Fewer Organizations Pay Ransom, But Ticket Size Increases

Gartner Analyst Paul Furtado on the Changing Ransomware Landscape
Paul Furtado, VP analyst, Gartner

Information Security Media Group met with Paul Furtado, VP analyst, Gartner, at the Gartner Security and Risk Management Summit in Mumbai. In this interview with ISMG, he speaks about the changing ransomware landscape and the impact it has on organizations, executives and boards.

Edited excerpts follow:

How is the ransomware landscape changing this year? What are you observing? Are more people paying ransom? Has the ticket size increased?

We're seeing a dip in the number of companies that are paying year over year. Since 2019, about 85% of companies were actually paying, but at the end of Q4 2022, it was down to 37%. This is due to a number of reasons [outlined below].

Certain industries, such as state-level government, are experiencing a decline due to regulations that prohibit the use of public funds for ransom payments.

Because of the sanctions imposed against Russia in the aftermath of its invasion of Ukraine, you will now actually be contravening federal laws for a lot of countries if you're doing business with Russia, and a lot of these groups are Russian-based. So you're no longer able to make that payment even if you wanted to.

Organizations are also ramping up their security measures, and if they're able to recover a lot faster, they feel more confident in their abilities to recover.

Interestingly, although [ransom] payments have been subsiding, the average payment is increasing. I also tried mapping that to the cryptocurrency market to see if that increase was followed because of the drop in the value of Bitcoin, and they don't actually align. It facilitates the growth of organizations that deploy ransomware and want to generate additional revenue. With the cryptocurrency decline, that's part of it, and the number of people not paying is also part of it.

That's why we're starting to see a significant increase in the cost for those that have agreed to pay.

What new techniques will ransomware groups employ to put pressure on victims?

It started with double extortion, where cybercriminals encrypted sensitive data and threatened to publish it on the dark web. However, since last year, we are starting to see a new trend of triple extortion. Here, they seek money not only from the breached organization but also from anyone who might be impacted by the public disclosure of that organization's data.

They are using AI/ML for business intelligence and seeking additional sources of revenue within the breached/stolen data set.

I can share three examples with you. One, unfortunately, was a health clinic in the Nordics. They suffered a ransomware attack. The threat actors found patient health records from the data set. They reached out to the patients directly and threatened to release the public health records. At the same time, they were trying to extort money from the clinic owners.

In the second instance, an organization that got hit by ransomware suffered a breach, resulting in the theft of a data set that contained highly beneficial vendor contracts. The attackers approached the vendor and demanded ransom, threatening that they would reveal their pricing model to the other clients. That vendor sued the breached business for not implementing adequate security measures to protect their IP.

Here is the last example. One of our clients fell victim to a ransomware attack. The attackers had demanded a ransom of $2 million for the stolen data set. When the breached company informed the attacker that they didn't have the money to pay them, the attackers sent them a copy of their insurance policy, which was included in the stolen data set. That revealed that they, indeed, had $2 million worth of insurance coverage.

This data mining exercise they are employing adds additional risk to the data sets that we are securing. It's not just regulated data that needs encryption. Loss of non-regulated, business-critical data can have a detrimental impact on the organization.

What types of industries or companies are being targeted more frequently?

Healthcare, manufacturing, state and local governments, and education. They face the brunt of it. No one industry is exempt, and we see examples of it in different industries, whether it is banking and finance or other highly regulated industries. All those are being affected, just not necessarily at the same levels.

What has been the realization and impact from all these ransomware attacks?

A good thing that has come out of the ransomware scare is that we are having more executives and boards talk about cybersecurity and cyber resilience within their businesses.

We are seeing budgets being cut down. But most security budgets are staying flat or increasing. This is a positive sign, especially in the current economic scenario.

Although businesses were underinvesting in cybersecurity previously, they are prioritizing it due to the evolution of threats. Due to the COVID-19 pandemic and the widespread adoption of remote work, organizations had to move to a new business operational model/architecture, and they had to implement additional security controls to support the change. They understand the risk and are continuing with that [security] investment.

About the Author

Brian Pereira

Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.
