WatchGuard Blog

Ransomware detections on endpoints increase by 627%

Ransomware is still present and growing across the threat landscape, to the extent that some organizations now include the cost of a ransomware attack in their annual budgets.  

Data from our Internet Security Report - Q4 2022 reveals that ransomware detections on endpoints rose by an alarming 627% in 2022 compared to the previous year. While ransomware does not discriminate by industry type, the report clearly shows the manufacturing sector was the most affected during 2022.  Attacks on these devices increased by 87% in 2022 compared to 2021 and 72% of them targeted the manufacturing sector, according to a recent study on the threats and trends in the operational technology (OT) space. 

When was ransomware created and how has it evolved? 

The nature of ransomware has changed as cybercriminals have managed to refine their extortionary tactics. For example, in just one year, from 2021 to 2022, the average time to complete a ransomware attack dropped from two months to less than four days. But when was this type of cyberattack first created and how has it evolved into the threat we know today?  

  • 1989: The first ransomware attack occurred after the 1989 World Health Organization AIDS conference, when a malicious actor mailed out 20,000 floppy disks containing ransomware that held data hostage and demanded a payment of $189 under the guise of being an HIV survey. 

  • 2004 - 2006: In 2004, a phishing campaign with malicious links infected victims through an attack known as GPCode Archievius that encrypted files on Windows systems and demanded $20 for the decryption key. By 2006, the ransomware authors had directed their efforts towards Archievius, albeit unsuccessfully, as they did not use different passwords to unlock the systems and the targets of the attack discovered this error.  

  • 2010 - 2015: The 2010s saw the emergence of locker ransomware linked to the early days of cryptocurrencies. In 2011, WinLock infected users who visited malicious websites and blocked access to their devices. In 2012, the first ransomware-as-a-service (RaaS) emerged with the Reveton malware, an attack that masqueraded as messages sent by law enforcement and threatened users with jail sentences if they did not pay a ransom in Bitcoin. In 2013 CryptoLocker hit, a locker and crypto variant that netted its authors more than $27 million in ransomware payments in the first two months. With SimpleLocker, in 2014, ransomware took the leap from PCs to other devices, being the first ransomware to encrypt files on Android devices. And, in 2015, LockerPin, which also targeted mobile devices, locked users out of their devices and changed their PIN.  

  • 2016: Petya malware was the first variant that did not encrypt individual files, as hackers had managed to lock the entire hard drive of their victims faster. 

  • 2017: This year ransomware went global thanks to the WannaCry ransomworm, which affected hundreds of thousands of machines in more than 150 countries and across different industries. The NotPetya variant also emerged this year, which incorporated new wiping functions that could delete and destroy users' files.  

  • 2018-2022: Over the last five years ransomware has evolved into its most damaging phase yet. Among the factors that have influenced this transformation are the use of double extortion, where attackers not only encrypt but also steal their victims' data, and big game hunting, i.e., the pursuit of large companies as targets. It is important to note that the rise in big game hunting in no way rules out the ransomware attacks on smaller companies that have been observed in the past.  

  • 2022-2023: 2022 was a record year for ransomware detections for WatchGuard, with a 627% increase in detections compared to 2021. From our analysis we conclude that Lockbit is undoubtedly the ransomware group that appears to be the most successful at breaching corporate data, through its affiliates. New variants of Lockbit malware are appearing all the time.  

Ransomware trends are dominated by the rise of ransomware-as-a-service (RaaS), which has been driven by the increasing availability of RaaS platforms that now offer features and services such as malware customization, support or a ransomware payment system. Also, zero day exploits have become one of the preferred entry vectors for ransomware attackers. Technologies such as artificial intelligence and machine learning have also gained ground in this industry and are used by cybercriminals to make ransomware more sophisticated and difficult to detect. Attackers leverage automation to reduce the risk of human error, especially in the penetration phase, as it usually requires a significant investment of time and effort. Another trend that has gained traction is the personalization of these attacks, where actors study the profile of their victims in-depth and build an airtight strategy to deploy malware. Taken together, these developments have had a major impact on the trillion-dollar industry that cybersecurity represents today. 

Fighting ransomware with endpoint security 

To combat these trends, organizations must have advanced security controls in place to prevent an incident proactively and develop solid business continuity and recovery plans. Implementing a unified endpoint security solution that combines EPP and EDR capabilities offers advantages in dealing with advanced threats such as ransomware by providing continuous endpoint monitoring that can detect and classify all activity, thus revealing and blocking anomalous user, machine and process behavior.  

WatchGuard's EPDR solution fulfills these criteria while also automating the prevention, detection, containment and response capabilities of any advanced threat. This, in turn, enables proactive discovery of new cyberattack and evasion techniques and tactics, which is a key point considering the continuous evolution of ransomware and its increasingly advanced level of sophistication.  

If you want to learn more about ransomware and how to protect companies from this type of attack, visit the following content:  


Share this: