State of Ransomware 2023

security-4038164_1920

I love this time of year. Whilst most people are thinking about summer holidays and time off work, instead I’m eagerly anticipating the result from the Sophos State of Ransomware Report for 2023. Perhaps I’m a little unusual in that regard, but nevertheless the report is a veritable treasure-trove of information that gives us a unique perspective on the current cybersecurity landscape and glimpse into the murky underworld of the cybercriminal. If you aren’t familiar with the report, you might be wondering what the format is and what the statistics tell us. If you’re interested, you’re invited to read on.

Let’s begin with the headline statistic – of the 3,000 organisations worldwide that were randomly selected and participated this year, 66% of them experienced at least one ransomware incident in the 12 months preceding the survey. Allow that to settle in, two in three organisations had ransomware, as if that number wasn’t shocking enough, it’s a mirror of the results last year that tell us, perhaps unsurprisingly, that ransomware is, and continues to be a significant challenge for organisations across the globe. What is also rather concerning is that of those attacks, in 76% of cases, the criminals managed to encrypt at least some of the target data. I should probably emphasise at this point, that the respondents were selected at random and are most likely not current Sophos customers. Needless to say, this tells us that the security measures and ransomware protection these organisations were pinning their hopes on have sadly let them down. The final two stats (for now) are that 46% of the victims elected to pay the ransom and place their faith in the honesty of crooks and that the average cost of a ransomware incident is now an eye-watering $1.82 million.

Thanks to the very public disagreement within the Conti ransomware group with regards to their cyber-support of the Russian invasion of Ukraine and the subsequent data leaks we already know that the criminal gangs are highly organised and structured groups that are a far cry from the images the media images that portray hoodie-toting teenagers hiding out in their mother’s basement. It is clear that these groups have a wealth of resources, both fiscal and human and that these are deployed tactically to maximum effect. One of the interesting insights that the State of Ransomware Report gives us, is who the cybercriminals target, and from that we can infer a lot about their motivations and methodologies. Not all sectors suffer equally, and those that are hit hardest are perceived by the cybercriminals to be the softest targets and / or the most likely to pay. Conversely, the sectors that are seen to be more strongly defended or exhibit a lower propensity to pay are typically avoid the attentions of the criminal gangs, after all, in the main, the groups are motivated by return on investment decisions that are not dissimilar to the processes a legitimate business would go through.

To illustrate the variances and disparities that exist, the sectors that experience the most incidents of ransomware are the upper and lower education sectors, 80% of respondents in these sectors experienced a ransomware incident. At the opposite end of the spectrum, 50% of the respondents in the communications and high technology sectors had a similar incident. The fact that high technology invests the most in cybersecurity whilst education is typically under-funded goes a long way to explaining the disparity. Interestingly, organisation size when expressed by head count has little to no correlation with the likelihood of attack, but an organisation’s turnover has a distinct link.

ransomware report

A common question that inevitably comes up whenever I discuss these statistics is ‘how much will the bad guys demand and should I pay them?’. In a somewhat cynical manner, the cybercriminals will already have worked out exactly what their victim’s ability to pay is and will target their ransom accordingly. Setting a demand that’s too high will turn a victim away, conversely, they do not want to leave money on the table with a demand that is too low, its something the criminals have down to a fine art. Should you pay – well that’s not an easy question to answer. Of course, in an ideal world you shouldn’t pay the ransom demand, after all you are effectively perpetuating the problem by encouraging the trade. Victims often don’t get a fair deal by paying, there are some outlying groups who have no intention of restoring aces to your data, whereas other gangs might want to try, but their decryption tools are not fully tested. These decisions are perhaps a little less clear cut when we move from the theoretical to the reality of a hospital in which doctors cannot access patient records or a factory that is idle due to the corruption of data. What is certain is that paying up isn’t a quick win, with organisations who elect to pay typically experiencing longer recovery times and as much as double the overall cost of an incident when compared to restoring from a back up.

Analysis of this data within the State of Ransomware is an interesting academic exercise in its own right, but there is much we can learn that can be turned into practical ways to better defend ourselves. 

ransomware report

The first thing we can glean is that email is a popular attack route for the criminals which encompasses about 30% of attacks with a little rounding. Essentially as we get better at defending our estates technically, social engineering is becoming an increasingly important part of the cybercriminal arsenal. Much can be done in educating users in spotting phishing attacks and also not oversharing data online that can, and is, exploited by the gangs to create ever more timely and compelling phishing campaigns.

