The share of ransomware victims whose data was encrypted by their extorters grew to 76% over the past year, the highest since Sophos began recording these trends, the vendor claimed today.
The Sophos State of Ransomware 2023 report was compiled from interviews with 3000 cybersecurity/IT leaders carried out in the first quarter of 2023. Responding organizations were located in 14 countries and had between 100 and 5000 employees, with revenue ranging from less than $10m to more than $5bn.
The encryption rate in 2022 is the highest since the report series began in 2020, when it was 73%. Sophos claimed that this is evidence of an “ever-increasing skill level of adversaries who continue to innovate and refine their approaches.”
Only the IT, technology and telecoms sector managed to buck the trend, with an encryption rate of just 47%.
In just under a third (30%) of cases where data was encrypted it was also stolen, in double extortion attacks. However, only in 3% of cases were victims held to ransom without data being encrypted.
Interestingly, those who choose to pay their extorters double their recovery costs: an average of $750,000, versus $375,000 for those who use backups. They also run the risk of extending recovery times: 45% of organizations using backups recovered within a week, versus 39% of those that paid the ransom, Sophos said.
Around half (46%) of victims that had data encrypted elected to pay a ransom, rising to over half for higher-wealth businesses more likely to have standalone cyber-insurance policies.
These findings are slightly at odds with blockchain analysis, which revealed the total value of ransomware payments declined by 40% year-on-year in 2022. They also contradict a Trend Micro report from February that estimated just 10% of victims pay their extorters.
Sophos claimed that ransomware victim rates remained high in 2022, at 66%. That’s the same as the previous year.
Sophos field CTO, Chester Wisniewski, argued that victim rates had now likely reached a plateau.
“The key to lowering this number is to work to aggressively lower both time to detect and time to respond. Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months,” he explained.
“Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24×7 to mount an effective defense these days.”