A new study from access management firm Delinea finds that the tide may finally be turning in the battle against ransomware, with surveyed organizations reporting a 61% drop in ransomware attacks versus the previous year’s findings.
However, there are numerous reasons to temper optimism over these results. Ransomware attacks surged from an already high pre-pandemic level during the big shift to remote work and cloud-based models, and may just be “normalizing” to what was already a very problematic rate in 2019. The average cost of an attack also remains high, even as the Delinea results show increasing complacency among organizations in keeping vital safety measures in place.
Ransomware attacks down, but costs (and security shortcomings) remain high
The Delinea State of Ransomware Survey Report 2022 surveyed over 300 IT and security decision-makers across the United States from a variety of industries. In 2021, 64% of respondents said that their organizations had experienced ransomware attacks. That number plunged to 25% for the 2022 period. While ransomware attacks dropped for companies of all sizes, smaller companies saw a 7% greater reduction as compared to those with over 100 employees; 56% of larger companies now say that they experienced a ransomware attack in the past year, compared to 13% of the SMEs.
That would initially seem to be cause for celebration. After a strong resurgence that has now lasted for over half a decade, are ransomware attacks finally on the wane? The report cautions that this is probably not the case. There are numerous factors that may be causing this decrease in reported attacks, and they may all be working in tandem to some degree. One is simply that companies are less frequently reporting ransomware attacks, as insurance for them becomes more expensive and harder to obtain.
The study finds that the overall volume of ransomware attacks did decrease in 2022, but by a substantially smaller margin than the self-reported rate of successful attacks. Since that smaller decline does not account for the full drop in reported attacks, the last remaining explanation would be that organizational security is improving and doing a much better job of deflecting attempts. However, Delinea’s survey actually indicates that organizations are relaxing their security posture at worrying rates.
In 2021, 94% of organizations reported having a ransomware incident response plan in place. That number plummeted to 71% in 2022. And while 93% said that they had a discrete ransomware prevention budget in 2021, only 68% did in 2022. Organizations were also 4% more likely to increase their cybersecurity budget in the wake of a successful attack in the past year. And the share that reported taking no action whatsoever to prevent ransomware attacks went up to 9% in 2022, from 1% in 2021.
Delinea also finds that ransomware costs continue to increase. The average payment amount jumped 71% to $1 million in the first half of 2022. Remediation expenses and insurance costs also remain high.
Organizations leaning on backups, password policies in fight against ransomware
Companies do appear to be more confident in their ability to remediate attacks, even if security is slipping somewhat overall. 68% report making payments now, down from 82% in 2021; additionally, no single industry had a payment rate below 72% in that year. And while organizations report a small increase in loss of revenue and lost customers, there were substantial decreases in reported reputational damage and layoffs due to ransomware attacks. An additional 2% of respondents also said that their ransomware attack ultimately had no negative effect whatsoever.
In terms of implementing ransomware defenses, companies are largely sticking with the basic best practices. The leading methods were regular backups, regular system and software updates, strong password policies and implementation of MFA. Far fewer are taking more advanced measures such as implementing application control, disabling macros, or adopting “least privilege” or “zero trust” frameworks. These advanced measures also all plummeted by notable amounts from what was reported in 2021.
Investments in ransomware prevention are also down across the board, from network and cloud security to endpoints and privileged access management. This comes in spite of increasing regulation requiring certain industries to improve their defensive measures.
One final piece of evidence that organizations have simply resigned themselves to paying the ransom demand, hushing up the incident and hoping for the best: support for making ransomware payments illegal plummeted between 2021 and 2022.
Delinea suggests that the findings indicate that elements such as endpoint security and access control are being overlooked, and that a surge in ransomware attacks could be on the horizon as threat actors take advantage of the more relaxed posture organizations appear to be settling into. Organizations that decide to snooze on security should also be prepared for remediation and associated costs to continue increasing in the near future, even if the overall volume of successful incidents continues to trend downward.