Report reveals lag in disclosure of ransomware attacks in 2023
Silobreaker has published its most recent research on ransomware trends, revealing a significant lag in the disclosure of attacks by organisations.
Named 'Ransomware? What Ransomware? 2024 Report Insights,' the study was unveiled by researchers Hannah Baumgaertner and Peter Kroyer Bramson during a detailed presentation.
Baumgaertner and Bramson outlined a comprehensive analysis of 922 ransomware attacks that occurred in 2023, showing that over 50% of affected organisations do not admit to an attack until it is already publicly known. Additionally, in cases where customer data is breached, there is an average 90-day delay before customers are informed.
Bramson noted an increase in non-disclosure practices, highlighting a trend where nearly half of the victims did not publicly acknowledge a ransomware attack at all in 2023. This is a marked increase from 2022, when nearly a quarter of the victims refrained from making such disclosures. "This represents quite a significant increase in non-disclosures because in 2022, nearly a quarter of victims did not provide a disclosure, which then increased to nearly half of victims in 2023," he stated.
The report also identified delays in public reporting and disclosures.
Bramson elaborated that public reporting of ransomware incidents happens, on average, 41 days after the initial attack, which is a slight improvement from the previous year's 46 days. Yet, this improvement is overshadowed by a decline in rapid reporting, with less than 5% of incidents being reported within a day of occurrence in 2023, down from nearly 9% in 2022.
Another notable finding is the increased exploitation of vulnerabilities by threat actors. Baumgaertner cited the 2023 attack on Progress Software's MOVEit managed file transfer program, which affected over 2000 companies worldwide, as a key example. "This attack is just a prime example of the kind of supply chain risk that comes with these ransomware attacks," she pointed out.
When analysing the sectors most frequently targeted, healthcare, education, and government were identified as the top three for 2023, similar to the previous year. However, education overtook the government sector this year. According to Baumgaertner, the likelihood of these sectors having poor security and a higher willingness to pay ransoms are contributing factors to their targeting. "The reason for the targeting of these three sectors is likely because there's a higher chance of the target having poor security, probably due to lack of funding, to implement these kinds of security measures, so they're easier to infiltrate," she said.
Baumgaertner also mentioned that Western countries, particularly the United States, continue to be primary targets for ransomware attacks. U.S. organisations are a popular target for "big game hunting" due to their substantial financial resources. "One of the main reasons that the US might be a popular target for ransomware actors is it's a good place for this so-called big game hunting that ransomware actors like to do," she added.
The research highlighted the evolving tactics of ransomware actors, with a shift towards vulnerability exploitation and data theft without encryption. Baumgaertner explained, "One of them is Ransom VC. They're well known to only steal data and then leak it. Other ransomware actors might still continue with encryption but use intermittent encryption, and that just shows that the main goal is no longer necessarily the encryption of data."
The data from this research underscores the importance of utilising open-source intelligence (OSINT) and monitoring dark web leak sites for a more accurate picture of the ransomware threat landscape. As Bramson noted, "Throughout our time looking at the leak sites, we have often observed that an actor will list the victim, and then a day after or some days after, a researcher writes about it."
The report concludes by recommending that organisations refine their cyber defence mechanisms and remain vigilant against emerging ransomware tactics. The study suggests that comprehensive patch management systems and thorough staff training on cybersecurity threats are necessary to mitigate the growing risks associated with ransomware attacks.