Fewer ransomware attacks encrypting data, new report finds

Dive Brief:

  • Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday.
  • Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
  • Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.

Dive Insight:

Ransomware has remained a major threat to businesses for years, but cybercriminals’ tactics have shifted over time. The new report highlights one of the most significant examples of that evolution: the decline in data encryption as part of a ransomware attack.

The 50% figure that Sophos found this year is a stark decline from last year, when 70% of attacks involved data encryption. This finding suggests that “organizations are more capable of stopping attacks before the encrypted payload is deployed,” according to Sophos. Encryption most seriously affected large organizations (3,001-5,000 employees), which experienced the problem in 65% of attacks. That may be due to their size making it more difficult to detect and block encryption attempts, according to Sophos.

While encryption declines in popularity, extortion-only attacks are on the rise. The number of such cyberattacks doubled this year, to 6%, according to the report. Smaller organizations were more likely to face this kind of attack — 13% of companies with 100-250 employees reported experiencing one, compared to 3% of companies with 3,001-5,000 employees.

Allan Liska, a threat intelligence analyst and ransomware expert at Recorded Future, told Cybersecurity Dive that Sophos’ report largely matched his own company’s findings about attack trends — with one notable exception. Sophos found that ransomware actors most commonly accessed victims’ systems by exploiting software vulnerabilities, but according to Liska, “Most reporting has listed leaked/stolen credentials as the initial attack vector.” 

Sophos found that the percentage of attacks beginning with credential compromises dropped from 29% last year to 23% this year. Liska noted that different research firms “have different views into the attack surface.”

Ransomware attacks have lasting human consequences, as Sophos’ report highlighted. The company found that 41% of IT and cybersecurity workers experienced more stress or anxiety about future attacks after responding to one. 

“This is not unexpected, but it’s often not accounted for in incident response plans,” Recorded Future’s Liska said. “Organizations should be thinking about how they are going to help incident responders deal with the stress of recovering from an attack.”

