
Ransomware attacks less but more aggressively: what to do?

This year will be an overwhelming year for ransomware news. Law enforcement authorities dismantled the LockBit ransomware group following an international police operation earlier this year in which two people were arrested in Poland and Ukraine. On May 7, the US Department of Justice released a 26-count indictment against a Russian citizen and alleged leader of the LockBit organization. It is estimated that the syndicate stole $120 million from victims worldwide.

Disrupting and arresting ransomware criminals is good news and a small step in the right direction, although it is unlikely that law enforcement will be able to significantly curb the overall ransomware threat. This battle will determine how well companies protect their data and systems from such attacks. The Sophos State of Ransomware 2024 report, which analyzes events in 2023, found more good news: the number of organizations reporting that they were affected by ransomware fell slightly.

In the just-released Sophos study, based on a survey of 5,000 respondents in 14 countries, ransomware attacks decreased in 2023: 59% of respondents were hit by ransomware last year, a 5% decrease from the 66% hit in 2022 and 2021. It’s a small win, but given the ransomware scourge, companies will take whatever gains they can.

However, John Shier, field chief technology officer at Sophos, warns that the decline in ransomware attacks should not lull companies into complacency. “Ransomware attacks continue to be the biggest threat today, fueling the cybercrime economy,” Shier said.

That is sound advice. The average ransom payment increased by 500% last year, and the organizations that paid a ransom paid an average of $2 million. This is a significant increase compared to 2022, when the average ransom payment was $400,000. The 2024 report also found that 63% of ransom demands were for $1 million or more, with 30% of demands over $5 million.

The Cost of Ransomware

Ransomware gangs are demanding an average of $4.3 million in ransoms, with a typical demand of $2 million, and 63% of demands were for $1 million or more. It turns out that 76% of victims end up paying less than the original ransom demand. It’s worth negotiating.

The share of attacks in which data was encrypted fell from 76% in 2022 to 70% in 2023, and 32% of those encryption incidents also involved data theft.

Now for the bad news:

Almost all victims report that attackers attempted to compromise their backups as part of the attack. When attackers target backups, they succeed 57% of the time. Unsurprisingly, negotiating leverage shrinks when backups are compromised, which is reflected in the numbers: victims with compromised backups paid ransoms more than six times higher than those whose backups survived, an average of $2.3 million versus $1 million.

What does recovery from these attacks cost? That figure also rose significantly, from $1.82 million in 2022 to $2.73 million. The time needed to fully recover has increased as well, with 34% of victims taking more than a month to recover, up from 24% in 2022.

Targeted industries, regional impacts

When it comes to sectors attacked, the federal government recorded the highest attack rate of any industry: 68% experienced an attack. Meanwhile, 34% of state and local governments reported a ransomware attack. In retail the figure is 45%.

Otherwise, ransomware attacks occurred relatively evenly across all industries: in 11 of the 15 sectors examined by Sophos, between 60% and 69% of companies were affected. Healthcare was one of five sectors to report an increase in attack rate, from 60% to 67% last year. IT, telecommunications and technology no longer have the lowest attack rate: 55% of organizations were hit last year, an increase from 50% in 2023. The education sector no longer reports the two highest attack rates, at 66% (higher education) and 63% (lower education) this year compared to 79% and 80% last year.

When it comes to regional differences, 74% of organizations in France reported being affected by a ransomware attack, followed by South Africa (69%) and Italy (68%). The lowest attack rates were reported by respondents in Brazil (44%), Japan (51%) and Australia (54%).

Attack vectors leading to ransomware

The most common initial access vectors leading to ransomware attacks mirror the findings of other reports over the years: software vulnerabilities, compromised credentials and phishing emails. The breakdown is exploited vulnerabilities (32%), compromised credentials (29%) and email (23%).

Also notable is that organizations where the attack began with an exploited vulnerability suffered the worst damage and consequences: a higher rate of compromised backups (75%), data encryption (67%) and propensity to pay a ransom (71%) compared to attacks that started with compromised credentials. These organizations also reported greater financial and operational losses when an exploited vulnerability was the initial entry point: the average recovery cost was $3.58 million, compared to $2.58 million when an attack began with compromised credentials, and a larger proportion of these organizations required more than a month to recover.

“Risk management is at the heart of our work as defenders. The two most common causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable but still pose a problem for too many organizations. Organizations must critically assess their exposure to these attacks,” Shier said. “In a defensive environment where resources are scarce, it is time for companies to impose costs on attackers. Only by raising the bar for network penetration can companies hope to maximize their defense spending.”