Latest Survey Spotlights Top Causes of Ransomware
Unpatched vulnerabilities, phishing/malicious emails, and stolen credentials are leading causes of ransomware
The latest ransomware survey confirms what previous surveys and studies have shown—that the leading causes of ransomware remain unchanged in recent years. In addition to revealing more about the root causes, the survey conducted by Sophos in January and February 2024 and released in April offers new insights into the size of ransom demands, who pays the ransoms, and how much they pay. Still, the important lessons lie in the root causes of ransomware, for those smart enough to learn from them.
Growth of Ransomware
Ransomware is a form of malware that encrypts files on a device (or in a network or system) and renders them unusable unless a ransom is paid to decrypt and restore the files. These extortion schemes cost organizations in the U.S. and globally millions of dollars, primarily to recover their ransomed data and resume business operations. The best defense is to backup data frequently and test the backups to ensure the data will be accessible when you need it.
More than 317 million ransomware attempts occurred in 2023. Attempts have risen steadily since 2017, apart from the spikes during the peak of COVID, when cybercriminals of all types were hyperactive. And while not all attempts are successful, ransomware remains a lucrative business that continues unabated year after year.
In another measure of ransomware growth, research firm Statista noted that organized extortion groups offering Ransomware as a Service grew from 19 in the first quarter of 2021 to 31 groups in the first quarter of 2022—an increase of almost two thirds in just 12 months. Again, this surge occurred during the peak of COVID when cybercrime was mushrooming in the void.
For more than a decade, the FBI has advised against the payment of ransoms in an effort to check the growth of ransomware. More recently, federal and state legislation has been enacted to compel more effective cybersecurity behaviors among government entities and the organizations who work with them. These new laws include promptly reporting ransomware attempts and incidents and prohibiting government entities from paying ransoms.
Cybercriminals Encrypt Data to Force Payment
Data encryption is the primary method used by cybercriminals to deny organizations access to their data pending payment of a ransom. According to the Sophos survey, the great majority of ransomware attacks (70%) in the past year resulted in data being encrypted and rendered inaccessible to the victim organization. Over the past five years, data has been encrypted in an average of 68% of ransomware exploits per year.
What occurred during the other incidents? Across the same five-year period, an average of 28.4% of ransomware attempts were stopped before data was encrypted. Most often, early detection by the targeted organization helped to thwart the attack and mitigate the outcome.
For the same period, an average of 4% of attacks still held data for ransom, although the data had not been encrypted. Sometimes the threat of having one’s sensitive data sold on the dark web is more than enough to compel a ransom payment.
The Top Causes of Ransomware
The Sophos Ransomware Survey mines a rich vein of information, not the least important being the causes of ransomware attacks. Virtually all victim organizations surveyed (99%) were able to identify the root cause of the attack.
Exploited Vulnerabilities. For two years running, exploited vulnerabilities were the most commonly identified front doors. In far too many cases, these vulnerabilities existed because software had not been patched, even though patches normally include security updates that address known vulnerabilities. This negligence continues to open the doors to data breaches of all kinds, including ransomware. “Larger organizations are more likely to experience an attack that starts with an unpatched vulnerability,” notes the Sophos report.
According to the latest Verizon Data Breach Investigations Report, analysis of the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) revealed that it takes organizations an average of 55 days to remediate just half of their critical vulnerabilities once software patches are made available. That’s almost two months for an IT team to find time to install 50% of all critical security updates to software applications used by their organizations. With unpatched vulnerabilities consistently among the top three causes of ransomware and other data breaches across the board, it is hard to imagine what more important tasks could be keeping IT teams from prompt and thorough software patching.
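The "55 days to remediate half" figure above is a median time from patch availability to remediation. An organization can track the same metric for its own estate, together with the share of findings closed within an internal target and the open findings that have exceeded it. The following is an added example, not code from the article, Verizon or Sophos; the 30-day SLA, host names and vulnerability identifiers are constructed placeholders, not real CVEs.

```python
"""Patch-remediation metrics over a list of critical findings.

Added illustration with constructed data; SLA_DAYS is an assumed internal
target, not a figure from the survey.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SLA_DAYS = 30  # assumed internal target for critical patches


@dataclass
class Finding:
    host: str
    vuln_id: str                       # placeholder identifier, not a real CVE
    patch_available: date              # date the vendor fix became available
    remediated: Optional[date] = None  # None means the host is still unpatched


def remediation_report(findings: list[Finding], as_of: date) -> dict:
    """Summarise how quickly critical findings were patched, as of `as_of`.

    Reports the fraction remediated, the median days from patch availability
    to remediation (the "time to remediate half"; None if nothing was closed),
    the fraction of all findings closed within SLA_DAYS, and the open
    findings that have exceeded the SLA.
    """
    closed = [(f.remediated - f.patch_available).days
              for f in findings if f.remediated is not None]
    overdue = [f"{f.host}:{f.vuln_id}" for f in findings
               if f.remediated is None
               and (as_of - f.patch_available).days > SLA_DAYS]
    within = sum(1 for d in closed if d <= SLA_DAYS)
    total = len(findings)
    return {
        "total": total,
        "remediated_fraction": len(closed) / total if total else 0.0,
        "median_days_to_remediate": median(closed) if closed else None,
        "within_sla_fraction": within / total if total else 0.0,
        "overdue_open": overdue,
    }


# Constructed sample findings (not survey data).
SAMPLE = [
    Finding("web-01", "VULN-A", date(2024, 1, 2), date(2024, 1, 10)),   # 8 days
    Finding("web-02", "VULN-A", date(2024, 1, 2), date(2024, 2, 20)),   # 49 days
    Finding("db-01", "VULN-B", date(2024, 1, 15), date(2024, 3, 1)),    # 46 days
    Finding("db-02", "VULN-B", date(2024, 1, 15)),                      # still open
    Finding("vpn-01", "VULN-C", date(2024, 3, 1), date(2024, 3, 5)),    # 4 days
    Finding("vpn-02", "VULN-C", date(2024, 3, 1)),                      # open, inside SLA
]


def sample_report() -> dict:
    """Run the report on the constructed sample as of 15 March 2024."""
    return remediation_report(SAMPLE, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Feeding the report real scanner exports turns the survey's industry-wide average into a number the IT team is measured against; a rising median or a growing overdue list is the early signal that the front door described above is standing open.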
Compromised Credentials. Lost or stolen login credentials, including user names and passwords, rank consistently among the top three causes of ransomware and other data breaches. This threat is the primary driver of the implementation of multifactor authentication (MFA) among organizations large and small. It’s a bit of a chicken-and-egg question, however, since very often those credentials are stolen as the result of a data breach or phishing exploit.
Email Exploits. Malicious emails and phishing emails were identified as the root cause of 34% of ransomware attacks. This is up slightly from 31% the previous year. Malicious emails deliver malware through embedded links or attachments, and often seem completely innocent to the untrained employee. Phishing schemes also rely heavily on email messages designed to trick readers into revealing information they shouldn’t share, such as login credentials or account numbers and passwords.
According to a Cyber Resilient Organization Study published by IBM in 2021 based on survey data from the Ponemon Institute, organizations who experienced a ransomware attack reported that in 45% of cases it was the result of a phishing or other social engineering scheme.
Another 22% pointed to employee visits to unsecured or spoofed websites. Labeled “Download” in the Sophos chart above, drive-by downloading occurs when an unsuspecting user visits an infected website, thereby triggering the installation of malware on the user’s device without their knowledge. Depending on how a network is configured, an infection on one device can quickly affect others.
Ransom Demands and Payments
According to the Sophos survey, ransomware victims rarely pay the initial sum demanded by the attackers. Fewer than one third of organizations (31%) reported paying the original ransom demand.
And while nearly one quarter paid a sum greater than the original demand (24%), the majority negotiated their ransoms and paid less than the original demand (44%).
Two industry sectors (Business and Professional Services, and Financial Services) proved most likely to negotiate a reduced ransom payment, with two thirds (67%) noting they paid less than the original demand. Similarly, 65% of victims in the Manufacturing and Production sector paid less than the original demand.
Conversely, two sectors (Education, and Healthcare) paid more than the original demand. Specifically, two thirds of higher education institutions paid more (67%), 57% of healthcare organizations paid more, and 55% of lower education organizations paid more than the original demand.
The Sophos report speculates that perhaps these latter industries are less able to access professional ransom negotiators to help reduce their costs or may feel more pressure to recover the data regardless of cost due to their more public nature.
In any case, ransomware attackers seem open to payment negotiations.
Although nearly two thirds of ransomware attacks (63%) demand $1 million or more in payment, a group called Dark Angels is becoming known for stealing enormous volumes of data from large organizations and extorting equally enormous payments for its recovery. According to reports, this summer Dark Angels collected more than $50 million in ransom from Johnson Controls, a multinational conglomerate headquartered in Ireland.
Dark Angels is unique in operating alone, keeping a low profile, targeting one organization at a time, and preferring massive data theft over business disruption, according to several security articles. To prove they’re serious, the group operates a site called Dunghill where the data of uncooperative victims can be readily offered for sale.
Summary
Ransomware continues to pose serious threats to businesses and governments of all sizes and types as cybercriminals organize for greater impact and profit. Exploiting unpatched vulnerabilities and leveraging phishing and other malicious email schemes are the leading causes of ransomware attacks.
More than 317 million ransomware attempts occurred in 2023, and an average of 68% of attacks in the past five years have seen data encrypted as part of the ransom process. Unless sensitive information has been backed up and tested routinely, facing the payment of a ransom to decrypt your organization’s data is enough to create alarm in the most seasoned C-Suite. Organizations that fail to learn how to defend against ransomware and fall victim to this preventable crime must continue to make their own decisions for dealing with it.