From the outside, it can be challenging to understand how cyber threats evolve, especially a threat as volatile as ransomware. For our Cyber Claims Report, we observe how claims change over time to understand the frequency of incidents and their financial severity.
While the return of ransomware was the “hot topic” in 2023, businesses must be mindful that the threat landscape is never static. Remember: An upward trend in one specific attack method doesn’t mean a cyberattack is imminent, and, conversely, a downward trend doesn’t mean the threat has disappeared. Instead of focusing on preventing a particular headline-grabbing attack, organizations should focus on taking proactive steps to mitigate potential losses from various types of cyber threats.
Now that I’ve stated the obvious, let’s dive into how ransomware has evolved in 2023.
Ransomware Rebounded in 2023
In the first six months of 2023, ransomware frequency increased by 27% from the second half of 2022. The largest contributor to this spike was the massive increase during May, which marked the most ransomware claims in a single month in Coalition history. In fact, ransomware was the largest driver of the overall increase in claims frequency that Coalition observed this half, accounting for 19% of all reported claims.
Ransomware claims severity also reached a record high in 1H 2023, with an average loss of more than $365,000. This spike represents a 117% increase within one year. Unsurprisingly, the average ransom demand increased alongside more frequent and severe attacks. The average ransom demand in the first half was $1.62 million, a 74% increase over the past year.
Claims frequency increased for all revenue bands, but businesses with more than $100 million in revenue saw the largest increase at 20%. Businesses with more than $100 million in revenue were also hit the hardest, experiencing a 72% increase in claims severity.
Contributors to the Return of Ransomware
Ransomware activity constantly rises and falls, but looking back at the first half of the year, we can see clear factors behind the spike. For example, in April 2023, Coalition alerted policyholders to the increased risk of Royal Ransomware, which ended up accounting for 12% of reported ransomware claims in 1H 2023. According to Coalition Incident Response (CIR), Coalition’s affiliate incident response firm, this sophisticated malware strain saw increased activity in the first half of the year, with associated ransom demands of up to $2 million.
Multiple cases associated with this variant involved the use of an unpatched, end-of-sale firewall appliance, highlighting the importance of establishing a regular patch cadence and deprecating legacy technologies.
The Cl0p ransomware gang was also especially active this half, capitalizing on what started as one zero-day vulnerability in MOVEit. Cl0p compromised hundreds of organizations globally — notably using only data exfiltration and not data encryption — and published the data through the Cl0p ransomware leak site. Recorded incidents related to MOVEit peaked in June. While the influx of incidents has now slowed to near-zero among Coalition policyholders, many organizations will likely find themselves indirectly impacted via third-party usage of the MOVEit vulnerability, given the breadth of the Cl0p victim list.
3 Things Businesses Can Do
There are three crucial steps that businesses can take to minimize their exposure, reduce vulnerabilities, and, ultimately, prevent the financial impact of an attack.
Consistently create offline backups of important data.
Regularly patch all software and firmware.
Reduce their overall attack surface.
First, it’s critical for businesses to maintain credible offline backups of their most sensitive and important data. When attackers attempt to hold a business for ransom, they are really threatening to leak confidential customer information or steal valuable information, such as intellectual property. By implementing and testing offline backups, restoration becomes possible without paying a hefty demand.
The second step is for organizations to consistently patch all the software and firmware they use. A regular patching cadence, combined with timely alerts, can help organizations act quickly and prioritize their response to critical vulnerabilities. Among Coalition policyholders, businesses with one unresolved critical vulnerability were 33% more likely to experience a claim. This patching cadence is especially important because ransomware gangs tend to take advantage of outdated software by exploiting old bugs.
Sometimes, especially with a zero-day vulnerability, a patch or update isn’t yet available. That’s why the third key step that organizations must take involves reducing their overall attack surface. This includes deprecating legacy and risky technologies. End-of-life (EOL) software, or technology no longer supported and updated by the vendor, can signal to cyber attackers that a business has weak security. Coalition policyholders using EOL software were three times more likely to experience a cyber claim in 2022.
Organizations should also deprecate or remove risky technologies from the Internet, such as those with known vulnerabilities; for example, the guidance for remediating the MOVEit vulnerability was to remove it from the Internet or put it behind a VPN. To reduce the likelihood of a cyber claim, businesses should avoid outdated software and technologies with a history of critical vulnerabilities when possible.
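The three steps above can be turned into a repeatable check rather than a one-off review. The script below is an added example, not Coalition's or CIR's code: it triages a small asset inventory against all three controls (a recent offline restore test, no unresolved critical vulnerabilities, and no end-of-life or Internet-exposed legacy technology), and it raises the severity of a gap when the asset is reachable from the Internet, since those are the systems attackers reach first. Every asset name, version, date and vulnerability count in it is constructed for illustration; the `assess`, `Asset` and `Finding` names are the example's own.

```python
# Added example (not Coalition's or CIR's code): a simple inventory triage that
# checks each asset against the three controls discussed above. Every asset,
# version, date and vulnerability count below is constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    version: str
    internet_exposed: bool                 # reachable from the Internet (not behind a VPN)
    eol_date: Optional[date]               # vendor end-of-life date; None while still supported
    open_critical_vulns: int               # unresolved critical findings from a vulnerability scanner
    last_backup_verified: Optional[date]   # last successful restore test from an offline backup


@dataclass
class Finding:
    asset: str
    severity: str   # "high" or "medium"
    control: str    # "attack surface", "patching" or "backups"
    detail: str


def assess(assets: List[Asset], today: date, backup_max_age_days: int = 30) -> List[Finding]:
    """Return findings ordered so that Internet-exposed gaps come first."""
    findings: List[Finding] = []
    for a in assets:
        # Exposure raises the severity of EOL and patching gaps: an unpatched or
        # unsupported system reachable from the Internet is the one attackers find.
        exposure_sev = "high" if a.internet_exposed else "medium"

        if a.eol_date is not None and a.eol_date <= today:
            findings.append(Finding(a.name, exposure_sev, "attack surface",
                                    f"version {a.version} is end-of-life since {a.eol_date}"))

        if a.open_critical_vulns > 0:
            findings.append(Finding(a.name, exposure_sev, "patching",
                                    f"{a.open_critical_vulns} unresolved critical vulnerability(ies)"))

        stale = (a.last_backup_verified is None
                 or (today - a.last_backup_verified).days > backup_max_age_days)
        if stale:
            findings.append(Finding(a.name, "medium", "backups",
                                    f"no offline restore test within {backup_max_age_days} days"))

    rank = {"high": 0, "medium": 1}
    # sorted() is stable, so one asset's findings keep their control order within a severity
    return sorted(findings, key=lambda f: (rank[f.severity], f.asset))


TODAY = date(2023, 6, 30)  # constructed assessment date


def sample_inventory() -> List[Asset]:
    """Constructed inventory: names, versions and dates are illustrative, not real vendor data."""
    return [
        Asset("edge-firewall", "5.6", True, date(2022, 12, 31), 1, None),
        Asset("file-transfer-gw", "2023.0", True, None, 1, date(2023, 6, 1)),
        Asset("hr-db", "12", False, date(2023, 1, 15), 0, date(2023, 6, 15)),
        Asset("wiki", "8.1", False, None, 0, date(2023, 6, 20)),
    ]


def run_sample() -> List[Finding]:
    return assess(sample_inventory(), TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.asset:17} {f.control:14} {f.detail}")
```

On the constructed inventory the exposed, end-of-life firewall with an open critical vulnerability and no verified backup lands at the top of the list, which is the same pattern the Royal Ransomware cases above describe. In practice the inventory would be fed from an asset-management or vulnerability-scanning export and the EOL dates from vendor lifecycle data; the ordering logic is what makes the three steps actionable week to week.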
Thinking About the Future
Even with the most top-notch security team, it’s impossible to stay 100% current on the latest threat trends. Ultimately, implementing a few vital best practices helps organizations cover their bases without tracking and planning for a specific attack type. Understanding how the landscape evolves — and keeping in mind that nothing is permanent — can help businesses of all sizes maintain cyber hygiene and potentially stay one step ahead of the next attack.