In 2023, the average ransomware demand from cyber criminals increased by 20% to $600 000 (R11 million).
This is according to Jason Oehley, regional sales director at cyber security firm Arctic Wolf, speaking yesterday at ITWeb Security Summit 2024.
Oehley cited findings from Arctic Wolf’s State of cyber security: 2024 trends report, based on a global survey the company commissioned from Sapio Research of over 1 000 senior IT and cyber security decision-makers from over 15 countries.
“What’s interesting is that in as much as it [$600 000] is a global figure, we see similar trends in our market in South Africa.”
He added that the other highlight of the report is that only 3.4% of the organisations reported being hit by zero-day attacks.
Of all the organisations that were breached, he said, 96% disclosed some aspect of the incident, while about 66% disclosed the breaches publicly.
“I can tell you that in South Africa, it’s a lot less. We’ve had some incidences in South Africa where the threat actors have actually exposed the companies after the breach. We are starting to see a different trend – 45% of the organisations that we spoke to admitted to being a victim of a ransomware attack within the last 12 months.”
Oehley noted that 91% of the reported ransomware attacks included a data exfiltration component, and 83% of the ransomware victims paid some or all of the ransom demanded by the cyber criminals.
“At Arctic Wolf, we recommend organisations never pay the ransom, but I fully understand the pain and extent of data breaches.”
Impact on productivity
Oehley added that 94% of those companies that suffered a ransom incident experienced significant downtime and delays in productivity, while 50% reported productivity impacts of four months to a year following the attack.
“That’s a massive cost implication for the business. For us, the CIOs [chief information officers] and CISOs [chief information security officers] making the board understand the relevance and the risks associated with these attacks is really important.”
Oehley also noted that 70% of the organisations that purchased an incident response (IR) retainer for their network acknowledged experiencing an incident that required them to utilise their retainer in the past 12 months.
Furthermore, 30% of the IR retainer customers indicated their need to utilise the retainer two or more times within the last 12 months.
“We also found that 53% of the survey respondents were most concerned about rising premiums and stricter requirements for maintaining coverage.
“If we break this down and look at our investigations by case type, the interesting thing is that business e-mail compromise outnumbers ransomware by 10 times. However, in the report the percentage is lower because companies do not usually report business e-mail compromise attacks.”
Across the continent of Africa, he said, the most prominent ransomware group was LockBit, a cyber criminal group offering ransomware-as-a-service. “We have had a lot of customers in South Africa who were affected by this.”
Looking at the ransomware demands by industry, Oehley said there was an overall increase of 20% across all industries last year.
In the healthcare industry, the demand was $275 000 in 2022 and jumped to $450 000 in 2023. For construction, it was $500 000 in 2023 ($375 000 in 2022), while the retail demand was $1.5 million in 2023 ($627 500 in 2022).
“We have to start looking at how can we address this, and how can we be proactive about this. Prevention is far better than cure and far more cost-effective.”
Vulnerable e-mail
Business e-mail compromise is quite easy for cyber criminals to execute and has proved successful for the bad actors. According to Arctic Wolf, this accounted for 29.7% of incident response cases last year.
“What’s interesting is that organisations don’t look for help when they are impacted by business e-mail compromise. They are 15 times less likely to ask for help than when they are impacted by a ransomware attack, even if it leads to the business facing challenges.
“The key thing to remember about business e-mail compromise is that it’s not about attacking you [an individual]; it’s about attacking a group, demographic or an area. Business e-mail compromise is happening more than you think.”
According to the research, the top industries targeted by business e-mail compromise are finance and insurance, construction, education and non-profit organisations, manufacturing and legal, government and healthcare.
Oehley pointed out there will be increased cyber activity around the 2024 elections worldwide. Ransomware-as-a-service and data exfiltration ecosystems will continue to evolve, while industrial espionage and IP theft will be prominent.
Ad security configuration will continue to represent a significant threat and AI-generated code will introduce security vulnerabilities into the development process.