Ransomware Is About to Get Worse. Much Worse.

If your organization got hit with ransomware, what would you do? Would you pay the ransom?

As ransomware attacks once again take center stage in cybersecurity, more and more organizations are opting to pay the ransom: 91% of security and IT decision makers surveyed on behalf of ExtraHop say they made at least one ransom payment in 2023, up from 83% in 2022, according to the 2024 Global Cyber Confidence Index.

At the same time, the number of organizations refusing to make ransom payments is rapidly dwindling, from 28% in 2022 to 17% in 2023 to 8% in 2024.

It would be easy to conclude from these numbers that organizations remain unprepared for a ransomware attack and lack the operational resilience to rapidly recover without having to pay the ransom. Why else would they be so quick to wire multi-million-dollar payments to known cybercriminals?

At ExtraHop, we think the increase in the number of organizations paying ransoms and the corresponding decrease in the number of organizations refusing to pay speaks as much to other dynamics–specifically, to changes in ransomware business models, ransomware attack outcomes, and regulation–as it does to what may or may not be a systemic lack of preparedness.

Organizations are making a fiduciary decision to pay the ransom because the ransom payment in many cases will cost less than the fine they have to pay when regulators find out about the breach. As ransomware actors threaten to destroy organizations’ data and either leak it online or expose the breach to regulators, the ransom payment effectively functions as hush money designed to keep the incident out of the public eye.

Consider the size of the payments that ransomware actors have been demanding: UnitedHealthcare allegedly paid the BlackCat ransomware gang $22 million, $3 million less than the $25 million minimum GDPR fine. Typically, ransomware payments don’t exceed seven figures: 21% of ransomware payments fell within the $1 million to $5 million range, with the average payment hitting $2.5 million, according to the 2024 Global Cyber Confidence Index.

Even though paying the ransom has become more acceptable (despite admonitions to the contrary from the White House), there’s no guarantee doing so will keep companies out of regulatory hot water, nor is there any guarantee companies will get their data back intact and that it won’t end up on the dark web. Moreover, research has repeatedly shown that organizations that pay the ransom once are likely to get hit again.

If you think the ransomware situation is bad now, it’s going to get worse. As 2024 wears on, the general election in the US approaches, and global geopolitical tensions continue to escalate, cybersecurity and cyberwarfare experts predict intensifying ransomware attacks. So here’s our unsolicited advice:

1. Think like an attacker - Ransomware actors’ attack techniques are well documented across the MITRE ATT&CK framework, the DFIR report, and many other sources. Familiarize yourself with their tradecraft so you can proactively hunt for these threats, not just on your endpoints, but across your network.
2. Expand your visibility - Proactive threat hunting and detection on the network demands visibility into your organization’s east-west traffic, including encrypted network traffic. Consider deploying a sensor on your network in places where you don’t have good EDR coverage to augment your visibility.
3. Capture packets - Nothing compares with full packet capture (PCAP) to get to the ground truth of what’s happening on your network. Not only can full PCAP help you pick up on early-stage attacker behaviors that can’t be detected through other tools; it also provides you with immutable forensic data to speed investigation, remediation, and recovery.
4. Implement resiliency plans - Simulate an attack and determine what it would take to keep your organization going in the event of a ransomware attack.

Look, as an industry and a community of defenders, we can and will get through this. Collectively, we have good tech that keeps getting better, and more importantly, we have resourceful, passionate, hard working people. That’s why, against all odds, we remain optimistic and why we suspect respondents to this year’s Cyber Confidence Index study remain confident in their organization’s ability to manage ransomware, their biggest cyber risk.

Download the report.