Is the long-term plague of ransomware finally starting to ease up? A new study from Delinea finds that ransomware attacks are sharply down, but there are markers that indicate it is not yet time for organizations to drop their guard.
61% fewer organizations say that they experienced ransomware attacks in 2022, a remarkable drop from the 2021 numbers. However, it is important to note that ransomware has also surged tremendously since 2020 and was already at a very high level in 2019, so this may be something of a post-pandemic correction back to the state of affairs before Covid-19 hit and the sudden shift to remote work created boundless new opportunities for criminals.
Companies more prepared for ransomware remediation, but security is becoming more lax
Aside from the big drop in reported ransomware attacks, the Delinea report has several other very interesting findings. One is that organizations appear to be shifting focus away from proactive security and toward simply recovering when hit. In 2021, 82% of organizations reported having a policy that allows for making ransomware payments; that number has shrunk to 68%. This is accompanied by an increase in preparation for remediation and recovery: organizations now say their first line of defense is regular backups.
On the security end, organizations have upped the basics: they are pushing more regular updates, stronger password policies, and an increasing range of mandatory multi-factor authentication measures. But they are falling behind in more advanced security measures, such as application control and privileged access management.
Could relaxed security postures spur more ransomware attacks?
In 2021, organizations faced high odds of experiencing a ransomware attack (64%). Those odds declined tremendously in 2022 (25%). The reduction in these incidents was greater for smaller companies (under 100 employees), with the larger firms seeing just an 8% drop in those hit by ransomware attacks.
Of course, there is one big question mark hanging over all of these self-reported numbers. These stats represent the ransomware attacks that companies are willing to talk about; often there are substantially more that stay off the record and are never reflected in these sorts of studies. A major increase in the cost of insurance and the difficulty in obtaining adequate ransomware coverage could very well be contributing to a reduction in the number of incidents that make it onto the official records.
The study also focuses on successful ransomware attacks. The overall volume of attempts also decreased, but not in proportion to the drop in successful compromises. That raises more questions, especially when one looks at the general state of security postures. In 2021 nearly all of the respondents had a discrete security budget for dealing with ransomware; that figure plummeted to just 68% in 2022. And while only 1% said that they were taking no action at all to defend against ransomware attacks in 2021, that number went up to a very concerning 9% in 2022.