
Ransomware encryption down amid surge of attacks, Microsoft says

The company reported a threefold drop in ransomware attacks that made it to the encryption stage over the past two years.
NEW YORK, NY - Exterior view of the Microsoft Times Square building on January 29, 2023 in New York City. (Photo by Kena Betancur/VIEWpress)

The number of ransomware attacks that reach the encryption stage fell threefold over the past two years, due in large part to automatic attack disruption technologies, according to a report out Tuesday from Microsoft.

The findings — which come as part of Microsoft’s fifth annual Digital Defense Report analyzing trends between June 2022 and July 2023 — come amid the company observing a 275% year-over-year increase in ransomware-related attacks. 

The decrease in attacks reaching the encryption stage represents a “success story” in the fight against a dynamic ransomware ecosystem, Tom Burt, Microsoft’s corporate vice president of customer security and trust, told reporters ahead of the report’s release.

With improved defenses and better recovery technologies enabling companies to refuse ransom payments, attackers are more likely to steal data and threaten to release it, a trend that has increasingly played out over the past couple of years.


The ransomware problem highlights the overlap between nation-state activities and financially driven cybercrime, Burt said, a problem made worse both by countries using such operations to generate money and by countries that do very little, if anything, to crack down on cybercrime emanating from within their borders.

Russian state-aligned cyber operations, for instance, are increasingly integrating commodity malware into their operations and are in some cases outsourcing cyberespionage operations to criminal groups, according to the report. 

In June, for instance, a group Microsoft tracks as Storm-2049 — which is tracked by the Ukrainians as UAC-0184 — used Xworm and Remcos RAT commodity malware to compromise at least 50 Ukrainian military devices, according to the report. 

“There didn’t appear to be any cyber criminal motivation for that activity,” Burt said. “We suspect that it was done in collaboration with the Russian military operation to gather intelligence and gain access to these devices for purposes of espionage.” 

Another group, tracked as Storm-0593 by Microsoft — and others as Gamaredon — and thought to be operated by the Russian Federal Security Service (FSB), handed off access to 34 compromised Ukrainian devices in June and July 2023 to a group known as “Invisimole,” which researchers have for years tracked as both a type of spyware as well as a group working with Gamaredon. 


Once Invisimole took over the devices, it established infrastructure linked to separate spearphishing attacks on Ukrainian military machines, Microsoft said, “suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives.”

The report also highlights an Iranian-backed group selling stolen data from an Israeli dating site through personas, as well as suspected North Korean operations deploying a custom ransomware variant known as FakePenny, suggesting “the actor had objectives for both intelligence gathering and monetization of its access.”

Burt said that although the last year has included some positive collaboration with governments to take down cybercriminal activity and combat nation-state operations, “the problem is that it doesn’t scale adequately to provide a real deterrence.”

“There seems to be virtually no consequence to these nation-state actions that we see not only continuing but escalating, both in their volume and sophistication, but also in their aggression,” Burt said, pointing to the Chinese-linked activity targeting non-military critical infrastructure known as Volt Typhoon as an example. “We need the nation states of the world to do more to deter this activity. Private sector can’t do that.”

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).