Edwin Weijdema, Field CTO EMEA and Lead Cybersecurity Technologist at Veeam, asks where the fight against ransomware stands and who is winning.
Ransomware emerged as the primary weapon of cybercriminals in 2020. Since then, it has been at the top of the global security agenda, plaguing businesses, public services and individuals. Organizations have had to rapidly change their cybersecurity, data protection and disaster recovery strategies to adapt to this new pandemic. But is it making a difference? Three years later, ransomware and cyber resilience remain the number one priority for most security teams. The headlines about high-profile ransomware victims keep coming. Is the end in sight? What has changed since 2020 and what still needs to happen to definitively close the ransomware loop?
Answering this first big question is not easy. For example, data suggests that the global number of ransomware attacks decreased significantly in 2022 (after doubling in 2021). Analysis from blockchain firm Chainalysis reports that the total value of ransomware payments made in 2022 also decreased significantly. Both are positive signs that ransomware is slowing down globally.
Let’s take stock of ransomware
However, the Veeam Data Protection Trends Report 2023 and Ransomware Trends Report 2023, both large-scale surveys of impartial organizations across EMEA, the Americas and APJ, paint a different picture. The first found that 85% of organizations have suffered at least one cyber attack in the past year (an increase of 9% from the previous year). The ransomware report, which exclusively surveyed companies that suffered an attack, found that a shocking 80% of companies paid a ransom to recover their data. Other industry surveys generally show similar results. So why is there a disconnect between global total numbers and what most individual companies are saying?
The results of the surveys
While targeted surveys can give us a valuable check on the temperature of a certain region or sector, overall global numbers are difficult to pin down. Of course, size is an important factor. But when it comes to ransomware, there can be a reluctance to admit you’ve suffered a data breach. Additionally, some insurance policies prevent companies from doing so. Tracing cryptocurrency payments is also not an exact science, since many addresses have not been identified on the blockchain and are therefore absent from the global data.
In some regions, such as EMEA, we are seeing more openness to sharing when it comes to ransomware, as leaders recognize that collaboration and information sharing can help advance the security sector and jointly build greater resilience.
What has changed?
So, in the midst of all this greyness, what has permanently changed? Of course, threats are constantly evolving and becoming more sophisticated. But this is a fundamental aspect of cybersecurity. Protection efforts and resilience improve hand in hand, and the cat-and-mouse game continues. In the specific case of ransomware, we have seen that attitudes towards payment demands continue to fluctuate.
Two years ago, one of the largest ransomware payments ever made was paid simply to “prevent any potential risk.” Since then, education across the industry about how unreliable, unethical and inappropriate this strategy is has improved. But two flies have landed in the ointment, making it much more difficult to permanently eliminate ransomware payments.
Fight against ransomware: the cyber insurance sector
One of these is cyber insurance. This is an industry that has changed dramatically since the rise of ransomware and remains highly volatile today. Cyber insurance isn’t a bad thing, of course, as it offers companies financial resilience against an almost certain threat. However, it has also provided organizations with a means to pay ransom demands. The Veeam Ransomware Trends Report 2023 found that 77% of respondents who paid ransoms did so with insurance money. Rising premiums could stop this, as could the growing number of policies that specifically exclude ransomware from their coverage.
An important factor
Perhaps the most important factor, and the reason why companies feel they have no choice but to pay ransoms, is that attacks increasingly target backup archives. Recent reports revealed that cybercriminals have managed to target backup archives in three out of four attacks. If companies have no other offsite copies of this data or are simply unable to recover quickly enough, the board of directors may be tempted to give in to the demands. While company leaders want to do the right thing from a security perspective, ultimately their main priority is to keep the company running.
What remains to be done?
What needs to change to tip the scales against ransomware and to start seeing attacks and payments decrease permanently? It’s still about training and preparation, particularly for those who are not part of security and backup teams. This includes dispelling myths about what happens before and after a ransomware attack. For example, encryption doesn’t happen as soon as an employee clicks on a malicious phishing link: months or even a year can pass between a system being breached, data being locked, and a ransom being demanded.
Ransomware, where is the fight and who is winning
Likewise, decryption doesn’t happen the moment a ransom is paid either: leaving aside the fact that around a quarter of companies pay a ransom but fail to recover their data, even in the best-case scenario decryption and recovery can be incredibly slow. This is part of the business model, as most ransomware groups offer the option to purchase additional decryption keys on top of the ransom cost to speed up the process!
Always ready to react
Understanding the beast is the first step in being prepared to respond. A ransomware recovery plan should include three phases:
Preparation. Plan your recovery and make sure you have reliable backups (at least following the 3-2-1 rule). Then have a disaster recovery site set up and ready to go, and ramp up training and drills to ensure the company and organization are prepared.
Response. Follow a predefined and tested incident response process, identify and contain the breach, and analyze backups to ensure they are not contaminated.
Restoration. Recover the environment without reintroducing malware or infected data into the production environment during restoration and business recovery.
In conclusion, although there is a certain degree of uncertainty about the state of the global fight against ransomware, what is not in doubt is that ransomware attacks remain an unavoidable eventuality for most businesses. This does not mean that there is no hope against these cyber criminals. However, it is important to understand that if companies are prepared and plan their recovery well, they can reach a point of 100% resilience against ransomware. This doesn’t mean that such attacks will have no impact on your business, but that you can recover quickly and say “no” to ransomware demands.