Coveware issued its 2021 Q4 Ransomware Report on February 1, 2022. The report stated that although average and median ransom payments increased “dramatically” in Q4, “we believe this change was driven by a subtle tactical shift by Ransomware-as-a-Service (RaaS) operations that reflected the increasing costs and risks” of executing an attack.

Because it is riskier and costlier to execute an attack, attackers are shifting from large company targets to smaller ones so they can stay under the law enforcement radar. This shift is seen in the statistic that “the proportion of companies attacked in the 1,000-10,000 employee count size increased from 8% in Q3 to 14% in Q4.” Because of large law enforcement takedowns in 2021, Coveware expects “RaaS operations to try and mitigate the size of the targets on their back to the extent possible.”

Data exfiltration continues to be a “popular tactic,” and 84 percent of ransomware attacks in Q4 included data exfiltration. The RaaS model continues to dominate such attacks, which Coveware predicts will continue in 2022. The most common ransomware variants in Q4 included Conti, LockBit 2.0, Hive, Mespinoza, Zeppelin, BlackMatter, and Suncrypt. Two new variants hit the top 10: Karakurt and AvosLocker.

The top tactics used by the attackers included Persistence (82 percent), Lateral Movement (82 percent), Credential Access (71 percent), Command and Control (63 percent), and Collection (61 percent), while the most common initial ingress vectors continue to be RDP compromise, email phishing and software vulnerability.

In Q4, Coveware found that “ransomware continues to be a crime of opportunism, not specific targets.” The top industries attacked included professional services, consumer services, materials, public sector, and health care.

The average duration of an incident in Q4 2021 was 20 days, which Coveware attributes to the ability of the attacked companies to recover from backups, “which is ALWAYS faster than attempting to decrypt data with a threat actor decryptor.”

The Coveware quarterly report is always a good read and spot on with its analysis of the current state of ransomware attacks.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.