With CISA’s own data indicating that more than 90% of successful cyberattacks start with a phishing email, more mindfulness of cyber safety could be forcing hackers to work harder for their profits.


Nobody is going to walk away from the multi-trillion-dollar cybercrime opportunity anytime soon. But perhaps cybercrime businesses are choosing to duck the media and policymaking spotlights as they focus their attacks on lower-profile (that is, SMB/SME) victims.


Whatever cybercriminals are planning, improving your security posture should be your next countermove. ESET can help with a range of offerings in vital areas like multifactor authentication (MFA), endpoint detection and response (EDR) and cybersecurity awareness training. Visit our website to get protected.


Tony Anscombe

Tony Anscombe is chief security evangelist for ESET. With over 20 years of security industry experience, he is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit. He is regularly quoted in security, technology and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.

This guest blog is part of a Channel Futures sponsorship.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like