Coveware issued its 2021 Q4 Ransomware Report on February 1, 2022. The report stated that although average and median ransom payments increased “dramatically” in Q4, “we believe this change was driven by a subtle tactical shift by Ransomware-as-a-Service (RaaS) operations that reflected the increasing costs and risks” of executing an attack.

Because it is riskier and costlier to execute an attack, attackers are shifting from large company targets to smaller ones so they can stay under the law enforcement radar. This shift is seen in the statistic that “the proportion of companies attacked in the 1,000-10,000 employee count size increased from 8% in Q3 to 14% in Q4.” Because of large law enforcement takedowns in 2021, Coveware expects “RaaS operations to try and mitigate the size of the targets on their back to the extent possible.”

Data exfiltration continues to be a “popular tactic” and 84 percent of ransomware attacks in Q4 included data exfiltration. The RaaS model continues to dominate such attacks, which Coveware predicts will continue in 2022. The most common ransomware variants in Q4 included: Conti, LockBit 2.0, Hive, Mespinoza, Zeppelin, BlackMatter, and Suncrypt. Two new variants hit the top 10: Karakurt and AvosLocker.

The top tactics used by the attackers included Persistence (82 percent), Lateral Movement (82 percent), Credential Access (71 percent), Command and Control (63 percent), and Collection (61 percent), while the most common initial ingress vectors continue to be RDP compromise, email phishing and software vulnerability.

In Q4, Coveware found that “ransomware continues to be a crime of opportunism, not specific targets.” The top industries attacked included professional services, consumer services, materials, public sector, and health care.

The average duration of an incident in Q4 2021 was 20 days, which Coveware attributes to the ability of the attacked companies to be able to recover from backups “which is ALWAYS faster than attempting to decrypt data with a threat actor decryptor.”

The Coveware quarterly report is always a good read and spot on with its analysis of the current state of ransomware attacks.