Data encryption from ransomware at 4 year high: Sophos’ Annual State of Ransomware reveals
Paying the ransom doubles recovery costs Rate of Ransomware Attacks Remains Steady, with 66% of Organizations. Surveyed Reporting They Were a Victim of Ransomware.
Sophos, a global leader in innovating and delivering cybersecurity as a service, today released its annual “State of Ransomware 2023” report, which found that in 76% of ransomware attacks against surveyed organizations, adversaries succeeded in encrypting data. This is the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020.
The survey also shows that when organizations paid a ransom to get their data decrypted, they ended up additionally doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back). Moreover, paying the ransom usually meant longer recovery times, with 45% of those organizations that used backups recovering within a week, compared to 39% of those that paid the ransom.
Overall, 66% of the organizations surveyed were attacked by ransomware—the same percentage as the previous year. This suggests that the rate of ransomware attacks has remained steady, despite any perceived reduction in attacks.
“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes," said Chester Wisniewski, field CTO, Sophos.
“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” said Wisniewski.
When analyzing the root cause of ransomware attacks, the most common was an exploited vulnerability (involved in 36% of cases), followed by compromised credentials (involved in 29% of cases). This is in line with recent, in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders.
Additional key findings from the report include:
In 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace
The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed reporting that they were victims of ransomware
Overall, 46% of organizations surveyed that had their data encrypted paid the ransom. However, larger organizations were far more likely to pay. In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments
“With two thirds of organizations reporting that they have been victimized by ransomware criminals for the second year in a row, we’ve likely reached a plateau. The key to lowering this number is to work to aggressively lower both time to detect and time to respond. Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24x7 to mount an effective defense these days,” said Wisniewski.
“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery,” said Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology. “One way to boost security, which is aligned with Sophos’ findings in the report, is to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, a framework of 48 safeguards based on the CIS IG1 Controls. It’s past time for the private and public sector to band together and collectively fight ransomware, which is why we are excited to work with cybersecurity providers like Sophos.”
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
Strengthen defensive shields with:
Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations
Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.
Read the State of Ransomware 2023 report for global findings and data by sector.
Learn more about:
Attacker behaviors, techniques and tactics in the 2023 Active Adversary Report for Business Leaders, based on analysis of Sophos incident response cases
IT and cybersecurity leaders’ top challenges and priorities in “The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders”
Different ransomware threat actors, their TTPs and Sophos’ latest ransomware research in the Ransomware Threat Intelligence Center
The threat landscape and trends likely to impact cybersecurity in the 2023 Threat Report
Sophos X-Ops and its groundbreaking threat research by subscribing to the Sophos X-Ops blogs
Sophos is a worldwide leader and innovator of advanced cybersecurity solutions, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies that help organizations defeat cyberattacks. As one of the largest pure-play cybersecurity providers, Sophos defends more than 500,000 organizations and more than 100 million users globally from active adversaries, ransomware, phishing, malware, and more.
Sophos’ services and products connect through its cloud-based Sophos Central management console and are powered by Sophos X-Ops, the company’s cross-domain threat intelligence unit. Sophos X-Ops intelligence optimizes the entire Sophos Adaptive Cybersecurity Ecosystem, which includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity and information technology vendors. Sophos provides cybersecurity-as-a-service to organizations needing fully-managed, turnkey security solutions. Customers can also manage their cybersecurity directly with Sophos’ security operations platform or use a hybrid approach by supplementing their in-house teams with Sophos’ services, including threat hunting and remediation. Sophos sells through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K.
More information is available at www.sophos.com.