Is ransomware in retreat as the top threat? - Photo by Google DeepMindUnderstanding risk and exactly which threats are dominant is key to defending the IT estate, but it’s a constantly changing picture. The top threat over recent years has been ransomware. It has been buoyed by the emergence of Ransomware-as-a-Service (RaaS). However, attacks have seemingly been in decline.

The IBM X-Force Threat Intelligence Index 2023 reported a fall from 21% in 2021 to 17% in 2022. Likewise, the Data Security Incident Trends Report 2023 by the UK’s Information Commissioner’s Office (ICO) shows a decline from 739 ransomware incidents reported in 2022 to 667 in 2023.

Ransomware has well and truly been toppled from the top spot but what has replaced it? An Integrity360 survey exploring the principal cybersecurity concerns of IT security decision-makers revealed that over half (55%) regarded data theft as the number one issue. That was followed by phishing (35%), with ransomware coming in third (29%).

What’s more, CIOs (30%) and CTOs (33%) also ranked Advanced Persistent Threats (APTs), which can have national-level implications such as espionage or destruction of infrastructure, as a bigger concern than ransomware or targeted attacks. However, as we shall see, the evolution of ransomware aligns with organisations’ top concerns.

Prevalent attack types

Threat levels are not just a matter of perception. Those views have been corroborated by the types of attacks these personnel have dealt with over the past 12 months. The most common type of attack reported was phishing (46%). It was followed by data theft (27%). APTs and targeted attacks came in fourth place as the most frequent type of cybersecurity incident (20%). Ransomware was in fifth place (15%), making it the least common.

However, this doesn’t mean the ransomware threat has gone away. What’s happened during this period is that ransomware operators have had to adjust their modus operandi. Frustrated by better defences such as endpoint detection and response (EDR) and extended detection and response (XDR), which stop ransomware attacks faster, and more diligent data backup processes, the number of organisations paying out is falling.

In 2019, reports claimed that 76% of victims paid the ransom. It fell to 41% in 2022. The authorities have also actively discouraged payment. The ICO and NCSC recently pointed out that paying a ransom will not reduce any penalty or enforcement action against the breached organisation which is still deemed to have failed to safeguard data adequately.

In response, ransomware groups have been forced to resort to extortion techniques rather than solely encrypting data and demanding a ransom. Extortion sees the exfiltration of data with the threat to publish and effectively renders backups as a defence obsolete. Similarly, triple extortion, whereby the attacker also goes after the target’s customers, is rising.

What’s important to note here is that the objective is no longer encrypting the data and demanding a ransom for its decryption but stealing it and threatening to publish. In effect, ransomware has morphed into data theft. This is corroborated by a recent report that found data theft occurred in approximately 70% of ransomware incidents, up from 40% in 2021.

It brings ransomware back to the top spot again, as data theft was the number one concern of responders to the Integrity360 survey. It’s just that they were not associating it with ransomware per se.

Defending against data theft

Dealing with this latest incarnation of ransomware will, therefore, require a concerted focus on data protection. It will require round-the-clock vigilance to guard sensitive data using monitoring systems and EDR or XDR. Wider security monitoring, containment, and effective incident response are also needed to stop advanced attacks in their tracks.

However, the same Integrity360 survey referenced earlier revealed significant challenges in incident response (IR) capabilities. Insufficient budgets were highlighted as the top challenge by almost a third. It was followed by the complexity of incidents and lack of board-level understanding of IR. The shortage of IR skills, experience, and tools was also seen as a major hurdle.

It’s a complex situation for today’s business. On the one hand, it can’t find the personnel needed to conduct IR. On the other, it is overburdened with a multi-technology cybersecurity stack that is resource-intensive to maintain and manage.

IT environments have become increasingly complex. Many enterprises now employ multi-cloud strategies and multiple security products for different aspects of their security. This leaves security gaps, resulting in unnecessarily underutilised and overlapping tools. The way to rationalise this stack is through deliberate consolidation to reduce the number of tools and vendors in place.

Doing so can confer real benefits by eliminating silos, reducing costs and strengthening the overall security posture. Many areas of cybersecurity are converging into common domains and tools. However, it’s not easy to achieve, which is why the survey found it is the number one thing keeping CIOs awake at night as they wrestle with the problem.

Focusing resources

To solve the issues of budgetary constraints, the need to consolidate the stack and concentrate efforts on data protection, detection, containment, and incident response, many organisations are now looking to pare down the number of vendors they use.

It has seen some look to outsource critical functions such as Detection and Response and IR to a Managed Security Services Provider (MSSP). Outsourcing can give the business access to the latest technology and expertise on-tap 24/7. As a result it can allow them to respond far more swiftly and effectively which can make all the difference when dealing with data theft and other damaging forms of cyber threats.

In summary, businesses need to recognise that the game has changed. Adding more and more products and solutions or implementing cutbacks isn’t the best way to address an evolving threat. Ransomware operators are diversifying and are no longer just chasing big game corporations. They are targeting small and medium-sized businesses, meaning everyone is a target.

Far from becoming less of a threat, ransomware is now focused on data theft. It makes prioritising cybersecurity resources more important than ever in order to protect the organisations’ most prized asset – its data. Because if it follows that data theft is a top concern, then so too is ransomware.

Integrity360Integrity360 is one of Europe’s leading cyber security specialists operating from office locations in Ireland, UK, Bulgaria, Italy, Sweden, Spain, Lithuania, and Ukraine with Four Secure Operation Centres (SOC) located in Dublin, Sofia, Stockholm and Naples.

The group employs approx. 500 cyber security experts and industry professionals and provides a comprehensive range of professional, support and managed cyber security services that help customers identify and assess risk posture, protect against and prevent attack, detect and analyse threats, and respond to and recover from cyber incidents. Working either independently or as an extension of an organisation’s own team, Integrity360 strengthens security postures for SME, mid-market, enterprise, public sector, and non-profit organisations across a wide range of sectors including financial services, insurance, government, healthcare, retail, telecoms and utilities.


Please enter your comment!
Please enter your name here