Data encryption by ransomware at a record high
According to a survey by IT security service provider Sophos, 75 percent of the organizations surveyed in Switzerland have already been affected by ransomware. In addition, paying a ransom doubles the recovery costs.
According to the global study "State of Ransomware 2023" by Sophos, cybercriminals succeed in encrypting data in 91 percent of ransomware attacks on organizations in Switzerland (76 percent internationally). From an international perspective, it is the highest rate of data encryption by ransomware since the IT security service provider first published its annual Ransomware Report in 2020. Three thousand cybersecurity/IT executives from 14 countries were surveyed between January and March.
Ransom payments double recovery costs
From a global perspective, the survey shows that companies that paid a ransom to decrypt their data doubled their recovery costs ($750,000 in recovery costs versus $375,000 for companies that used backups to recover data). In addition, paying the ransom typically means a longer recovery time: 45 percent of companies that used backups were able to recover data within a week, compared to 39 percent of companies that paid the ransom.
Number of data encryptions at a high level
Overall, 75 percent of the companies surveyed in Switzerland (66 percent internationally) were attacked by ransomware. This indicates that the number of ransomware attacks has remained consistently high, despite the supposed decline during the pandemic years. "Encryption rates have returned to very high levels after a temporary decline during the pandemic, which is concerning. Ransomware criminals have refined their attack methods and accelerated their attacks to shorten the time it takes for defenders to foil their plans," Chester Wisniewski, Field CTO at Sophos, said of the study findings. "The cost of incidents increases significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they will also need to import backups. Paying ransom not only enriches the criminals, but also slows down the incident response and increases costs in an already devastating situation," Wisniewski continues.
Vulnerabilities exploited
When analyzing the cause of ransomware attacks, the most common starting points in Switzerland were an exploited vulnerability, at 27 percent (36 percent internationally), and compromised credentials, at 25 percent (29 percent internationally). This is consistent with recent incident response findings from the field in Sophos' "2023 Active Adversary Report for Business Leaders".
The study also shows the following additional findings:
- In 34 percent of ransomware cases involving data encryption in Switzerland, the attackers also stole data. This indicates that this "double-dip" method (data encryption and data exfiltration) is becoming more common.
- Internationally, the education sector reports the most ransomware attacks, with 79 percent of higher education organizations surveyed and 80 percent of lower education organizations surveyed reporting that they have been victims of ransomware.
- Overall, 38 percent (46 percent internationally) of the organizations surveyed in Switzerland whose data was encrypted paid a ransom and received data back. However, ransomware payments were far more common among larger organizations from an international perspective. More than half of organizations with revenues of $500 million or more paid the ransom, with the highest rate reported by organizations with revenues of more than $5 billion. This may be due in part to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransomware payments.
Tips against ransomware and data encryption
"Two-thirds of organizations report being a victim of ransomware for the second year in a row. The key to reducing this risk is to dramatically shorten both the time to detection and the time to response. Human-led threat hunting is very effective at stopping these criminals, but alerts must be investigated and the criminals removed from systems within hours, not during weeks and months. Experienced analysts can spot the patterns of active intrusion within minutes and take immediate action. This is likely the difference between the one-third of companies that remain secure and the two-thirds that do not. Companies need to be on alert 24/7 to build effective defenses these days," Wisniewski said.
IT security specialists offer the following three tips to protect against ransomware, data encryption and other cyberattacks:
- Strengthen defenses with:
  - Security tools that defend against the most common attack vectors. These should include endpoint protection with strong anti-exploit capabilities to prevent vulnerability exploitation and Zero Trust Network Access (ZTNA) to thwart the misuse of compromised credentials.
  - Adaptive technologies that automatically respond to attacks, disrupt attackers and buy defenders time to respond
  - 24/7 threat detection, investigation and response, either in-house or through a specialized managed detection and response (MDR) provider
- Optimize attack preparation, including regular backups, testing to recover data from backups, and maintaining an up-to-date incident response plan
- Maintain good security hygiene, including timely patching and regular review of security tool configurations
Source: Sophos