Attackers targeting state and local governments demanded the lowest ransom payments of any sector surveyed, but victims were more likely to pay, according to a recent report.
Ransomware is getting worse – in just about every way.
Between the growing number and sophistication of attacks and the increasing financial burden it places on state and local governments, the impact is immense.
Ransomware attacks have increased 78% between 2020 and 2021, with 68% of organizations hit by ransomware in the last year, according to Sophos’ The State of Ransomware 2022 report. Attackers encrypt data in 65% of attacks, up from 54% in 2020, according to the global survey of 5,600 IT professionals, which included public sector respondents.
Plus, attackers have been demanding more in ransom, especially from those they consider most able to pay, such as manufacturing or utility companies. Attackers targeting health care and state and local governments demanded the lowest payments, but victims in those sectors were more likely to pay, the report said.
The highest payout rates – hovering around 50% – were seen in K-12, state/local government and health care. Manufacturing and financial services firms were less likely to pay ransoms, and they were also among the fastest to recover from an incident thanks to disaster recovery planning, according to Sophos.
On the plus side, organizations are getting better at recovering after an attack. Now, just about all get some encrypted data back: Nearly three-quarters recover data from backups, but almost half are paying the ransom to restore data.
Cyber insurance was used to pay nearly all (98%) ransoms. Even when a ransom is paid, victims do not get all their data restored. For state and local governments, only 59% of the encrypted data was unlocked.
To make matters worse, cyber insurance is getting more expensive and difficult to obtain. One county recently got a $1 million policy that covers costs associated with credit monitoring, ransom payments and system restoration. Last year, it got $2 million in coverage for half the cost.
“It's worth remembering that while cyber insurance will help get you back to your previous state, it doesn’t cover ‘betterment’ i.e., when you need to invest in better technologies and services to address weaknesses that led to the attack,” the report said.
Baltimore has become the poster child for ransomware response. When an attack knocked out city services in May 2019, the city refused to pay the $76,000 in bitcoin the attackers demanded. Some services were down for months, and the city ultimately spent $10 million on IT recovery, according to documents obtained by Technical.ly. A November 2020 ransomware attack on Baltimore County Public Schools is still affecting 9,000 retirees, the Washington Post reported, even though the county has paid nearly $10 million for recovery services.
Ransomware attacks have become increasingly easy for cybercriminals to launch, thanks to as-a-service attack components, making the likelihood of attack even greater. With cyber insurance policies growing more strict and expensive, organizations may become less able to pay to have their data returned.
“We may have reached a peak in the evolutionary journey of ransomware, where attackers’ greed for ever higher ransom payments is colliding head on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” said Chester Wisniewski, principal research scientist at Sophos.
Investing in the right technology, and ensuring staff have the skills and know-how to use it effectively, is critical, the report concluded. Organizations should review their defenses, harden networks, make backups, proactively hunt for threats – and prepare for the worst, Sophos advised.