Ransomware Attacks Evolve as Average Ransom Demand Tops $1.26 Million – Source: securityboulevard.com

Ransomware claims surged by 64% year-over-year, particularly among mid-market and emerging businesses. There was a sharp rise in “indirect” ransomware incidents, which grew by more than 415% compared to 2022.

These were among the key findings from At-Bay’s investigation into the anatomy of ransomware attacks in the U.S. in 2023, which also calculated that attackers’ average ransom demand exceeded $1.26 million.

Despite the eye-watering initial cost, companies ended up paying $282,000 on average — representing a steep 77% drop in price.

“Negotiation really paid off in 2023 when it came to handling ransomware demands,” said Adam Tyra, general manager of security services at At-Bay. “This big decrease shows just how helpful negotiating can be when dealing with ransomware threats.” A ransom payment was avoided in more than half (54%) of the incidents At-Bay examined.

Chainalysis recently reported law enforcement crackdowns on high-profile cybercrime operations, such as LockBit, BlackCat and QakBot, have also contributed to reducing the amount of ransom paid out by targeted companies.

In 2023, At-Bay recorded 41 different types of ransomware strains used, with LockBit and BlackCat/ALPHV being the most common. These two strains made up 35% of all reported attacks.

Tyra noted threat actors also started using “double leverage” tactics more often. “This means they not only locked up companies’ data but also stole it, which led to higher ransom demands and payments compared to just locking or just stealing the data,” he explained.

Double leverage attacks pose a significant threat due to their downstream domino effect. When a victim’s operations are disrupted through encryption, they not only suffer immediate consequences but also face the risk of sensitive data being captured and exposed through exfiltration. This becomes especially problematic if the data belongs to the victim’s customers or partners.

The repercussions of this domino effect are further magnified when the victim company is vertically integrated, as is often the case with Software-as-a-Service (SaaS) companies catering to specific market segments.

Remote Access Tools Targeted

Remote access tools were the top entry vector for ransomware attacks in 2023, comprising 58% of direct ransomware attacks.

Attackers particularly targeted self-managed virtual private networks (VPNs). Whether implemented on-premises or maintained by in-house IT teams, VPNs accounted for 63% of ransomware events where remote access was the initial entry vector.

Some brands did worse than others, though the report noted all self-managed VPNs identified in At-Bay’s portfolio were associated with worse security outcomes. Companies using self-managed VPNs by Cisco and Citrix were 11 times more likely to fall victim to a ransomware attack than those who did not use a self-managed VPN at all.

As Tyra explained, ransomware tactics have evolved from primarily exploiting RDP to increasingly targeting self-managed VPNs. “This shift reflects attackers’ ability to get around the security measures many companies have taken in better securing RDP,” he said.

Attackers are also exploiting CVEs commonly found in remote access technologies, like those seen in 2023 related to Cisco ASA and Citrix SSL (CitrixBleed), Tyra noted.

Direct Costs of Ransomware Fall

Several factors likely contributed to the decrease in the average cost of a direct ransomware attack in 2023, including increased use of backups. “More organizations successfully restored their data from backups, reducing the likelihood they would need to make a ransom payment and lowering related recovery costs,” Tyra said.

Enhanced security tools and practices, as well as more successful incident response measures, also likely helped mitigate the severity of some attacks.

“With the support of our claims managers and response and recovery team, businesses were able to better navigate and negotiate ransom demands,” Tyra said. This resulted in lower average ransom payments, allowing organizations to get back on their feet faster and lowering costs related to systems restoration or business interruption.

“Organizations should reevaluate which vendors or partners should hold their data, what protections are put in place, and whether that partner will be able to reimburse them for damages resulting from an indirect ransomware attack,” Tyra advised.

Photo credit: SEO Galaxy on Unsplash