Almost all aspects of ransomware worsened in 2023 compared to 2022. Noticeably, criminals are increasingly focused on data extraction without necessarily using encryption payloads. The implication is the ransomware threat will continue to increase and evolve in 2024.
This is the only conclusion possible from a survey report published by Delinea. More than 300 US IT and security decision makers in multiple verticals were surveyed, and 2023’s results compared with the previous year’s survey.
The biggest problem with any survey is the degree of subjectivity involved in the analysis, combined with the inevitably small sample, which leaves it scientifically unfounded. At the same time, purely coincidentally, all surveys tend to recommend the publisher’s own products as a solution to the issues raised by the survey. We cannot escape from the reality that surveys are produced primarily for marketing purposes.
For such reasons, SecurityWeek has largely applied its own subjective analysis to the respondent facts surfaced by the survey.
The volume of ransomware attacks is not constant and can be affected by many short-term factors (takedowns, criminal retirements, retooling, etcetera). 2022 showed a reduction, and some commentators suggested that the tide was turning against ransomware. 2023 has demonstrated this was a false dawn, with more than twice the number of victims in 2023 compared to 2022.
Anyone who believes ransomware will go away doesn’t understand the nature of criminality. Extortion has and always will be a primary criminal business plan. The current Delinea report demonstrates that the delivery of extortion can be fine-tuned (the evolution from encryption to data exfiltration), but the purpose remains the same, and the incidence will continue to increase.
The success of this business plan is demonstrated by an increase in the number of victims who have paid the ransom — up from 68% to 76% (and remember that is 76% of a higher number of victims). What cannot be measured is the effect of cyberinsurance on ransomware delivery and response. Some commentators believe that attackers look for victims with cyberinsurance, and the report notes, “One reason for the willingness to pay may be the rise of cyberinsurance.”
Insurance provides a financial safety net, making the decision to pay an easy option. This safety net may also partly explain why security budgets have increased more for ransomware prevention than recovery, something also highlighted by the report. Prevention can lead to lower premiums and may be an insurance condition, while the recovery costs are offset by insurance claims. If this assumption is correct, it helps to explain the increase in ransomware defense budgets coinciding with a decrease in recovery budgets — the latter now comes out of a possibly separate insurance budget.
Delinea’s analysis of ransomware attacks in 2022 and 2023 also demonstrates the basic reactionary problem for cybersecurity practitioners. Victims cannot escape the negative effects of an attack, but the response to those attacks comes only after the attack. For example, reports of lost revenue increased from 56% to 62% and reputational damage increased from 43% to 48% between 2022 and 2023. However, the proportion reporting security budget increases fell from 76% to 61% in the same period — perhaps partly a response to the previous year’s lower attack levels rather than to the current situation.
It is also noticeable that board-level concern is currently high (although sadly there is no comparison with the previous year’s figures). Fifty percent of respondents report that executive leadership always has ransomware as an item on the agenda, while a further 26% say it is a top priority that is frequently discussed. What we can’t tell from the survey is whether this concern is static, increasing or decreasing.
Interestingly, Delinea comments on this: “Executives and Boards are listening but not all are acting.” There are no details to justify this statement. It may well be true, but it is not proven by the survey.
One of the most interesting sections of Delinea’s survey reports on the criminal motivations (in addition, of course, to gaining money). The answers are subjective, but come from people in the trenches of ransomware defense. Data exfiltration has increased from 46% to 64%, while a simple ‘money grab’ has decreased from 69% to 34%. This clearly reflects the criminals’ fine-tuning of the extortion process.
Other motivations include supply chain attacks, up from 44% to 55% (reflecting increasing criminal professionalism in choosing the potentially most rewarding paths); creating chaos (up from 39% to 51%); and geopolitics and activism (up from 26% to 32%).
Overall, Delinea’s State of Ransomware 2024 (PDF) report tells us that ransomware quite closely parallels the overall cybersecurity ecosphere: it’s getting worse. This is perhaps not surprising when ransomware is a tool used by both cybercriminal groups (who are getting more professional and more sophisticated), and nation-state actors (who are becoming more active in an era of extreme geopolitical tensions).