Have you seen the latest ransomware numbers? Recent research commissioned by Cohesity found that most companies polled paid a ransom in the past two years—with 79% of respondents saying their company was the victim of a ransomware attack between June and December 2023.

  • All respondents said they needed over 24 hours to recover data and restore business processes.
  • 94% said their company would pay a ransom to recover data.
  • 90% said their organization paid a ransom in the prior two years.

Now, there’s a big headline from a new report from blockchain analyst Chainalysis. Ransomware gangs took more than $1.1B from their victims in 2023.

Does this staggering figure say more about a sophisticated adversary? Or is it an indictment of our resilience to cyberattacks? Well, it’s a bit of both.

Ransomware history

The ransomware—or digital extortion—business is thriving globally and gaining the kind of funds that attract new players and pay for new techniques and resources. Neither the U.S. government’s attempts at sanctions last year nor investigative successes against a number of ransomware groups have prevented record payouts. Company managers must expect that ransomware gangs will continue to adapt their extortion techniques.

It all began with the encryption of files, the origin of the ransom idea can be traced back to the AIDS Trojan from 1989, which demanded the transfer of a modest $189 US dollars to a post office box in Panama to receive the decryption key. Because ransom payments like this couldn’t be scaled easily, these attacks remained largely a niche for just over 20 years. The invention of cryptocurrencies in 2010 made it easier for ransomware gangs to collect ransoms.

Today, ransomware gangs blackmail their victims twice over: First, the victim’s data is encrypted, and if they don’t pay the ransom to decrypt it. Then the data is exfiltrated from the company network and they’re threatened again that it will be published online.

Inhumane scams create even more pressure

In the meantime, cybercriminals have found new ways to put even more pressure on victims. Another scam: triple blackmail. Here, the data is not only encrypted, then threatened with publication, but in a third attempt to extract cash—the criminals target everyone whose data has been stolen and harass them to exert even more pressure on the victim organisation.

Several cases in the U.S., in which hospitals were blackmailed, show just how ruthless the groups are. The hackers used stolen patient data to threaten these people with swatting. Swatting involves reporting a serious crime with weapons to the police at the target’s place of residence so that police SWAT teams travel to the alleged crime scene heavily armed. People have been killed in swatting operations in the U.S.

Recently, ransomware groups have involved authorities in their tactics. To promote transparency in cyber incident reporting, regulators are introducing much stricter breach notification rules, one example being the U.S. Securities and Exchange Commission (SEC). Shortly after the new reporting requirement was published, the first case of quadruple extortion occurred. After the usual encryption, extortion, and threats to publish data, the ransomware gang involved then threatened to denounce the victim organisation to the regulator for failing to comply with the reporting requirement for successful cyberattacks.

Imagine being hit by ransomware. Then threatened. Then the attackers file an SEC complaint against you.

Generative AI use by ransomware gangs

All these new developments have massively increased the pressure on organisations to pay ransoms. However, they are by no means the most worrying trend in ransomware. The use of generative AI by ransomware gangs has made detecting phishing by trained users and technical means much more difficult. And the evolution of the entire ransomware business to a ransomware as a service (RaaS) model is disruptive.

Thanks to the economies of scale of the RaaS platform and its thousands of paying subscribers, its operators can now afford to exploit vulnerabilities much faster than even organisations with the most efficient vulnerability management system can. This has led to several highly effective campaigns targeting file transfer services and internet fraud infrastructures over the past year.  Such RasS platforms also have resulted in many new entities conducting ransomware attacks, as these “affiliates” no longer need the prerequisite technical expertise to conduct the attacks.

Neglected stress tests at companies

And then there’s the other side of the equation, which is how are organizations equipped to respond to and recover from ransomware. Many IT operations teams and backup administrators prepare for cyber incidents as they would for a business continuity or disaster recovery scenario. The problem? BC/DR incidents have a limited number of root causes that can be quickly identified, so for those types of incidents, we can largely orchestrate and automate the response and recovery efforts.

In cyber incidents, we are dealing with an adversary that is constantly adapting. We need to fully understand the incident first before we can take the appropriate steps to mitigate the risk of further attack before we bring the systems back online:

  • What are my regulatory obligations to notify data subjects and regulators based on data exfiltrated?
  • What controls were missing, failed to stop or detect the attack, or were circumvented?
  • What persistence mechanisms were added by the attacker to re-propagate the ransomware?
  • What malicious accounts were added? And other artifacts?

The importance of ransomware preparedness

Taking these investigatory steps when your communications, collaboration, security tools, and backups have been compromised by ransomware is a challenge. Trying to use endpoint security agents for investigation when you have quarantined your network to contain the spread of the ransomware, or trying to classify impacted data to determine reporting requirements after it has been encrypted is impossible. Many organisations think their RTO to a cyber incident is down to the speed of disk, pipe, and recovery solution—yet they often fail to factor in the time the response process will take.

Ransomware preparedness is the single most important success factor organisations can take to increase their cyber resilience by ensuring both their response and recovery processes are effective and efficient. There are invaluable lessons from taking part in a realistic tabletop exercise conducted by resources who have dealt with ransomware outbreaks, such as those Cohesity is running, that allow business decision-makers to go through a simulated ransomware attack and allow them to find out whether they are well prepared, where they have gaps, and what suitable practices exist to close these gaps.

Learn more:

Field CISO Headshots James Blake
James Blake
Field CISO Headshots James Blake
James Blake

Global Cyber Resiliency Strategist

James leads cyber resilience strategy at Cohesity. He brings extensive hands-on experience in leading incident response in dozens of ransomware and wiper incidents; as the former CISO of Mimecast and Global Director of Cyber Transformation at JPMorgan Chase; and having led a consultancy practice that built the end-to-end security operation center capability for over 91 organizations including over two dozen in the FORTUNE 100.

See All Authors
Global Cyber Resiliency Strategist
Field CISO Headshots James Blake
James Blake
Global Cyber Resiliency Strategist
Field CISO Headshots James Blake
James Blake

Global Cyber Resiliency Strategist

James leads cyber resilience strategy at Cohesity. He brings extensive hands-on experience in leading incident response in dozens of ransomware and wiper incidents; as the former CISO of Mimecast and Global Director of Cyber Transformation at JPMorgan Chase; and having led a consultancy practice that built the end-to-end security operation center capability for over 91 organizations including over two dozen in the FORTUNE 100.
See All Authors

You may also like

Blog

Why governance matters—An insider’s POV into NIST 2.0 updates

- By James Blake

Learn more
Blog

Cyber resilience in the ransomware era: Introducing new Cohesity DataHawk capabilities

- By Megan LaFlamme

Learn more
Blog

How Cohesity and Cisco XDR help you reduce data loss and recover faster with automated threat response

- By Eleonor Lee

Learn more
X image
Icon ionic ios-globe

You are now leaving the German section of www.cohesity.com/de/ and come to an English section of the site. Please click if you want to continue.

Don't show this warning again

Icon ionic ios-globe

You are now leaving the German section of www.cohesity.com/de/ and come to an English section of the site. Please click if you want to continue.

Don't show this warning again