
Ransomware has evolved into one of the most devastating cyber threats of modern times, creating previously unimaginable financial and operational hardships for entities in every sector. As malicious actors employ increasingly sophisticated tools, honing their tactics and spreading their tentacles, understanding the key trends, targeted industries, and financial impact is at the heart of successfully mitigating risks.
With this in mind, the Cyentia Institute, a data-driven cybersecurity research company, has released its Information Risk Insights Study on Ransomware, which offers a detailed analysis of the frequency and impact of ransomware events. To compile the report, the company used a vast dataset containing more than 14,000 ransomware events that made up over a billion data records and led to projected financial losses topping a staggering $270 billion over the last five years.
In this blog, we'll look at some of the key findings of this report.
Attacks Vs. Incidents
The report makes a clear distinction between ransomware attacks (attempts detected and blocked by defenses) and ransomware incidents (successful breaches causing operational or financial harm). This ensures that the findings reflect the true impact of ransomware rather than the volume of attack attempts alone.
Financial losses were adjusted for inflation, and statistical modeling was used to estimate the total economic impact, even for incidents where precise costs were not reported.
Ransomware Incidents: Low Frequency, High Impact
While firms may experience frequent ransomware attack attempts—often dozens or even hundreds per month—only a fraction result in successful incidents. These incidents, however, cause disproportionate financial and operational harm:
- Ransomware costs outstrip other cyber events: The geometric mean loss for ransomware incidents is $1.4 million, over 12 times the average loss for non-ransomware events.
- Extreme financial impact: At the 95th percentile, ransomware-related losses soar to $50 million, compared to $22 million for other types of incidents.
- Rising costs: The 25th percentile loss for ransomware in 2023 matched the typical loss in 2019, highlighting the growing economic burden of these attacks.
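The statistics quoted above (a geometric mean, a 95th percentile, an inflation-adjusted comparison across years) are the right tools for a heavy-tailed loss distribution, where a handful of very large incidents would swamp an ordinary arithmetic mean. The following Python example, added here and not part of the Cyentia report, shows why by computing all of these over a constructed sample of nine incident losses; the price index it uses for the inflation adjustment is a placeholder, not a real CPI series.

```python
import math
import statistics

# Constructed price index used only to illustrate the inflation adjustment;
# these are placeholder values, not a real CPI series.
PRICE_INDEX = {2019: 100.0, 2020: 101.2, 2021: 106.0, 2022: 114.5, 2023: 119.2}


def to_constant_dollars(amount, year, base_year=2023, index=PRICE_INDEX):
    """Restate a loss recorded in `year` in `base_year` dollars."""
    return amount * index[base_year] / index[year]


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile: the smallest sample value with at least
    pct% of the sample at or below it (no interpolation)."""
    ordered = sorted(values)
    rank = math.ceil(pct / 100 * len(ordered))
    return ordered[max(rank, 1) - 1]


def summarize_losses(losses):
    """Summary statistics for a heavy-tailed loss sample.

    The geometric mean (exp of the mean log loss) tracks the 'typical'
    incident; the arithmetic mean is pulled upward by the largest losses."""
    return {
        "n": len(losses),
        "arithmetic_mean": statistics.fmean(losses),
        "geometric_mean": statistics.geometric_mean(losses),
        "median": statistics.median(losses),
        "p95": nearest_rank_percentile(losses, 95),
    }


# Constructed sample: nine incident losses in millions of USD, spread
# roughly log-uniformly so that one or two incidents dominate the total.
SAMPLE_LOSSES_MUSD = [0.25, 0.5, 1, 2, 4, 8, 16, 32, 64]

if __name__ == "__main__":
    summary = summarize_losses(SAMPLE_LOSSES_MUSD)
    for key, value in summary.items():
        print(f"{key:>16}: {value:,.2f}")
    # A $1.0M loss recorded in 2019, restated in (placeholder) 2023 dollars.
    print("2019 loss of $1.0M in 2023 dollars:",
          round(to_constant_dollars(1.0, 2019), 3))
```

On this sample the geometric mean and the median both land at $4M while the arithmetic mean is above $14M, which is the gap the report's choice of the geometric mean is meant to avoid. The same percentile function is what you would use to reproduce the "25th percentile in 2023 equals the typical loss in 2019" comparison on real incident data, after restating every loss in the same base-year dollars.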
The Total Economic Impact of Ransomware
The financial impact of ransomware has reached staggering levels. Using statistical modeling to estimate losses for incidents without reported costs, the total global impact of ransomware over the past five years is estimated at $276 billion, with $95 billion in 2023 alone - a figure Cyentia expects to climb even higher as new data comes out.
These numbers highlight ransomware's ability to inflict economic harm on a scale that rivals natural disasters.
Targeted Industries: Uneven Impacts
Certain sectors bear a disproportionate share of ransomware's financial toll. The data shows that ransomware accounts for the majority of cyber-related losses in industries where operational disruptions are particularly damaging:
- Transportation, Education, and Manufacturing: Ransomware accounts for ~80% of all reported cyber losses in these sectors.
- Healthcare and Hospitality: These sectors also report significant financial impacts, reflecting the high-stakes environments in which they operate.
- Financial and Professional Services: While these sectors report fewer ransomware incidents, they remain high-value targets due to the sensitive data they handle.
Midsize entities ($100M–$1B in revenue) face the highest proportional ransomware losses, with ransomware accounting for 50% of their cyber-related costs. Mega-corporations ($100B+) are less affected proportionally, with ransomware representing less than 1% of their losses.
Ransomware Campaigns and Active Groups
The report compiled a list of the most frequently identified ransomware from the core incident dataset.
The list covers incidents that occurred between 2019 and 2023, featuring a mix of ransomware gangs and strains. Some of these are no longer active, while others have fluctuated in terms of activity over time.
It's important to remember the nature of the dataset: it is based on events that impacted individual entities, not on campaigns, malware detections, variant counts, ransom payments, or simple infections that were dealt with internally. The incidents listed here were significant enough to be publicly reported.
Additionally, multiple factors contribute to the prevalence of ransomware observed in this dataset. For instance, the prominence of the Cl0P (also known as CLOP, TA505) ransomware gang can largely be attributed to its exploitation of the widely known "MOVEit" vulnerability in 2023. Such attacks are more scalable, affecting a broader range of targets compared to more specific, targeted campaigns.
The top groups, by number of incidents in the dataset, were:
- Cl0P: 1,840
- LockBit 3.0: 978
- Conti: 711
- ALPHV/BlackCat: 573
- LockBit: 529
- REvil/Sodinokibi: 353
- Black Basta: 303
- LockBit 2.0: 301
- Play: 231
Top Techniques: How Ransomware Operators Succeed
The MITRE ATT&CK framework is widely adopted as a standard for detailing adversary tactics, techniques, and procedures (TTPs) in cybersecurity. Its main advantage lies in offering accessible definitions, examples, and related resources on threat groups, malware, and mitigations. However, public reports of security events often lack detailed ATT&CK mappings, which usually require digital forensic evidence.
Using analytical methods, Cyentia mapped more than 40% of the ransomware incidents in its dataset to ATT&CK techniques. These fall into three phases:
Initial Access
Adversaries often rely on phishing and exploiting vulnerabilities in public-facing applications to breach environments. Exploiting applications tends to cause more severe financial losses than phishing. Attacks that exploit trust relationships with third parties are less frequent but generally cause greater damage, because they ride on connections the victim already trusts.
Post-Compromise
After gaining initial access, malefactors typically escalate privileges and move laterally across the network. The top post-compromise techniques involve persistence, evading detection, and establishing command and control channels. These techniques are widely used by many ransomware groups due to their effectiveness and the patterns established by earlier successful attacks.
Exfiltration and Impact
Ransomware attackers typically aim to encrypt data for extortion, but more and more, they are using data exfiltration to carry out double or triple extortion. These attacks often target system recovery capabilities to prevent victims from easily restoring operations, thereby ensuring greater financial and operational impact. Additionally, attackers may disrupt defensive systems to prolong the attack and increase the pressure on victims.
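The three-phase view above is straightforward to reproduce on your own incident data once each incident carries a list of observed ATT&CK technique IDs. The Python example below, added here and not taken from the report, assigns each technique to a phase by its ATT&CK tactic, counts how many incidents touch each phase, and compares losses by initial-access technique. The technique IDs and tactics are real Enterprise ATT&CK entries; the grouping of tactics into the report's three phases is my own reading of the text, and the six incident records are constructed, not drawn from the Cyentia dataset.

```python
import statistics
from collections import Counter, defaultdict

# Real Enterprise ATT&CK technique IDs, names and primary tactics.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1190": ("Exploit Public-Facing Application", "initial-access"),
    "T1199": ("Trusted Relationship", "initial-access"),
    "T1068": ("Exploitation for Privilege Escalation", "privilege-escalation"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1562": ("Impair Defenses", "defense-evasion"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
    "T1490": ("Inhibit System Recovery", "impact"),
}

# Assumed grouping of ATT&CK tactics into the report's three phases.
PHASE_OF_TACTIC = {
    "initial-access": "Initial Access",
    "privilege-escalation": "Post-Compromise",
    "lateral-movement": "Post-Compromise",
    "persistence": "Post-Compromise",
    "defense-evasion": "Post-Compromise",
    "command-and-control": "Post-Compromise",
    "exfiltration": "Exfiltration and Impact",
    "impact": "Exfiltration and Impact",
}

# Constructed incident records (not from the report): technique IDs observed
# per incident and the reported loss in millions of USD. An empty technique
# list stands for an incident whose public reporting allowed no mapping.
INCIDENTS = [
    {"id": "inc-01", "techniques": ["T1566", "T1547", "T1071", "T1486"], "loss_musd": 0.8},
    {"id": "inc-02", "techniques": ["T1190", "T1068", "T1021", "T1041", "T1486"], "loss_musd": 6.0},
    {"id": "inc-03", "techniques": ["T1566", "T1486"], "loss_musd": 1.2},
    {"id": "inc-04", "techniques": ["T1190", "T1021", "T1562", "T1490", "T1486"], "loss_musd": 12.5},
    {"id": "inc-05", "techniques": ["T1199", "T1041", "T1486"], "loss_musd": 20.0},
    {"id": "inc-06", "techniques": [], "loss_musd": 0.3},
]


def phase_of(technique_id):
    """Phase an ATT&CK technique belongs to, via its tactic."""
    _name, tactic = TECHNIQUES[technique_id]
    return PHASE_OF_TACTIC[tactic]


def mapped_fraction(incidents):
    """Share of incidents that could be mapped to at least one technique."""
    mapped = sum(1 for inc in incidents if inc["techniques"])
    return mapped / len(incidents)


def incidents_per_phase(incidents):
    """Number of incidents with at least one technique in each phase."""
    counts = Counter()
    for inc in incidents:
        for phase in {phase_of(t) for t in inc["techniques"]}:
            counts[phase] += 1
    return dict(counts)


def loss_by_initial_access(incidents):
    """Geometric mean loss for each initial-access technique observed."""
    losses = defaultdict(list)
    for inc in incidents:
        for t in inc["techniques"]:
            if TECHNIQUES[t][1] == "initial-access":
                losses[t].append(inc["loss_musd"])
    return {t: statistics.geometric_mean(v) for t, v in losses.items()}


if __name__ == "__main__":
    print(f"mapped: {mapped_fraction(INCIDENTS):.0%} of incidents")
    for phase, n in incidents_per_phase(INCIDENTS).items():
        print(f"{phase:>24}: {n} incidents")
    for t, gm in sorted(loss_by_initial_access(INCIDENTS).items(), key=lambda kv: kv[1]):
        print(f"{t} {TECHNIQUES[t][0]:<36} geometric mean loss ${gm:.2f}M")
```

Because a single incident usually spans several phases, the per-phase counts are counts of incidents touching a phase, not a partition, so they will not sum to the incident total. The per-technique loss comparison uses the same geometric mean the report uses, which is what makes "exploitation costs more than phishing" a statement about typical incidents rather than about one outlier.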
Mitigation
The report advises entities to follow guidance from StopRansomware.gov for prevention, mitigation, and response strategies, including sector-specific advice and no-cost resources.
Additionally, addressing vulnerabilities in widely used software is crucial. Initiatives like CISA's Secure by Design aim to reduce vulnerabilities by promoting secure software development practices. This would reduce common defects, improve product safety, and lower the chances of successful ransomware attacks.
The Road Ahead
Ransomware is not just a cybersecurity challenge; it is a business risk with far-reaching implications for reputation, compliance, and financial stability. As malefactors continue to innovate and expand their reach, organizations must remain vigilant, leveraging insights from incident data to refine their defenses and response strategies.
Collaboration across industries, governments, and cybersecurity vendors and practitioners will be key to limiting ransomware's impact and building resilience in an increasingly digital world.
Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.