Ransomware payments: Ever present or on the decline?

The ransomware landscape has changed significantly in 2024. Threat actors are continually refining their techniques and expanding their targets.

While supply chain attacks have grabbed headlines, they’re far from the only weapon in the arsenal of modern cybercriminals. According to a recent Deloitte report, sophisticated ransomware groups increasingly deploy zero-day exploits as a preferred method of access. Over a third of ransomware victims are now breached in this way.

We’ve also seen the emergence of new ransomware variants, like DragonForce. These continue to up the stakes by employing double extortion tactics, which place maximum pressure on victims by exfiltrating sensitive data and threatening to leak it if ransom demands aren’t met.

Further, question marks remain over the potential implications of generative AI platforms and how these will alter the balance between threat actors and defenders on a long-term basis.

Ransom payments are in decline

Behind all of this, there’s a growing conversation about how victims are responding. Specifically, some reports suggest that there are signs that fewer victims are giving in to extortion demands despite ransomware attacks growing in volume and sophistication.

Deloitte estimates that ransomware inflicted over $400 million in damages during the first half of 2023. However, it highlights an “encouraging decline in ransomware payments globally,” particularly in critical sectors like healthcare and financial services.

A June 2024 report from Marsh reinforces this trend. It notes that only 23% of its clients affected by cyber extortion in 2023 chose to pay the ransom, a significant drop from the 37% recorded in 2021.

These figures are undeniably promising. Awareness of the importance of robust security measures has been steadily increasing year upon year. This is driven in part by growing demands from regulators, partners, customers, and insurers, all of whom are pushing for the adoption of stronger cybersecurity practices.

However, Marsh’s report also suggests that there may be other factors at play. For example, it reveals that the median ransom request surged to $20 million in 2023, up from $1.4 million in 2022. This indicates that an increasing refusal to pay might also be due to a greater unwillingness to meet such audacious demands.

In cybersecurity, caution is always advised

In an effort to explore the payments question, Semperis recently surveyed nearly 1,000 IT and security professionals from global organisations across multiple industries in the first half of 2024.

We found that ransomware is very much still rampant. 85% of UK organisations have been hit by attacks in the past 12 months. However, one of the most striking differences in our survey results is the prevalence of ransom payments.

The results contradicted the decline observed in Marsh and Deloitte’s data. Our survey reveals that a significant majority – 78% – of UK companies that suffer a ransomware attack still choose to pay the ransom. Alarmingly, 73% paid multiple times, with 62% having paid a ransom between £200,001 and £480,000.

Despite the variations in reports, one fact remains consistent: ransom payments are still being made, and demands are escalating.

With the stakes higher than ever, it’s vital for enterprises to take proactive measures to protect themselves. Such measures have made some organisations more resilient. However, all three reports acknowledge that a considerable number still feel compelled to meet cybercriminals’ demands, often repeatedly, as the only recourse to recover their business.

Embracing effective, multi-layered ransomware strategies

While technically legal, paying the ransom should never be a strategy that organisations rely on. It fuels the criminal industry and incentivises future attacks. Importantly, our findings also highlight the significant risks involved.

Repeat attacks are common. Paying a ransom does not guarantee that access to your data and systems will be restored. 42% of UK organisations (35% globally) that paid a ransom either never received decryption keys or were unable to recover their files and assets.

Moreover, even those that do regain access often suffer long-term collateral damage. This can include reputational harm, financial loss, and the erosion of trust among customers and partners.

For this reason, firms must prioritise strengthening their defences and establish robust, regularly updated backups. By doing so, they can effectively combat, respond to, and recover from ransomware attacks without cooperating with threat actors.

At present, the recovery aspect is all too often overlooked, and that’s a major problem.

A shift in mindset is needed. Every firm must recognise that even the most robust organisations will fall victim to cyber-crime. Therefore, every organisation must assume that a breach is imminent.

In taking this stance, the need for a well-developed, tested recovery plan that will ensure the rapid restoration of business operations will naturally become essential. But what exactly does such a plan look like?

The importance of Active Directory

At its core, a comprehensive recovery strategy must prioritise Active Directory (AD).

AD is the central pillar of business operations, serving as the identity platform for most organisations. Cybercriminals know this all too well, which is why gaining control of AD is their primary aspiration. If attackers compromise AD, they can gain access to everything within the organisation. Conversely, if AD becomes unavailable, it will paralyse an enterprise’s entire infrastructure and applications, halting business operations.

Given the stakes, organisations need a dedicated system for backing up Active Directory to ensure they can recover from attacks with integrity and speed. However, our survey found that only 23% of UK respondents currently have a dedicated, AD-specific backup system.

This isn’t to suggest that firms aren’t prioritising cybersecurity. Rather, many are not using their limited resources to protect their most critical assets properly. Yes, endpoint protection is important. However, it’s crucial to acknowledge that determined attackers may eventually find ways to bypass this first line of defence.

For this reason, firms must strike a more balanced approach. Modern threats require modernised defences, and for most organisations that begins with protecting the identity platform – Active Directory.
