There were fewer ransomware payments in the second half of 2024, according to research from cryptocurrency tracing firms. There were certainly some high-profile attacks, but this matches my impressions from talking with lots of fellow data professionals around the world. This article talks about the trend, and speculates that law enforcement actions may have had some effect.
My guess is that this is likely a temporary decrease, as there is no shortage of criminals and so many tools are available on the Internet, especially the dark web. The idea of writing a piece of software to encrypt files isn't complex, and we've had people writing viruses for years. I suspect there is no shortage of smaller criminal organizations and individuals that will step in to continue attacks in the future. Whether that will be a lot of attacks or a few, I don't know.
One of the other problems is that so many organizations are loath to disclose they've been hacked if they don't have to do so. Lots of them would prefer to just pay a ransom and get back to work. I don't know how many IT pros agree with that, though often the employees just want to get past the attack as quickly as possible and restore their systems. I know that they often worry about future attacks, but I also wonder whether many IT pros know how to check their systems to be sure the malicious software is gone.
Securing your environment is hard, especially when most users (and IT people) want convenience. Many infrastructure people want to log in with a single account and get things done. Or they want an easy way to switch accounts when necessary, which isn't always convenient. Some of us are used to the runas command, but I've met many people who aren't.
I do like that much of the world is moving to managed identities or service accounts for processes, and to known accounts for CI/CD that handle deploying code while each of us just approves the deployment with our own credentials rather than moving bits directly. I am glad to see more and more people without rights to log into production, able only to submit batches to a system to run and get results sent back. All of those are good things which can prevent an infection from a website or email from spreading to production systems.
However, we still have lots of interconnections between systems for important data stored outside of relational systems. Even Storage Explorer-type access to Delta/Parquet files can be a problem if you have that. Databases are safer from ransomware, assuming you can lock down all OS/file system access. Maybe we ought to store more data in databases, even those crazy Excel/Word/etc. documents as binary files.
I'm OK with that, as long as we have a separate instance for those files. I have no desire to see more binary files stored in my OLTP database, or even on the same instance.