Let’s review Sophos’ annual study of real-world ransomware experiences and discuss what you can learn from it.
Introduction
Sophos has released its study of the real-world ransomware experiences of IT professionals
working at the frontline has revealed an ever more challenging attack environment
together with the growing financial and operational burden ransomware places
on its victims. It also shines new light on the relationship between ransomware
and cyber insurance, and the role that is playing in driving changes to cyber
defenses.
About the Survey
Commissioned research agency Vanson Bourne to conduct an independent,
vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations
(100-5,000 employees) across 31 countries. The survey was conducted during
January and February 2022, and respondents were asked to respond based on their
experiences over the previous year.
Attacks Are Up and Their Complexity and Impact are Increasing
66% of organizations were hit by ransomware in the last year, up from 37% in 2020. This is a 78% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale. This likely also reflects the growing success of the Ransomware-as-a-Service model which significantly extends the reach of ransomware by reducing the skill level required to deploy an attack. [Note: “hit by ransomware” was defined as one or more devices impacted by the attack but not necessarily encrypted.]
Adversaries have also become more successful at encrypting data in their attacks. In 2021, attackers succeeded in encrypting data at 65% of attacks – an increase on the 54% encryption rate reported in 2020. There was, however, a reduction from 7% to 4% in the percentage of victims that experienced an extortion-only attack where data was not encrypted but the organization was held to ransom with the threat of exposing data.
The increase in successful ransomware attacks is part of an increasingly challenging and broader threat environment. Over the last year, 57% experienced an increase in the volume of cyberattacks overall, 59% saw the complexity of attacks increase, and 53% said the impact of attacks had increased. 72% saw an increase in at least one of these areas.
Organizations are Getting Better at Restoring Data After an Attack
As ransomware has become more prevalent, organizations have gotten better at getting at dealing with the aftermath of an attack. Almost all organizations hit by ransomware in the last year (99%) now get some encrypted data back, up slightly from 96% last year.
Backups are the #1 method used to restore data, used by 73% of organizations whose data was encrypted. At the same time, 46% reported that they paid the ransom to restore data. These numbers reflect the fact that many organizations use multiple restoration approaches to maximize the speed and efficacy with which they can get back up and running. Overall, almost half (44%) of the respondents whose organization’s data had been encrypted used multiple methods to restore data.
While paying the ransom almost always gets you some data back, the percentage of data restored after paying has dropped. On average, organizations that paid got back only 61% of their data, down from 65% in 2020. Similarly, only 4% of those that paid the ransom got ALL their data back in 2021, down from 8% in 2020.
Ransomware Has a Major Commercial and Pperational Impact
The ransom sums are just part of the story, and the impact of ransomware ranges much more widely than just the encrypted databases and devices. 90% of those hit by ransomware in the last year said the most significant attack impacted their ability to operate. Furthermore, among private sector organizations, 86% said it caused them to lose business/revenue.
Overall, the average cost to an organization to rectify the impact of the most recent ransomware attack in 2021 was US$1.4M. This welcome drop from US$1.85M in 2020 likely reflects that, as ransomware has become more prevalent, the reputational damage of an attack has lessened. In parallel, insurance providers are better able to guide victims swiftly and effectively through the incident response process, reducing the remediation cost.
It’s worth noting that in many cases the where the ransom is paid, the insurance provider, rather than the victim, foots the bill. We cover this in more detail later in the report.
On average, organizations that suffered attacks in the last year took one month to recover from the most significant attack – a long time for most companies. The slowest recovery was reported by higher education and central/federal government where around two in five took over one month to recover. In contrast, the fastest sectors were manufacturing and production (10% took over one month) and financial services (12% took over one month), likely a result of the high levels of recovery planning and preparation.
Furthermore, some organizations continue to put their faith in ineffective defenses. Of the respondents whose organizations weren’t hit by ransomware in the last year and don’t expect to be hit in the future, 72% are basing this on approaches that don’t stop organizations from being attacked: 57% cited backups and 37% cited cyber insurance as reasons why they don’t anticipate an attack, with some selecting both options. While these elements help you recover from an attack, they don’t prevent it.
Organizations are Unable to Use Their Budgets and Resources Effectively to Stop Ransomware
The survey revealed that simply throwing people and money at the problem is not the solution; instead, you need to invest in the right technology and have the skills and know-how to use it effectively. Without this, your return on investment is low. 64% of those hit by ransomware in the last year say that they have more cybersecurity budget than they need, while a further 24% say they have the right amount of budget. Similarly, 65% of ransomware victims say they have more cybersecurity employees than they need and 23% believe they have the right level of staffing. These findings suggest that many organizations are struggling to deploy their resources effectively to face the accelerating volume and complexity of attacks.
Similarly, the results also indicate that organizations may not realize that they do not have the right skills to stop the latest attack techniques: 58% that were hit by ransomware describe their organization as mostly/completely on top of reviewing logs to identify suspicious signals or activities, and 56% say they are mostly/completely on top of the latest attack tools/methodologies.
Conversely, among the organizations that were not hit by ransomware in the previous year and do not anticipate a future attack, the #1 reason behind this confidence is having trained IT security staff or an internal security operations center (SOC) that is able to stop attacks.
Conclusion
The ransomware challenge facing organizations continues to grow. The proportion of organizations directly impacted by ransomware has almost doubled in twelve months: from just over a third in 2020 to two thirds in 2021. In the face of this near-normalization, organizations have got better at dealing with the aftermath of an attack: virtually everyone now gets some encrypted data back and nearly three quarters are able to use backups to restore data. At the same time, the proportion of encrypted data restored after paying the ransom has dropped, down to 61%, on average. Despite this, there was a near threefold increase in the percentage victims paying ransoms of $1 million or more.
The survey revealed that simply throwing people and money at the problem is not the solution; rather you need to invest in the right technology and have the skills and know-how to use it effectively. Organizations should look to partner with experts that can help them improve the return on their cybersecurity investments and elevate their defenses. Most organizations are choosing to reduce the financial risk associated with an attack by taking cyber insurance. For them, it is reassuring to know that insurers pay some costs in almost all claims. However, it’s getting harder for organizations to secure coverage, which has driven almost all organizations to make changes to their cyber defenses to improve their cyber insurance position.