Two reports released by the U.S. government provide important insights into the state of the ransomware threat. The FBI’s 2023 Internet Crime Report gives data on ransomware amongst other cybercrime types, while the Office of the Director of National Intelligence (ODNI) 2024 Annual Threat Assessment offers a strategic assessment of ransomware amidst a broader account of national security threats to the United States.

Combined, the two reports confirm what has been evident through multiple years of tracking and reporting:

  1. Ransomware continues to be “costly and impactful” for industry and government. The FBI Internet Crime Report notes an 18% increase in complaints received in 2023 from 2022 levels.
  2. Ransomware is now a staple national security risk for the U.S. government. It has been referenced in the last three ODNI annual threat assessments and was framed as such in the 2023 National Cybersecurity Strategy, “Ransomware is a threat to national security, public safety, and economic prosperity.”

Ransomware first appeared in an ODNI annual threat assessment in 2016, with this rudimentary but prescient assessment of the threat to come:

  • “‘Ransomware’ designed to block user access to their own data, sometimes by encrypting it, is becoming a particularly effective and popular tool for extortion for which few options for recovery are available. Criminal tools and malware are increasingly being discovered on state and local government networks.”

Fast forward, and ODNI has been including ransomware as part of its annual assessment for several years as criminals have moved away from spray-and-pray-style ransomware attacks to more targeted attacks. In that period, the ransomware-as-a-service (RaaS) model took over and the targeting of critical infrastructure commenced. This shift is why ransomware has consistently appeared on the main table of national security risks.

This evolution of the threat is noted in the handful of sentences dedicated to ransomware in the 2024 assessment. It acknowledges that ransomware criminals continue to evolve their operations -- some have defined this as a commercialization or industrialization of the crime type -- and the barrier to entry for new ransomware criminals is being lowered:

  • “The emergence of inexpensive and anonymizing online infrastructure combined with the growing profitability of ransomware has led to the proliferation, decentralization, and specialization of cyber criminal activity. This interconnected system has improved the efficiency and sophistication of ransomware attacks while also lowering the technical bar for entry for new actors”

Across both the 2023 and 2024 assessments, the ODNI confirms ransomware actors targeted critical services and infrastructure, including healthcare, schools, and manufacturing, with a significant number of attacks occurring in the U.S. However, the 2024 assessment indicates an expansion of targets to include low-income country networks, because of their weak cyber defenses and digitization efforts.

The trend of criminals targeting low-income countries is likely set to accelerate as other countries take steps to create greater whole-of-economy resilience and disrupt the operations of ransomware actors, thus forcing them to look abroad.

This dynamic will also continue as countries introduce requirements for reporting of ransomware incidents – coming soon through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and in Australia. As countries increase their visibility of ransomware through legislated reporting requirements, it will set the stage for incremental policy steps towards banning ransomware payments.

The International Counter Ransomware Initiative Summit of 2023 offered the first sign of a consensus in a communique from its annual meeting in Washington DC in November 2023. Forty countries and INTERPOL agreed to, “strongly discourage anyone from paying a ransomware demand.” Not exactly a breakthrough international agreement, but overt discouragement is better than silence.

The ransomware threat picture does not get much better when you delve into the FBI’s annual cyber crime report. While investment fraud continues to be the costliest internet crime type tracked by the FBI, ransomware complaints increased by 18% in 2023, after a slight downturn in 2022. Given its plea for organizations to report ransomware incidents, regardless of whether an organization decides to pay, it is clear the FBI does not have a clear grasp on the full extent of the payment picture. Hence, CIRCIA reporting will be pivotal to understanding the threat.

Other notable takeaways:

  • Incidents increased across all 14 critical infrastructure sectors affected by ransomware
  • The healthcare sector accounts for nearly 21% of all reported attacks

Ransomware is now a pervasive and persistent national security threat. The U.S. government is to be commended for its transparency in the FBI’s Internet Crime Report and the ODNI’s Annual Threat Assessment. Such openness deprives criminals of secrecy and alerts institutions and businesses to the growing threat they face.

The Biden Administration has reacted to this new threat paradigm by establishing domestic structures such as the Joint Ransomware Task Force and international groupings such as the International Counter Ransomware Initiative.

The threat will continue to evolve as criminals adapt to government policy approaches and harness new tactics, techniques, procedures, and capabilities -- AI foremost amongst them -- and so it is incumbent on governments to work with industry to put in place strategies to meet the three imperatives that exist for banning ransomware payments. Groupings such as the Institute for Security and Technology’s Ransomware Task Force, which unites key stakeholders across industry, government, and civil society, will play a pivotal role in this effort.

Adam Dobell
