This year is turning out to be a stunning year for ransomware news. Law enforcement disrupted the LockBit ransomware group following an international police effort earlier this year, with two arrested in Poland and Ukraine. On May 7, the U.S. Justice Department released a 26-count indictment against a Russian national and an alleged leader of the LockBit organization. The syndicate is estimated to have stolen $120 million from victims globally.
The disruption and arrest of ransomware criminals is good news and a small step in the right direction, though it's unlikely law enforcement will be able to make a meaningful dent in the overall ransomware threat. That battle will be won or lost on how soundly organizations protect their data and systems from such attacks. The Sophos State of Ransomware 2024 report, which analyzes events from 2023, found some additional good news: the number of organizations that reported being hit by ransomware dipped modestly.
In the just-published Sophos study, based on a survey of 5,000 respondents in 14 countries, ransomware attacks let up in 2023. Although 59% of survey respondents were hit by ransomware last year, that represents a 5% decrease from the 66% who were hit in both 2022 and 2021. It is a small win, but with the ransomware scourge, organizations will take the wins they can get.
However, Sophos Field Chief Technology Officer John Shier warns that organizations should not let the dip in ransomware attacks lull them into complacency. "Ransomware attacks are still the most dominant threat today and are fueling the cybercrime economy," Shier said.
That's both accurate and good advice. The average ransom payment increased 500% last year, and those organizations that did pay a ransom paid a median of $2 million. That's up considerably from 2022, when the figure was $400,000. The 2024 report also found that 63% of ransom demands were for $1 million or more, with 30% of demands for over $5 million.
The costs of ransomware
Ransomware gangs are demanding, on average, ransoms of $4.3 million, with a median demand of $2 million, and 63% of demands were for $1 million or higher. It turns out that 76% of victims end up paying less than the initial ransom demand. It pays to negotiate.
The share of attacks that involved data encryption fell from 76% in 2022 to 70% in 2023. In 32% of those encryption incidents, data was also stolen.
Now for the bad news:
Nearly all victims report that attackers attempted to compromise their backups as part of the attack. When attackers do target backups, they succeed 57% of the time. Not surprisingly, when backups are compromised, the victim's ability to negotiate drops, and it shows in the numbers: those with compromised backups paid ransoms more than six times higher than those whose backups were not compromised, the averages being $2.3 million vs. $1 million.
What is the cost to recover from these attacks? That figure is also up considerably, to $2.73 million from $1.82 million in 2022. The time it takes to recover fully also increased significantly, with 34% of victims taking more than a month to recover, compared with 24% in 2022.
Targeted industry sectors, regional impacts
When it came to sectors targeted, the federal government experienced the highest attack rate among all industries, with 68% of respondents experiencing an attack. By contrast, 34% of state and local government respondents reported having experienced a ransomware attack. For retail, that figure is 45%.
Otherwise, ransomware attack rates were relatively consistent across industry sectors, ranging from 60% to 69% of organizations hit in 11 of the 15 sectors Sophos examined. Healthcare was one of five sectors that reported an increase in attack rate over the last year, up from 60% to 67%. IT, telecoms, and technology no longer have the lowest attack rate, with 55% of organizations hit in the last year, an increase from the 50% reported in 2023. The education sector no longer reports the two highest rates of attack, coming in at 66% (higher education) and 63% (lower education) this year vs. 79% and 80%, respectively, last year.
Regarding regional differences, 74% of the organizations in France reported being hit with a ransomware attack. That was followed by South Africa (69%) and Italy (68%). The lowest reported attack rates were by respondents in Brazil (44%), Japan (51%), and Australia (54%).
Vectors of attack that lead to ransomware
The most common initial-access vectors for ransomware attacks mirror the findings of other reports over the years: software vulnerabilities, compromised credentials, and phishing emails. Breaking down the numbers, that comes to exploited vulnerabilities (32%), compromised credentials (29%), and email (23%).
It's also notable that organizations in which the attack began with exploited vulnerabilities endured the worst damage and outcomes: a higher rate of compromised backups (75%), data encryption (67%), and propensity to pay the ransom (71%) compared with attacks that began with compromised credentials. These organizations also reported more significant financial and operational hits than those whose attacks started with compromised credentials: the average recovery cost hit $3.58 million, compared with $2.58 million when an attack started with compromised credentials, and a larger proportion of them took more than a month to recover.
"Managing risk is at the core of what we do as defenders. The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable yet still plague too many organizations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately. In a defensive environment where resources are scarce, it is time for organizations to impose costs on the attackers. Only by raising the bar on what's required to breach networks can organizations hope to maximize their defensive spend," said Shier.