Is Ransomware Less Scary in 2024? A Look at Emerging Lessons

In today's digital era, no business is safe from the ever-present danger of ransomware attacks. The harsh truth is that these attacks are on the rise in frequency and complexity.

A recent report by Sophos, a leading cybersecurity company, revealed that a staggering 59% of global organisations fell victim to ransomware in the past year alone [1]. This equates to millions of attacks, causing significant disruptions and financial losses. In a record-breaking year, Chainalysis, a blockchain analysis company, reported that ransomware payments in 2023 exceeded a mind-boggling $1 billion [2]. These figures, from reputable sources in the cybersecurity industry, paint a stark picture: ransomware is a grave threat with a mounting impact on businesses of all sizes. However, there’s a silver lining to this dark cloud. The increasing prevalence of ransomware attacks offers a unique learning opportunity. The experiences of diverse organisations across various sectors can provide practical lessons and invaluable insights. Any business can harness these, empowering them to be better prepared and more cyber-resilient to ransomware attacks.

Emerging Lessons

  • Communication – Transparent, swift, and continuous communication is not just a buzzword, but a practical and effective strategy for managing a company’s reputation during a ransomware attack. Real-world examples demonstrate the tangible benefits of this approach: Maersk’s immediate and transparent communication following the NotPetya attack [3] helped maintain customer trust and stabilise their share price, whereas Equifax’s delayed response to their 2017 data breach [4] led to significant reputational damage and a sharp decline in share price. Similarly, Travelex’s poor communication during its 2020 ransomware attack resulted in customer frustration [5] and financial loss. These examples underscore the importance of proactive, regular, and transparent communication in mitigating reputational damage during ransomware cyber attacks.

  • Cybersecurity Insurance – Investing in cybersecurity insurance is not just a precaution but a strategic move to mitigate ransomware attacks’ financial and operational impacts. It covers costs such as ransom payments, legal fees, and business interruptions, potentially saving your company from significant financial losses. For instance, Mondelez International utilised its insurance to recover part of the $100 million loss from the NotPetya attack in 2017 [6]. Additionally, insurance providers offer access to cybersecurity experts and incident response teams, as demonstrated when Baltimore’s insurer aided in their 2019 ransomware recovery [7]. Legal and regulatory support is another benefit, with Norsk Hydro’s insurance helping navigate compliance post-2018 attack [8]. Furthermore, insurance requirements often drive companies to adopt best practices and regular security assessments, enhancing overall cybersecurity, as seen with Beazley’s stringent measures reducing incident severity [9]. Lastly, a structured incident response facilitated by insurance can minimise downtime and damage, as illustrated by CWT’s rapid recovery from a 2020 ransomware attack [10].

  • Declining ransom payment – Declining ransom payment is a valid response strategy during ransomware attacks, offering multiple benefits and crucial lessons. However, this is only plausible if you have data backups. Companies can promote long-term security improvements, avoid funding criminal activity, and rely on robust backup systems for recovery. For example, the City of Baltimore refused to pay ransom during the 2019 attack [7], leading to significant cybersecurity enhancements. Similarly, Norsk Hydro did not pay the ransom in 2019, maintaining its corporate integrity by not supporting illegal activities [8]. Maersk demonstrated the effectiveness of comprehensive backup strategies by recovering operations after the NotPetya attack in 2017 without paying the ransom [3]. Additionally, refusing to pay ransom is not just a strategic move, but a crucial one that helps avoid potential legal repercussions. Paying might violate laws in some regions, as seen in the University of Utah’s 2020 case [11]. Furthermore, paying ransom does not guarantee data recovery or prevent further demands, as illustrated by the Kansas Heart Hospital attack in 2016. In this case, payment led to additional demands without data restoration, highlighting the potential risks of this approach. Thus, refusing to pay can not only prevent further exploitation but also encourage the adoption of more robust cybersecurity measures [12].

  • Help is arriving – Successful law enforcement actions against ransomware operators provide valuable lessons for companies facing such threats, highlighting the importance of
    • collaboration,
    • timely reporting, and
    • leveraging insights to enhance security measures

Let’s recap the key lessons from the 2021 law enforcement actions. The arrest of REvil ransomware gang members, who targeted companies like JBS Foods and Kaseya, highlighted the power of collective efforts [13]. The takedown of the DarkSide group after the Colonial Pipeline attack underscored the critical role of prompt reporting and information sharing [14]. These successes were not achieved in isolation, but through the collective efforts of businesses, law enforcement, and cybersecurity professionals. They demonstrate that we are not alone in this fight against ransomware. Thanks to law enforcement, the disruption of the Emotet botnet in early 2021 [15] provided insights that demonstrated how we can strengthen our defences against future threats. The arrest of Egregor ransomware affiliates in 2021 [16] served as a clear deterrent for future attacks, showing that cybercriminals are not beyond the reach of the law. These successes also help restore trust among stakeholders, as seen in Garmin’s recovery from a 2020 ransomware attack bolstered by subsequent arrests [17]. These success episodes, although drops in the ocean, reinforce the united front against ransomware, further strengthening the importance of collaboration, timely reporting, leveraging law enforcement insights, deterring future attacks, and restoring trust.

