The Ponemon Institute conducted a survey recently on behalf of Illumio, a provider of a zero-trust segmentation platform. Based on the survey results, 88% of participant organizations had encountered at least one ransomware attack in the last 12 months. The survey also explored the difficulty that organizations experienced while defending against ransomware attacks. The survey participants included 2,547 IT and cybersecurity experts in the United Kingdom, United States, Germany, Japan, France, and Australia. 7% of survey participants were involved in the healthcare and pharmaceutical industries. The survey results were posted in the Global Cost of Ransomware Report by Illumio.
Most organizations spend about 33% of their IT budget on cybersecurity, a large part of it on ransomware protection. Still, 88% suffered a ransomware attack, which suggests that money is not the problem; the problem is how organizations act on what they know about ransomware defense. Cybersecurity controls for dealing with ransomware include multifactor authentication, attack prevention/detection systems, automated patching, segmentation/micro-segmentation, and email security. Although AI helps in the fight against ransomware, only 42% of organizations use it. Of those AI users, 46% stated it enhances SecOps efficiency, 44% reported it detects ransomware activity, 42% reported it blocks the deployment of ransomware, and 41% stated it helps them respond to and handle ransomware incidents.
Of all the surveyed organizations that reported encountering at least one ransomware attack, 54% stated their ransomware protection is effective. 47% of respondents claimed their third-party vendors implement privacy and security practices to minimize the chance of a data breach. Companies were not very positive about their workers' ability to recognize social engineering and phishing attacks, which is very concerning. When asked about the initial access vector used by attackers, the survey responses were: phishing 45%, RDP compromise 32%, and exploitation of software vulnerabilities 19%. Vulnerabilities are used for initial access in about 20% of ransomware attacks and are also used for lateral movement after the initial compromise. According to 52% of survey participants, threat actors exploited systems with unpatched vulnerabilities; 47% said weak passwords were exploited, and 35% said local administrator vulnerabilities were.
In 47% of ransomware attacks, the threat actor extracted data and leveraged it to compel the victim to pay the ransom; 45% of victims were also hit with DDoS attacks, and 34% of victims received reports that the threat actor had contacted their stakeholders and customers. Many threat actors no longer encrypt files at all, since stealing data and threatening to leak it is usually enough to pressure victims into paying. Just 34% of attacks included data encryption.
Ransomware attacks lead to high downtime costs. 58% of companies reported they had to halt operations, 40% sustained substantial revenue loss, and 35% suffered damage to their brand. On average, it took 132 hours and 17.5 employees to contain and remediate the largest attack, at an average cost of $146,685. In 2021, it took 190 hours and 14 employees to contain and remediate an attack, at an average cost of $168,910.
In 2024, threat actors demanded a $1.2 million ransom on average, and 51% of victims admitted that they paid it. Those who paid gave the following reasons: to prevent data leaks (47%), to avoid downtime (47%), because cyber insurance covered it (41%), and all of the above (40%). The 49% of victims who refused to pay gave these reasons: the encrypted or stolen information was not critical (49%), the data could be recovered from unencrypted backups (48%), company policy forbids ransom payment (47%), no confidence that the threat actor would hand over the decryption keys (46%), and following law enforcement advice not to pay (40%). Of those who paid the ransom, only 13% recovered all encrypted data, 40% reported that their data was still exposed, and 32% stated the threat actors demanded further payments or threatened further attacks. Because of these experiences, 51% of survey respondents said they now follow a no-ransom-payment policy. HIPAA encryption of sensitive data is also recommended for all entities.
The Federal Bureau of Investigation (FBI) recommends not paying a ransom and immediately informing the FBI in case of an attack. The survey showed that only 28% of victims informed law enforcement about an attack. The reasons given were: they did not want publicity (39%), the attacker gave a short deadline to pay the ransom (38%), fear of retaliation (38%), and the extortion demand was not high (24%).
Image credit: Andrey Popov, AdobeStock