Ransomware State Report 2022



Ransomware attacks increased another 80% between February 2021 and March 2022, according to Zscaler's analysis of ransomware payloads observed in its cloud. Double extortion attacks, which add data exfiltration to encryption, are growing even faster, 117% year over year.

ThreatLabz's State of Ransomware 2022 report breaks down a full year of data from a variety of sources, including more than 200 billion daily transactions and 150 million threats blocked daily across the Zscaler Zero Trust Exchange, and shows that ransomware is becoming even more attractive to criminals. Attackers are able to launch increasingly profitable campaigns based on three main trends:

  • Supply chain attacks leverage trusted relationships with suppliers to compromise organizations and multiply the damage of an attack by letting threat actors hit many (sometimes hundreds or thousands of) victims at the same time.
  • Ransomware-as-a-Service uses affiliate networks to distribute ransomware at scale, allowing operators skilled in breaching networks to share profits with the most advanced ransomware groups.
  • Multiple extortion attacks layer data theft, distributed denial of service (DDoS), direct contact with the victim's customers, and similar pressure tactics on top of encryption to increase ransom payments. Together, supply chain attacks, RaaS ecosystems, and layered extortion have increased both the volume and the success rate of attacks.

In this report, ThreatLabz offers a comprehensive view of the ransomware threat landscape to provide data on trends, predictions, and defensive guidance. This report includes a detailed analysis of the attack sequences, victim profiles, and business impact of the top 11 ransomware families, including:


  • Clop
  • Grief   
  • Hive   
  • BlackByte   
  • AvosLocker   
  • BlackCat/ALPHV
  • Conti   
  • LockBit   
  • PYSA/Mespinoza   
  • REvil/Sodinokibi   
  • Avaddon   

Figure: Percentage change in double extortion attacks by sector

Key findings

  • Ransomware attacks increased by 80% over the previous year, as measured across all ransomware payloads observed in the Zscaler cloud.
     
  • Double extortion ransomware increased by 117%. Some sectors saw particularly high growth in double extortion attacks: healthcare (643%), food services (460%), mining (229%), education (225%), media (200%), and manufacturing (190%).
  • The manufacturing industry was the sector that received the most attacks for the second year in a row, accounting for almost 20% of double extortion ransomware attacks.
     
  • Supply chain ransomware attacks are on the rise. Abusing a trusted vendor lets attackers compromise a large number of organizations at once, including organizations that otherwise have strong protections against external attack. Supply chain ransomware attacks in the past year include the campaigns against Kaseya and Quanta, as well as a series of attacks exploiting the Log4j vulnerability.
     
  • Ransomware as a service is driving more attacks. Ransomware groups continue to recruit members through underground criminal forums. These affiliates compromise large organizations and deploy the group’s ransomware, typically in exchange for around 80% of the ransom payments received from victims. Most (8 out of 11) of the top ransomware families in the past year have routinely proliferated through ransomware-as-a-service models.
     
  • Law enforcement is cracking down. Several of the biggest ransomware families in the past year—particularly those targeting critical services—garnered the attention of law enforcement around the world. In 2021, law enforcement seized assets from the most infamous ransomware families of the past two years.
  • Ransomware families aren’t going away; they are just getting a facelift. Feeling increased pressure from law enforcement, many ransomware groups have disbanded and reformed under new names but use the same (or very similar) tactics. 
     
  • The conflict between Russia and Ukraine has the world on high alert. There have been several attacks associated with the Russia-Ukraine conflict, some of which combine several tactics, such as the HermeticWiper wiper paired with the PartyTicket ransomware decoy. So far, most of this activity has been focused on Ukraine. However, government agencies have warned organizations to prepare for more widespread attacks as the conflict persists.
     
  • Zero trust is still the best defense. To minimize the chance of a breach and the damage a successful attack can cause, your organization should use defense-in-depth strategies that include reducing the attack surface, enforcing least-privilege access control, and continuously monitoring and inspecting data across the environment.

How to protect yourself against ransomware

Whether it is a simple ransomware attack, a double or triple extortion attack, a stand-alone threat family, or a RaaS attack executed by an affiliate network, the defense strategy is the same: employ the principles of zero trust to limit vulnerabilities, prevent and detect attacks, and limit the effects of successful breaches. Here are some best practice recommendations to protect your organization from ransomware:

  1. Get your apps off the internet. Ransomware operators begin their attacks by reconnoitering the target environment, looking for vulnerabilities to exploit, and calibrating their approach. The more applications you have published on the internet, the larger the attack surface. Use a zero trust architecture to broker access to internal applications so they are not directly reachable by attackers.
  2. Apply a consistent security policy to avoid the initial compromise. With a distributed workforce, it is important to implement a security service edge (SSE) architecture that enforces the same security policy no matter where users work, in the office or remotely.
  3. Use sandboxing to detect unknown payloads. Signature-based detection is not enough against rapidly evolving ransomware variants and packed payloads. Protect against unknown and evasive attacks with inline, AI-assisted sandboxing that judges a file by its behavior rather than by its signature.
  4. Implement a zero trust network access (ZTNA) architecture. Apply granular user-to-application and application-to-application segmentation, and mediate every access with dynamic least-privilege controls to eliminate lateral movement. This limits the data that can be encrypted or stolen and so reduces the impact of an attack.
  5. Implement inline data loss prevention. Prevent the exfiltration of sensitive information with inline data loss prevention tools and policies to thwart double extortion.
  6. Keep software up to date and train continuously. Apply security patches promptly and conduct regular security awareness training to reduce the vulnerabilities, technical and human, that cybercriminals exploit.
  7. Have a response plan. Prepare for the worst with cyber insurance, a data backup plan, and a response plan as part of your overall business continuity and disaster recovery program.
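Recommendation 3 above argues for behavioral detection over signatures. The following Python heuristic is an added example, not code from the report or from any Zscaler product, showing the signature-free pattern a sandbox or EDR sensor looks for: one process that, within a short window, overwrites many files with near-random bytes (ciphertext approaches 8 bits of entropy per byte) and changes their extensions. The event schema, process names, paths, thresholds and the captured events themselves are constructed for the example.

```python
"""Behavior-based ransomware heuristic over per-process file activity.

Added example (not code from the report or from Zscaler): flags a process
that, inside a short window, overwrites many files with near-random bytes
and/or changes their extensions. Event schema, paths, process names and
thresholds are constructed for illustration.
"""
import math
import ntpath
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float           # seconds since start of capture
    pid: int
    process: str
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # bytes written (op == "write")
    new_path: str = ""  # destination (op == "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_processes(events, window=60.0, min_files=20, entropy_threshold=7.0):
    """Return {pid: metrics}; 'suspicious' is True when either burst metric
    (high-entropy writes or extension changes) reaches min_files in `window` s."""
    hi_writes = defaultdict(list)    # pid -> timestamps of high-entropy writes
    ext_changes = defaultdict(list)  # pid -> timestamps of extension changes
    names = {}
    for e in events:
        names[e.pid] = e.process
        if e.op == "write" and shannon_entropy(e.data) >= entropy_threshold:
            hi_writes[e.pid].append(e.ts)
        elif e.op == "rename":
            old_ext = ntpath.splitext(e.path)[1].lower()
            new_ext = ntpath.splitext(e.new_path)[1].lower()
            if old_ext != new_ext:
                ext_changes[e.pid].append(e.ts)
    report = {}
    for pid, name in names.items():
        w = max_events_in_window(hi_writes[pid], window)
        r = max_events_in_window(ext_changes[pid], window)
        report[pid] = {
            "process": name,
            "high_entropy_writes": w,
            "extension_changes": r,
            "suspicious": w >= min_files or r >= min_files,
        }
    return report


def build_sample_events():
    """Constructed capture: a user editing a text file, then a process that
    overwrites 25 spreadsheets with random bytes in five seconds and appends
    a new extension to each."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    events = [
        FileEvent(0.0, 1001, "notepad.exe", "write",
                  r"C:\Users\alice\notes.txt", b"Quarterly planning notes. " * 100),
        FileEvent(0.5, 1001, "notepad.exe", "rename",
                  r"C:\Users\alice\~notes.tmp.txt", new_path=r"C:\Users\alice\notes.txt"),
    ]
    for i in range(25):
        p = rf"C:\Users\alice\docs\sheet{i}.xlsx"
        events.append(FileEvent(10.0 + i * 0.2, 4242, "updater.exe", "write", p,
                                rng.randbytes(4096)))
        events.append(FileEvent(10.1 + i * 0.2, 4242, "updater.exe", "rename", p,
                                new_path=p + ".locked"))
    return events


if __name__ == "__main__":
    for pid, metrics in score_processes(build_sample_events()).items():
        print(pid, metrics)
```

Two caveats a practitioner would apply before alerting on this: backup, archiving and compression tools also write high-entropy data in bursts, so the rule needs an allowlist of signed binaries or a second signal (such as the extension change here, or a ransom note dropped in every directory); and the thresholds must be tuned per environment, since a build server legitimately rewrites thousands of files a minute.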

To maximize your chances of defending against a ransomware attack, you must adopt layered defenses that can disrupt the attack at every stage, from reconnaissance to initial compromise, lateral movement, data theft, and ransomware execution.


shahnaz zulfqar