The other elements are more technology-based problems, for example using compromised credentials or exploiting a vulnerable system. Although there are technical mitigations exist in some scenarios, this too is, at its heart a human problem. Cybercrime tactics continue to evolve and a common approach is to utilise existing and legitimate software with in victim’s environment in a technique known euphemistically as ‘living off the land’. Intrusions of this nature are incredibly hard for technology alone to combat and often renders endpoint protection trapped in an ineffectual cycle of being unable to determine if the actions are those of a legitimate administrator or nefarious third party. In essence, the tech lacks the ability to apply context and intuition to these events, in a way that is second nature to skilled human threat hunters. The solution is to employ these experts to investigate suspicious events and respond according when the need arises.

Cybercriminals have become much more coordinated and act collaboratively to meet their goals. Perhaps the greatest defence that we have is to also similarly pool resources using Managed Detection and Response services to concentrate threat hunting skills and deliver better cybersecurity outcomes to all users by learning from one incident and applying that knowledge to all subscribers. At Sophos we have built a sophisticated process so that when an investigation is conducted in one organisation, the findings become baked into our protection solutions within mere minutes, even when that telemetry may have come from another vendor’s cybersecurity product.

The cybercrime war will continue to rage on, and our best hope is to work collectively within the MDR framework, to ensure that there are more of us doing good things than there are bad actors intent on harm.

Jon Hope – Senior Technology Evangelist, Sophos

Jon will be speaking in more detail about the State of Ransomware 2023 report at our online Optimise event on 19th September. Jon will also be on hand to answer any of your questions after the webinar.

Register for your place at this and one of our other webinars from our cyber security partners here

In this post

    You may be interested in

    Businesses are losing money and jeopardising security to IT sprawl and quick fixes, says Espria

    IT Leaders must take action on unchecked technology sprawl and shadow IT that are draining budgets, increasing cyber risks, and complicating their digital environment. According to a recent study, budgets towards insider risk management have doubled in the past 12 months, with 81% of business leaders looking to secure their internal business infrastructure as geopolitical tensions escalate and remote workforces become the norm. ‘Digital transformation ushered in new possibilities and solutions for computing, but it also introduced a potential for sprawl that burdens IT teams everywhere,’ said Brian Sibley, Virtual CTO at Espria. ‘When faced…

    Read the article

    Espria launches Espria Connect, enhancing Microsoft Teams with Advanced Unified Communications

    The new product, Espria Connect, isn’t just another telephony solution. It’s a game-changer, offering a cost-effective, scalable, and secure telephony solution for SMBs, mid-market and enterprise customers. Combining the power of Microsoft Teams with Cloud-Based Unified Communications, Espria, the leading managed services provider, is excited to introduce Espria Connect. This powerful solution streamlines business communication infrastructure and addresses the growing demand for a unified communication solution that supports hybrid work environments. Designed for businesses of all sizes, Espria Connect allows users to manage voicemail, make and receive calls, and access a diverse range of other…

    Read the article

    Reimagining education: How AI is changing the way we teach, learn, and collaborate in schools

    Technology has long been used by educators to support teaching and operations, facilitating staff with a wide range of platforms and resources. A particular tool that has sparked both controversy and curiosity is the inclusion of artificial intelligence (AI). A study by BCS, the Chartered Institute for IT, found that most teachers are reluctant to use AI for pupil learning with 84% of educators not changing the way they assess their students’ work. This comes after Ofsted recently launched an independent review on the use of AI in schools and how to develop the understanding of…

    Read the article

    Espria launches CSP renewal assessment service

    Leading managed service provider launches new service to address the costs associated with software sprawl, helping to drive down OpEx as businesses increasingly feel the financial squeeze. Espria, a leading digital solutions provider, has launched a free M365 Licence Assessment programme to help businesses save costs by reviewing existing licence estates and identifying those licences not in use or no longer being utilised. With Microsoft recently changing how they sell and structure licenses, businesses must now reassess their current M365 licenses, looking for ways to reduce costs and keep the capabilities they need as they…

    Read the article

    Your guide to leveraging NCE pricing to get the best value

    Renewing your Microsoft Licensing Agreement is an opportunity to align your IT strategy with your business goals. It allows you to take advantage of the latest technologies, optimise costs, and ensure compliance with industry standards. While this might seem straightforward at first glance, to achieve the best value and biggest discounts, it’s often more complex than it appears and navigating the renewalprocess requires careful planning. In this Blog we will walk through what you need to know about the new Microsoft Licensing rules,when to get the best value from your renewal, and how to review…

    Read the article

    Loving your customers with AI, cybersecurity and peace of mind with MSP support

    2024 has marked a massive shift for SME IT needs, as creating an appropriate and optimised business strategy has become an increasingly difficult challenge for business owners and IT operators nationwide.

    Read the article