The volume of ransomware attacks is dropping - but it’s no time to get complacent

07 August 2023

Joseph Carson, chief security scientist and advisory CISO, Delinea

Ransomware has developed a reputation as one of the most feared and high impact cyber threats in recent years, and opportunistic criminal gangs will seize on any available opportunities to extort vast sums from their victims.

Recent research conducted by Delinea, however, found that the number of ransomware attacks may be on the wane. Just 25% of respondents stated they had been the victim of ransomware in the last 12 months, a sharp decrease from the year before.

Although victims are still more likely to pay up, in the hopes of a speedy resolution, we found a sharp drop from 82% to 68% year-on-year. The IT/technology sector, as the industry that suffered the most incidents, was more likely to pay out than most but still saw a decline, dropping from 82% to 77%.

While it may seem like cause for celebration, don’t break out the champagne just yet: ransomware still poses a genuine threat. Ransomware gangs have shifted their geographic focus, targeting victims with fewer defences or less capability to fight back, such as those in Central and South America.

Are attitudes to ransomware risks shifting?

Threat groups are constantly looking for more advanced techniques to achieve their goals. We now frequently see encryption paired with exfiltration for double extortion attacks where attackers threaten to publicly leak stolen data to squeeze more money out of their victims.

As a result, ransomware attacks tend to hit harder and cost more. Research from Unit 42 found that payment amounts in the first five months of 2022 were roughly 71% higher than in the year before, to which remediation, downtime, and reputational harm costs should also be added.

Nevertheless, we found signs that indicate firms are becoming complacent about the threat. In 2021, 94% of organisations told us they had an incident response plan in place, but in 2022 that figure dropped to 71% and there was also a steep decline in businesses budgeting specifically for ransomware protection.

Only slightly more than half of respondents were regularly backing up data and updating systems despite the fact these should be security mainstays. A similar number implemented multi-factor authentication (MFA) as a ransomware precaution, while other identity-based measures saw a steady decrease.

Why are more businesses standing firm against ransomware demands?

It appears that some companies have been opting to invest in cyber insurance as a means of transferring the risk of ransomware, rather than addressing it directly, a trend evident in our previous research on cyber insurance. Although this is a tempting route, cyber insurance should not be seen as an alternative to appropriate security measures, but only as an additional safety net against such a high impact threat.

Moreover, investing in cyber insurance, in lieu of meeting criminal demands, is a risky strategy. Cyber insurance coverage is in a state of flux as the industry attempts to get to grips with the threat. There is a good chance that a policy won’t cover all the losses from a ransomware attack, or perhaps won’t pay out at all, especially if insurers realise that firms are neglecting to invest in solid cybersecurity defences.

A sense of moral and legal obligation seems to be another contributing factor to the decrease in payments. The security industry has long advised against paying up, as each payment funds the criminal gangs, encouraging and facilitating further attacks. Government bodies like the NCSC have increasingly amplified this message in recent times. In contrast, we found a decline in support for making ransomware payments illegal.

Taking the opportunity to get ahead of ransomware

The best reason to stand firm against an extortion attempt is that the firm has a robust security strategy to minimise the damages, including a strong recovery and remediation plan hinging on reliable data backups, and is confident it can deal with the incident itself, preventing it from becoming a disaster.

Unsurprisingly though, most firms increased their security spending after suffering an attack. When an incident can cost millions of pounds and cause severe reputational damage, this can very much be a case of closing the stable door after the horse has bolted.

Although the decline in the volume of attacks is a positive trend, it is important for organisations to be proactive and keep ahead of the ransomware threat. Ransomware gangs are using this time to improve their code and port it over to modern languages, so the next wave of ransomware variants is likely to be more damaging.

Firms should aim to reduce the chances of an attacker infiltrating their systems by improving their identity security, particularly when it comes to privileged access.

Most attacks rely on hijacking privileged accounts to infiltrate the network and find the most valuable assets to steal and encrypt. Identifying and securing these accounts with privileged access management that follows both a zero trust strategy and a least privilege approach will go a long way towards hardening defences, reducing the threat posed by a compromised account. Taking the opportunity to strengthen identity security and prepare a reliable recovery plan now will ensure a business can act swiftly and confidently when an attack does come its way.