The moral dilemma of ransomware: To Pay or Not to Pay?
  • Korea IT Times
  • Approved 2023.04.03 11:46

By David Carvalho, CEO and Co-Founder, Naoris Protocol

Ransomware attackers reportedly extorted $456.8 million from victims in 2022, a 40% decrease from the previous year's $765.6 million. However, celebrating the decrease in the number of successful attacks is premature, given the changing tactics of attackers. The recent hack of Euler Finance, where $135 million in staked Ether tokens (stETH) was drained from the protocol, is an example of these evolving attack methods.

A recent poll by Naoris Protocol, a decentralized cybersecurity platform, reveals that 70.8% of respondents would not pay the ransom and would instead report the attack to relevant authorities. However, only 42% of companies that fall victim to ransomware attacks actually report them. It is easier to take the moral high ground when the question is theoretical, but when faced with the reality of a ransomware attack, businesses may be more reluctant to take a moral stance, considering the potential costs in terms of business, brand, and reputational damage.

Of the remaining respondents in the Naoris Protocol poll, 16.55% said they would not pay the ransom or report the attack and would instead rely on backups to restore data. However, research indicates that only 57% of businesses are successful in recovering data from backups. In addition, more than a third of companies that paid a ransom to retrieve their data were targeted a second time and charged even more than the first attack, with 41% failing to recover all of their data.

Ransomware attacks are evolving, and attackers are resorting to “double extortion” tactics, where they threaten to sell the data if the ransom is not paid. They also use Denial of Service attacks and harassment via email or phone. The number of ransomware payouts has decreased, but the average ransomware amount is increasing, with the average ransom demanded in 2021 being approximately $2.2 million, a 144% increase from the average demand of $900,000 from cases analyzed in 2020.

It is challenging to estimate the number of successful ransomware attacks, given the opacity and inconsistency in reporting. However, it is estimated that between May 2021 and June 2022, there were 3,640 successful ransomware attacks globally. Roughly 73% of organizations have suffered at least one ransomware attack in the past 24 months, and 60% of companies admitted that cybercriminals had been working inside their company for up to 6 months before the attack.

It is worth noting that the makeup of sample audiences in cybersecurity surveys can vary widely, potentially biasing some results. Surveying a group of enterprise CEOs versus an SME cohort would present material variances in the way they approach cybercrime.

One issue that is not being addressed is what happens to the stolen data. Criminals will still have the files and could sell the information on the dark web with impunity. Ultimately, even if a company that has been subjected to an attack gets their data back and manages to avoid reputational damage by not reporting it, their clients and networks will still pay the price of the breach. Worse still, they may not even know their data is in the hands of criminals.

While it is ethically wrong, it is understandable why companies do not want to reveal that they have been a victim of an attack.