  • Successful ransomware defence controls – It is crucial to learn from other businesses how their security controls have fared against ransomware attacks and which controls have given them the best value for their money in managing ransomware attacks. The following controls are cited for protecting against, detecting, responding to and recovering from ransomware attacks:
    • Immutable backups: Isolated and unalterable, these backups offer a fast recovery route
    • Network segmentation: Limits ransomware spread by reducing the blast zone and hindering lateral movement within the system
    • Endpoint Detection and Response (EDR): Detects and isolates suspicious activity on devices before data encryption
    • Cybersecurity awareness training: Empowers employees to identify phishing attacks, a common ransomware entry point
    • Incident response plan: Minimises downtime and damage through a coordinated response

While there is no silver bullet in cybersecurity, businesses should implement the above-mentioned security controls, supplemented with additional controls to ensure defence in depth. It’s important to remember that the threat landscape is constantly evolving, and so must our defences. By implementing these controls and actively staying informed about evolving threats, we can significantly strengthen our organisation’s defences against ransomware. Staying informed is not just a suggestion; it’s a necessity in today’s digital landscape. It’s the key to staying one step ahead of cybercriminals and protecting our businesses from potential threats.

In summary, while the destination in the fight against ransomware remains distant, there’s a growing arsenal of strategies to combat it. The rise in ransomware attacks, which affected 59% of global organisations last year, serves as both a stark warning and a valuable learning opportunity. As we navigate this evolving threat landscape, practical lessons from past incidents highlight the importance of transparent communication, strategic investments in cybersecurity insurance, and the benefits of declining ransom payments. Law enforcement successes against ransomware operators, such as the takedown of the REvil gang and the DarkSide group, underscore the power of collaboration and timely reporting. As one industry expert noted, “These successes, although drops in the ocean, reinforce the united front against ransomware.” This united front, built on shared knowledge and collective action, is our strongest defence. Moving forward, continued vigilance and enhanced collaboration within the cybersecurity community are essential to fortify our defences further and mitigate the impact of these pervasive threats.

[1] Sophos State of ransomware 2024 (no date) SOPHOS. Available at: https://www.sophos.com/en-us/whitepaper/state-of-ransomware (Accessed: 20 June 2024).
[2] The Chainalysis 2024 crypto crime report (no date) Chainalysis. Available at: https://go.chainalysis.com/crypto-crime-2024.html (Accessed: 20 June 2024).
[3] Rebuilding after NotPetya: How Maersk moved forward (2019) CSO Online. Available at: https://www.csoonline.com/article/567845/rebuilding-after-notpetya-how-maersk-moved-forward.html (Accessed: 20 June 2024).
[4] Financial watchdog fines Equifax Ltd £11 million for role in one of the largest cyber security breaches in history (2023) FCA. Available at: https://www.fca.org.uk/news/press-releases/equifax-ltd-fine-cyber-security-breach#:~:text=There%20were%20known%20weaknesses%20in,Inc%20had%20discovered%20the%20hack. (Accessed: 20 June 2024).
[5] Tidy, J. (2020) Travelex: Banks halt currency service after cyber-attack, BBC News. Available at: https://www.bbc.co.uk/news/business-51034731 (Accessed: 20 June 2024).
[6] Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit (2022) Cyber Security News | The Record. Available at: https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit# (Accessed: 20 June 2024).
[7] (MD), B.S. (2019) Baltimore to purchase $20M in Cyber Insurance as it pays off contractors who helped city recover from Ransomware, InsuranceNewsNet. Available at: https://insurancenewsnet.com/oarticle/baltimore-to-purchase-20m-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware (Accessed: 20 June 2024).
[8] Briggs, B. (2023) Hackers hit Norsk Hydro with ransomware. The company responded with transparency, Source. Available at: https://news.microsoft.com/source/features/digital-transformation/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/ (Accessed: 20 June 2024).
[9] Cyber incident response services (no date) beazley. Available at: https://www.beazley.com/en-US/cyber-customer-centre/cyber-risk-management-tools/cyber-incident-response-services/ (Accessed: 20 June 2024).
[10] ‘Payment sent’ – travel giant CWT pays $4.5 million ransom to cyber criminals, Reuters. Available at: https://www.reuters.com/article/idUSKCN24W26O/ (Accessed: 20 June 2024).
[11] Ransomware payments may violate sanctions laws, U.S. Treasury Department warns: Faegre Drinker Biddle & Reath LLP (no date) Publications | Insights | Faegre Drinker Biddle & Reath LLP. Available at: https://www.faegredrinker.com/en/insights/publications/2020/10/ransomware-payments-may-violate-sanctions-laws-us-treasury-department-warns (Accessed: 20 June 2024).
[12] Ransomware attackers collect ransom from Kansas Hospital, don’t unlock all the data, then demand more money (2016) Healthcare IT News. Available at: https://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom (Accessed: 20 June 2024).
[13] Russia arrests Ransomware gang responsible for high-profile cyberattacks (2022) NBCNews.com. Available at: https://www.nbcnews.com/tech/security/russia-arrests-ransomware-gang-responsible-high-profile-cyberattacks-rcna12235 (Accessed: 21 June 2024).
[14] Pipeline to peril: Unpacking the ALPHV attack on Trans-Northern (2024) SOCRadar® Cyber Intelligence Inc. Available at: https://socradar.io/pipeline-to-peril-unpacking-the-alphv-attack-on-trans-northern/ (Accessed: 21 June 2024).
[15] World’s most dangerous malware EMOTET disrupted through global action (no date) Europol. Available at: https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action (Accessed: 21 June 2024).
[16] Ducklin, P. (2021) Egregor ransomware criminals allegedly busted in Ukraine, Sophos News. Available at: https://news.sophos.com/en-us/2021/02/15/egregor-ransomware-criminals-allegedly-busted-in-ukraine/ (Accessed: 21 June 2024).
[17] Garmin begins recovery from ransomware attack (2020) BBC News. Available at: https://www.bbc.co.uk/news/technology-53553576 (Accessed: 21 June 2024).
