Downturn in Ransomware Attacks?
As much as it would be great to declare a downturn in ransomware attacks on critical infrastructure, it seems premature to do so. The frequency chart based on the CIRA dataset indicates that successful attacks every 2 or 3 days are more of a new normal.
Whether the law of averages applies is a fair question (I am doubtful, but time will tell).
It's also likely that ransomware attacks are underreported. Coming rules in accordance with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) are intended to address this issue.
Uniform incident reporting rules are welcome, especially the explicit focus on rapid reporting of ransom payment. Payment fuels the illicit market and is arguably where government is uniquely positioned to trace payment and identify attackers.
The CIRA dataset makes a best effort to track paid status. Unfortunately, paid-status updates arrive late, if at all. It's also nice to see which organizations refused to pay.
CIRA also attempts to track incident duration. Although organizations that recover rapidly are still underrepresented in the dataset, links are provided to find more information.
You might have other questions of interest. Perhaps we'll never have the data to answer with confidence, but here are a few questions that come to mind for me:
We'll always want more data to drive actionable insights. In the meantime, the available data shows that ransomware attacks on critical infrastructure continue to affect the global community.
Call to Action
Short term, consider starting the year with a renewed effort to check backups for your important systems and industrial applications. Engage your technology supplier to review the recovery plan for complex systems.
Medium term, identify your coalition to participate in the CIRCIA rulemaking process. Trusted advisors such as your sector ISAC could help ensure reporting rules make sense for all stakeholders.
Finally, critical infrastructure organizations will continue to invest in defensive initiatives. Where feasible, leverage Consequence-driven Cyber-informed Engineering (CCE) or a similar methodology to reduce the potential impact of a ransomware attack.
Peter Rus, Head of Product Security at AVEVA, 2 years ago:
Similar post suggests a key factor: "They need to be open for general public" https://www.dhirubhai.net/posts/tripledefence_inthemeantime-time4achange-tripled-activity-7016456910224691201-40ZU