By John E. Dunn
The 2023 Sophos State of Ransomware report found that while the number of ransomware attacks stabilized, larger victims are paying more than ever. Are they simply getting used to paying up?
Ask CISOs which cyberthreat they worry about on a day-to-day-basis and the first name on most lists will be ransomware.
It’s been like this for a while and judging from the recently published 2023 Sophos State of Ransomware report, there is no sign that the phenomenon is going to relent any time soon.
A virtue of the Sophos study is that it is vendor agnostic and draws on interviews with 3,000 global IT leaders. One thing the world has learned from ransomware in the last decade is that it isn’t fussy – it will attack anyone and everyone. Understanding it means drawing data from as many sources as possible.
The first finding of the report is that ransomware was a bit of a monster during 2022, with 66% of interviewees saying they’d experienced an incident during the year. On the other hand, this percentage was identical to the previous year, which means the volume of attacks stabilized, albeit at a high level.
This is still much higher than it was before the pandemic. A likely explanation for this is the ascent of ransomware-as-a-service platforms (RaaS). A criminal version of the cloud model lauded in enterprises, RaaS is especially good at automating the potentially complex initial phase of an attack, the part where attackers find a way behind the victim’s defences.
How Attackers Get In – It’s Not All Phishing
Where it could be identified, the two biggest root causes of attacks were exploited vulnerabilities (misconfigurations as well as software flaws) in 36% of incidents, and compromised credentials in 29%. However, a further 18% cited malicious emails as the cause and 13% phishing attacks. The latter two sound suspiciously like different ways of experiencing the same thing, which suggests that the defenders simply weren’t sure where the attack originated but assumed it was via email.
The takeaway here is that in many attacks it was the weaknesses the defenders couldn’t see – compromised credentials and vulnerable systems – that gave the attackers a foothold. Traditional email and phishing attacks are still important but addressing phishing alone is not going to repel ransomware.
What Attackers Do – Encryption Is Still Big
It’s no secret that ransomware has turned from a crime primarily based on encrypting files to one focused more on stealing and threatening to publish them in a tactic known as double extortion. However, according to Sophos, encryption is still a big part of ransomware, with 76% of attacks leading to this outcome. In another 21% of attacks, encryption was attempted but stopped, and only 3% were reported in which no encryption was attempted at all.
The low point for encryption was 2021, when the success rate was only 54%; since then it has made a comeback. What this rise suggests is that once ransomware gets to the point of encrypting files today, it is incredibly hard to stop. Some types of ransomware are much faster to encrypt than others, however, with testing by Splunk in 2022 finding that the fastest, LockBit, managed an encryption rate of 25,000 files per minute.
Depressingly, the most likely explanation for different encryption speeds is that some variants can multi-thread their encryption routines, taking advantage of more powerful microprocessors and faster SSDs in servers. This is logical but mildly ironic – as underlying datacenter and server hardware improves, so does the speed at which ransomware can encrypt data.
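The speed figures above cut both ways: an encryptor that rewrites thousands of files a minute is also a process that touches files at a rate no ordinary user or backup agent sustains, which is exactly what a rate-based detector can key on. The following is an added example written for this article, not code from Sophos, Splunk or the author. It assumes a simple constructed file-activity log format (timestamp, pid, process name, operation, path), constructed process names, and an illustrative threshold of 500 distinct files modified per process within any 60-second window, far below LockBit's measured rate but above normal user-driven activity.

```python
"""Rate-based detector for mass file modification by a single process.

Added example for this article (not Sophos', Splunk's or the author's code).
The log line format, process names and the 500-files-per-minute threshold are
assumptions chosen for illustration, not values from any product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   <ISO-8601 timestamp> pid=<n> proc=<name> op=<write|rename> path=<file>


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.strip().split()
    if len(parts) < 5:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            event[key] = value
        event["pid"] = int(event["pid"])
        return event if "proc" in event and "path" in event else None
    except (ValueError, KeyError):
        return None


def detect_bursts(lines, window_seconds=60, threshold=500):
    """Flag each (pid, proc) whose count of *distinct* files modified inside a
    sliding time window exceeds the threshold. Returns one alert per process,
    raised at the first event that crosses the line."""
    window = timedelta(seconds=window_seconds)
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)          # key -> deque of (ts, path) inside window
    in_window = defaultdict(dict)        # key -> {path: occurrences inside window}
    alerts, alerted = [], set()

    for ev in events:
        key = (ev["pid"], ev["proc"])
        q, paths = recent[key], in_window[key]
        q.append((ev["ts"], ev["path"]))
        paths[ev["path"]] = paths.get(ev["path"], 0) + 1
        # Expire events that fell out of the window for this process.
        while q and ev["ts"] - q[0][0] > window:
            _, old_path = q.popleft()
            paths[old_path] -= 1
            if paths[old_path] == 0:
                del paths[old_path]
        if len(paths) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "proc": ev["proc"],
                "pid": ev["pid"],
                "when": ev["ts"].isoformat(),
                "distinct_files": len(paths),
                "files_per_minute": round(len(paths) * 60 / window_seconds),
            })
    return alerts


def build_sample_log():
    """Constructed sample log: a benign backup agent plus a burst of renames
    to a new extension, the pattern mass encryption leaves behind."""
    base = datetime(2023, 5, 10, 9, 0, 0)
    lines = []
    # Benign: 30 files written over 10 minutes (one every 20 seconds).
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} pid=412 proc=backup-agent op=write "
                     f"path=/srv/share/report_{i}.docx")
    # Suspicious: 600 distinct files renamed within 30 seconds (~1,200/min).
    for i in range(600):
        ts = base + timedelta(seconds=120 + i * 0.05)
        lines.append(f"{ts.isoformat()} pid=9912 proc=wupdater.exe op=rename "
                     f"path=/srv/share/invoice_{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The detector counts distinct paths rather than raw write events so that a process repeatedly flushing one large file does not trip it, and it sorts events by timestamp because real collectors rarely deliver them in order. On this constructed log the backup agent never holds more than four files in any one-minute window, while the renaming process crosses the threshold on its 501st file, about 25 seconds into its burst. A threshold tuned from the baseline of your own file servers replaces the illustrative 500.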
What Happens Next – Does Cyber-Insurance Make a Difference?
On the other hand, 97% of victims eventually got their data back, encryption or not. In 70% of cases, backups were used to reinstate data, with 45% paying a ransom. The fact that this adds up to more than 100% shows that some organizations must be using both backups and ransoms to reinstate encrypted data.
Generally speaking, larger organizations were more likely to pay ransoms than smaller ones. Sophos reasons that this is probably operational:
“Larger revenue organizations typically have complex IT infrastructures which may make it harder for them to use backups to recover data in a timely fashion. They are also the businesses most able to buy their way out of such situations.”
The effect of cyber insurance on behavior was more intriguing. Not surprisingly, organizations with some form of cyber insurance were much more inclined to pay ransoms than those without it, by 58% to 15%. At the same time, 98% of those with a policy got their data back as against 84% without. Perhaps this is to be expected: cyber insurance policies always require robust backup routines as a condition of insurance, something which improves ransomware outcomes. Or you could argue that those who didn’t buy cyber insurance were making the bet that they could do other things with the money paid in premiums, for example investing in more advanced backup systems.
Ransoms And Recovery – Ransomware Inflation Is a Thing
While the inclination to pay is in line with the previous year, the sums being demanded have nearly doubled in the 2023 survey to $1,542,333. Most of this is down to the ransom segment between $1 million and $5 million, which accounted for 27% of all ransom sums. Meanwhile, the number of very large payments above $5 million has also spiked to 13% of the total demanded.
As to how long it took to recover, the most frequent answer was up to a week, at 38%, with a further 29% saying it took them up to a month. But looking at average recovery times might be to miss the point, with 18% saying it took them up to three months. The lesson here is that ransomware recovery is not simply about paying a ransom or relying on backups. Recovering at all can sometimes be a long and difficult process regardless of payments.
Does this research tell us anything new? Sometimes that can be a hard question to answer on a year-to-year basis. The drawback of any report is it spots trends while missing the innovations that might turn out to be significant. It’s the effect of averaging anything – you see the bigger picture in an industry where less noticeable innovations sometimes turn out to hold the key to the future.
To speculate, it could be that while no organization wants to experience ransomware, larger businesses are now resigned to treating attacks as another commercial cost. And yet, arguably, the issue of ransomware might no longer simply be about what it costs, who pays ransoms, and how long it takes for businesses to reinstate themselves after an incident.
That’s too narrow and too corporate a lens for such an important matter. In many of the successful attacks mentioned in the report, data was lost, some of it personally identifiable information (PII). This data can never be recovered and is now building up on the fringes and darker recesses of the internet. The consequences of this could live on for years or decades in ways nobody yet understands. If what’s unfolding here is the normalization of data breaches, that might turn out to be a mistake with major long-term consequences.