Widely disruptive, large-scale hacks are surging.

After a lull in 2022, ransomware attacks on high-value targets such as big companies, banks, hospitals or government agencies, have seen a “massive uptick” this year, rising 51% through late November, according to cybersecurity firm Crowdstrike Holdings Inc. Last year, such attacks declined from the year before, the company said.

And the breaches are costing victims more money. Payments made to hackers who hold systems hostage for ransom increased by almost half through September, according to blockchain analytics firm Chainalysis Inc, totaling almost US$500mil (RM2.34bil) in payouts.

“Activity is at an all-time high,” said Nikesh Arora, chief executive officer of network security company Palo Alto Networks Inc. Arora singled out ransomware attacks in particular as increasing in frequency and severity during a recent call with investors. “Bad actors are doing damage in a much shorter amount of time,” he said.

In just the past few months, hackers have paralysed shipping at some of Australia’s largest ports; wreaked havoc on Las Vegas casinos; brought about a shortage of disinfecting wipes and garbage bags at Clorox Co; and disrupted clearance of some Treasury market trades.

The number of victims of cyber extortion – which includes ransomware – in the first three quarters of 2023 is already 33% higher than all of last year, according to a report published last month by Orange Cyberdefense, the cybersecurity arm of French telecommunications service provider Orange SA.

Most of the roughly 2,900 known new victims were concentrated in the US, the UK and Canada, with growing numbers in India, the Pacific islands and Africa, according to the report. This year has seen the highest count of victims Orange has ever recorded.

The surge in activity is all the more striking after ransomware attacks slowed by some measures last year. The lull corresponded to the timing of Russia’s invasion in Ukraine in February 2022, and some experts link it to the fact that many hackers are believed to be based in Eastern Europe and redirected their efforts or were otherwise distracted. Other theories posit that hacking groups were lying low after a series of high-profile attacks drew the attention of law enforcement.

“A lot of time was spent attacking Ukraine or Russia, but the war has bee n going on so long, these guys are like, ‘we have to make money again’, so they’re back doing their financially-motivated attacks,” said Jon Clay, vice president of threat intelligence at security software maker Trend Micro Inc.

The high-profile breaches reflect the ease of launching attacks now and the huge amounts of money to be made from them. The nearly endless supply of potential victims has fueled a rise in criminal activity where the goal is indiscriminate exploitation of as many targets as possible. The hackers’ success in getting paid rises in step with the amount of disruption they cause in a victim’s computer systems, experts say.

The problem is difficult for law enforcement to control. One reason is that many victims, desperate to recover their data or keep it off the dark web, or both, wind up paying the extortion, which fuels further attacks. Another is the scale and global nature of the industry, as many of the hackers are based in Russia or other countries that provide them with safe haven.

Growing awareness has led many organisations to invest in backup infrastructure that can be activated in an emergency and cyber incident response training, giving them leverage with the hackers to negotiate a lower payment or to avoid paying altogether, said Bill Siegel, chief executive officer of ransomware incident response company Coveware.

This year, the gross volume of dollars being paid to cyber extortionists is actually down 20%, Siegel said. However, when victims do pay, the average amount is increasing, reaching US$851,000 (RM3.98mil) in the third quarter of this year, according to Coveware.

Tracking trends in hacking is notoriously difficult. Not all victims disclose when they’ve been breached, and those that do typically provide few details. Data maintained by cybersecurity firms often includes only the experiences of their own customers, and leak sites maintained by hackers usually don’t name victims who pay up.

“This is just a partial view on the whole problem of cyber extortion,” the Orange report acknowledged. “We are very aware that there is a high dark number of victims that we simply don’t know of.”

A spike in ransomware attacks in 2021, including one on Colonial Pipeline Co that upended fuel supplies on the US East Coast, prompted the Biden administration to declare ransomware a national security priority. Since then, the US and many of its allies have attempted to crack down on hacking groups, in part by cutting off criminals’ cryptocurrency resources.

The Ransomware Task Force, a cyber-focused nonprofit, set out a list of 48 actions the public and private sector could take to mitigate such attacks, and as of Dec 18 companies will be required to disclose cybersecurity incidents to the Securities and Exchange Commission within four business days of determining they are material to investors. Under the new rules, businesses will have to report on the impact of the hack, including what data was publicly disclosed and to the processes the company took to mitigate risk.

The government is “using all the tools available” to stop hackers, said Eric Goldstein, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency. “Unfortunately, the full scope of the problem can be difficult to measure because ransomware incidents are still widely underreported.”

Another challenge for authorities is that cyber extortion groups tend to have a very short lifespan – most last no longer than six months – which makes investigating and disrupting their activities hard, the Orange report found. Just 23 cyber extortion groups that Orange Cybersecurity tracks survived into 2023; 25 others disappeared altogether from the year before, while 31 new groups sprang up to take their place.

“Every day we are getting more attackers at a speed the industry has never encountered before,” said Jon Miller, co-founder and chief executive officer of Halcyon, a California-based maker of anti-ransomware software. The top hacking groups are perfecting a kind of franchise model, selling technologies and data to new entrants which then share the profits from their attacks, he said.

“The more skilled attackers go after the higher-tier targets – these are still primarily Russian – and now you also have medium-tier attackers going after the tier below,” Miller said. “Everyone profits and the attacks they are doing are super impactful.”

LockBit, ALPHV and Cl0p have been some of the most active ransom groups this year. Cl0p, for instance, was behind the breach of MOVEit file transfer software over the summer, an attack that has affected more than 2,600 organisations, according to Brett Callow, a threat analyst at Emsisoft. LockBit was behind an attack last month against the US arm of Industrial & Commercial Bank of China Ltd, which disrupted the US$26bil (RM121.79bil) US Treasury market, and an attack the month before that took down a website that Boeing Co uses to sell spare aircraft parts, software and services.

In the case of the casino hacks, a group known as Scattered Spider, which often breaches networks by calling or texting IT help desk workers and convincing them they’re employees who need access to the network, was described by an executive at Google-owned cybersecurity firm Mandiant as “one of the most prevalent and aggressive threat actors impacting organisations in the United States today”.

Those attacks, and others like them, highlight what cybersecurity experts say is the growing use by hacking groups of sophisticated analog forms of social engineering to gain initial entry into an organisation.

The shift to work-from-home for many employers has also created new security vulnerabilities – and opportunities for hackers, according to Jim McMurry, founder and CEO of cybersecurity firm ThreatHunter.ai in California. Some of the biggest attacks from the past year have involved hackers getting faster at exploiting software flaws immediately after they’re publicly disclosed and before victims have much time to apply the required fixes, including for technologies necessary for remote work, he said.

“This rapid exploitation, combined with the widespread adoption of remote-work technologies, has created a perfect storm, making even the most robust systems vulnerable to attack,” he said. McMurry estimates his firm has responded to and investigated twice the number of incidents this year as last. – Bloomberg