Almost all (97%) orgs report ransomware to police, but results may vary

Police might help, but place more faith in backups.

Virtually every organization hit with ransomware called the cops or the government last year, but the level of support they can expect in return remained mixed, according to security firm Sophos’s 2024 State of Ransomware report.

The annual survey, released in April 2024, found 97% of respondent organizations that reported being hit with ransomware in the last year globally had contacted either police or an official government body of some kind. While around six in 10 said they had received advice on how to deal with the attack and/or assistance with their investigation, just four out of 10 said they had received help recovering data.

John Shier, field CTO of threat intelligence at Sophos, told IT Brew that near-universal reporting by entities hit with ransomware is likely related to escalated efforts by governments the world over to combat cybercrime.

“Since we are seeing takedowns and indictments, and in very few cases, unfortunately, some actual arrests of individuals, I think people are saying that and going, ‘OK, well let’s be part of that,’” Shier said.

New regulations, such as the Securities and Exchange Commission’s mandate that publicly traded US companies disclose material cyber incidents, have likely also played a role.

“If you’re in an industry or in a country that requires notification for these kinds of things, then you’re more likely to do that to stay on the right side of the law,” Shier added.

Of the 3% of organizations that did not contact authorities, 27% said they didn’t do so because they anticipated negative impacts like fines, charges, or extra work, which Shier said “signals to me they are trying to hide” from regulatory obligations. Other common reasons included a perception that there wouldn’t be any benefit to disclosure or that authorities wouldn’t be interested in the attack, categories where Shier said the tide is clearly turning.

Sophos didn’t survey the respondents on how extensive or helpful the assistance from authorities was. Shier said that while advice on dealing with the attack could refer to anything from remediation to generalized security tips, investigative work by police often mirrors that provided by cyber incident response services.

“If you can determine which systems were compromised, then you know, at least, which ones you need to rebuild or restore, and that gives you some insight into the recovery effort that’s required,” he said.

Another major takeaway was that over one-half (56%) of organizations that had data encrypted admitted to paying a ransom to retrieve a decryption key, the first time since the survey began in 2020 that the percentage has exceeded one-half. Almost seven in 10 (68%) reported using backups for restoration, while 26% reported using “other means” to retrieve data.

Respondents said 94% of attacks involved attempts to compromise backups, and 57% of the time, the attackers were successful. Just over two-thirds (67%) of organizations with compromised backups paid the ransom, as opposed to just 36% of those whose backups remained safe. Almost one-half of organizations with unaffected backups were able to recover within a week, as opposed to just a quarter of those without.

“Broadly speaking, if you are hit by ransomware where they encrypt your data, there are two ways to recover. One is to restore from backup,” Shier said. “And the other is to acquire the decryption key, whether that’s through law enforcement, or paying the ransom, or through other means, if you can figure it out.”

“Having those comprehensive, tested backups is absolutely crucial for any organization, really in any kind of data recovery scenario, but specifically for ransomware because it can save your bacon in the end.”
