Ransomware’s Decline Reveals Value of Improved Defenses
Reductions in ransomware attacks and payments point to the efficacy of strong defenses and response plans — and also underscore the importance of continued vigilance.
- The number of reported ransomware attacks, the total value of ransomware payments, and the likelihood of companies’ paying ransoms all declined in 2022, compared with 2021.
- Experts attribute this downward trend to stronger cybersecurity, data backups, and improved incident response.
- This dip in ransomware impact illustrates the value of ongoing vigilance and cybersecurity investments, particularly as cybercriminals continue to evolve their ransomware tactics.
It’s often hard to prove the value of a negative — say, the return on an investment in keeping a cyberattack from landing. But that’s exactly what recent reports of decreases in ransomware attacks and payouts demonstrate.
Savvy cybersecurity leaders, in response to increasing requirements from cyber insurers, have taken a stronger, layered defense-in-depth approach to what has been a mounting ransomware threat. And, by most accounts, it’s working.
Both the number of reported ransomware attacks and resulting losses decreased last year, the FBI’s Internet Crime Complaint Center (IC3) says. In 2022, the IC3 received 2,385 ransomware complaints (down from 3,729 in 2021), with adjusted losses of more than $34.3 million (down from more than $49.2 million in 2021), according to its recently released Internet Crime Report. Mimecast’s State of Email Security 2023 (SOES 2023) report also revealed a drop in the prevalence of ransomware attacks with significant repercussions. The number of global respondents who said a ransomware attack had significantly impacted their businesses in the previous year fell to 29% this year (from 38% in the 2022 report). One-third of U.S. respondents said the same this year, down from 41% in last year’s report.
In addition, ransomware experts say companies’ propensity to pay off attackers has fallen precipitously. Just 42% of victimized companies paid a ransom in 2022, down from 75% in 2019, according to ransomware incident response and recovery provider Coveware. The overall value of ransomware payments appears to have decreased as well, according to blockchain data platform Chainalysis, which analyzes cryptocurrency movements to identify illegal activities including ransomware plots. Ransomware attackers extorted approximately $456.8 million from companies in 2022, down from $765.6 million the prior year, according to Chainalysis.
But now is not the time for companies to take their foot off the gas. Rather, declines in the overall effectiveness of ransomware plots underscore the importance of stronger cyber defenses, and incident response and recovery plans, these reports suggest.
Companies with layered defenses and rehearsed incident response processes are not only in a better position to fend off ransomware attempts, but they’re also less likely to see the kinds of impacts that would force them to pay a ransom — which is likely the reason for this downward trend. While cybercriminals follow the money — and may be backing off some traditional ransomware approaches — they will continue to evolve, both in terms of variants and approaches to extortion. And thanks to the thriving ransomware-as-a-service market, these threats can scale quickly. As the FBI’s IC3 warns, ransomware remains a serious threat. That means smart security leaders will need to remain vigilant, continuing to invest in key cybersecurity controls.
Insurers, Regulators Raise the Cyber Status Quo
Payments and losses, two of the biggest drivers behind the shrinkage in ransomware attacks over the last year, are the more stringent requirements being put in place by both cyber insurance providers and government regulators.
Unrelenting increases in successful cyberattacks, in general, have had an impact on cyber insurers’ claim costs in recent years. As a result, companies providing cyber insurance have become more demanding — charging higher premiums, raising deductibles, and requiring better evidence of risk management. They’ve tightened their underwriting terms, looking for specific evidence of an applicant company’s cyber operating environment and risk controls.
Likewise, increasing regulatory requirements are raising the bar for cybersecurity and incident response. The net result has been stronger cyber defenses and greater business resiliency in many organizations. Companies with better and layered security controls in place are reducing their attack surfaces. And those with practiced incident response plans and data backups are better prepared to sustain attacks without the significant business disruption that might pressure them to pay off their extorters.
What This Means for CISOs
The overarching headline for security leaders is that layered security controls can be an effective deterrent to ransomware and being prepared for a ransomware attack pays dividends. It’s more important than ever to have a threat-informed cyber risk management program in place.
In order to continue to keep pace with ransomware gangs and other threat actors, organizations should redouble their focus on SecOps fundamentals and fortify their defense-in-depth strategies, says Mimecast regional CISO Neil Clauson. Clauson advises that security leaders review their cybersecurity portfolio to shore up any missing controls in order to protect against the most common and damaging threat vectors.
Cyber insurers, based upon analysis of their own actuarial data, have come up with a list of the most effective security controls. Many now require their insured companies to provide evidence of these defensive measures. Their requirements can provide a benchmark for organizations seeking to shore up their protections against ransomware and other threats. Insurer Marsh, for example, has published a list of a dozen cybersecurity controls it requires, including email filtering and web security; secure, encrypted and tested backups; cyber awareness and anti-phishing training; digital supply chain risk management; and systems hardening.
The Bottom Line
Declines in reported ransomware attacks and payouts in 2022 point to the efficacy of layered cybersecurity defenses and cyber incident response planning. But security leaders should take care to ensure their executive leadership, business partners, and boards of directors don’t misinterpret the data. Recent reports support ongoing investments in a defense-in-depth cybersecurity approach and the security controls that many cyber insurance companies now require. Read more about how Mimecast and its partners come together to increase an organization’s resilience to ransomware.
 “Federal Bureau of Investigation Internet Crime Report 2022,” Internet Crime Complaint Center
 “Ransomware Revenue Down As More Victims Refuse to Pay,” Chainalysis
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!