
Organizations Paying Fewer Ransoms, Building Resilience: Kaseya


Fewer companies are paying ransoms, a shift that reflects greater investment in backup and disaster recovery strategies and, likely, a growing understanding that paying a ransom is poor security practice, according to a new report by Kaseya.

About 44% of the IT professionals surveyed by the IT and security management company said their organizations were victims of a ransomware attack over the past year. Of those, 11% paid the ransom. Another 26% refused, according to Kaseya’s Cybersecurity Survey Report 2024.

Chris McKie, vice president of product marketing for networking, security and risk management solutions at Kaseya, said the numbers regarding ransom payments were surprising.

“This was the first time we’ve asked this question,” McKie told MSSP Alert. “However, based on anecdotal evidence, we expected the number to be higher. The response indicates that companies are much more resilient than we expected and more savvy when it comes to handling ransomware demands.”

Another point made in the report was that the impact of ransomware attacks appears to be lessening. Kaseya found that only 7% of those surveyed said they thought such an attack would have an extreme effect on their organization, a drop from last year’s report. In addition, those who expected a minimal impact from ransomware rose from 28% in 2023 to 33% this year.

“Overall, this suggests increased confidence in ransomware preparedness, with more organizations banking on their incident response and recovery plans to ensure less severe consequences if an attack occurs,” the report’s authors wrote.

A Focus on Backup and Recovery

Such numbers reflect a greater understanding by companies of the need for broad and robust security measures, McKie said.

“Part of the increase in spending on backup and recovery stems from the fact that good cybersecurity practices encompass more than protection technologies, such as AV, firewalls, secure email gateways, etc.,” he said. “Strong security results from having tools that increase visibility, and accelerate detection, response and recovery. For this reason, we are seeing spending spread more evenly across these segments, including backup and recovery.”

That was reflected in the actions taken by organizations that were attacked by ransomware and declined to pay the ransom. According to the report, 44% of those companies performed data recovery actions and restored everything from full backups. Another 17% said they reinstalled and reconfigured all of their systems from scratch, while 13% restored a portion of the systems and reinstalled and reconfigured the rest.

The remaining 26% said that no action was needed.

Paying a Ransom a ‘Gamble’

Of those who paid the ransom, 69% said they were able to fully decrypt the data and regain control of it, while 27% were able to decrypt some of it. Only 4% were unable to decrypt their data and lost all of it.

“Paying ransom is a gamble,” McKie said. “You are dealing with criminals; there is no guarantee that if you pay, you will get the keys to unencrypt your locked data. For that reason, it’s better to put money into backup and recovery, as well as detection and response solutions, like EDR [endpoint detection and response] and MDR [managed detection and response].”

Companies attacked by ransomware groups faced much steeper ransom demands than they did last year, according to the survey.

“There was a sharp increase in respondents indicating that their organization paid a ransom of $50,000,” the authors wrote. “The decline in smaller ransom payments suggests that attackers are looking to increase their income by increasing their ransom demands.”

More than 20% of those who paid the ransom said the cost was $50,000 or more, compared with about 5% who said the same thing in 2023.

Mixed Numbers

Cybersecurity companies are reporting a mix when it comes to the trend in ransom payments. Coveware – now part of Veeam – in January said that in 2019, 85% of victims paid the ransom, a number that dropped to 29% by the end of 2023. However, in a report this week, Hornetsecurity said that 16.3% of ransomware victims this year have paid a ransom, a significant jump over the 6.9% that paid last year. 

Hornetsecurity also found that more data is being lost as a result of a ransomware attack and less is being recovered.

When it comes to options facing companies that have been attacked, smaller businesses often find themselves in a tighter squeeze. They don’t have the relatively deep pockets that enterprises do and often don’t have the necessary resources to quickly recover, McKie said.

“For SMBs, not paying is often the only choice should the ransom be too extreme,” he said. “Cyber insurance underwriters have made strides in making sure companies are better protected. For example, most policies today require security awareness training and EDR. As a result, those who are insured tend to be more security-mature, and have robust security measures in place.”

Supply Chain Attacks and AI

Other findings in the report include 19% of companies saying they were victims of a supply chain attack, a significant drop from the 61% that said the same thing last year. In addition, humans continue to be the weakest link in the cybersecurity chain, with 80% of respondents pointing to a lack of training or bad user behavior as the key factor in cybersecurity challenges.

Also, there were mixed opinions about the impact and usefulness of AI. About a third of survey respondents said they were reserving judgement on benefits the emerging technology will have for defenders, an indication of skepticism about AI.
