Ransomware, Threat Management

Ransomware resurgence after ‘strange year’ in 2022, insurance data shows

Is ransomware getting worse or better?

That’s the question on almost everyone’s minds these days, and new claims data from cyber insurer Resilience underscores how a lack of standardized reporting from ransomware victims leaves observers to grapple with a set of sometimes contradictory facts on the ground.

Resilience CEO Vishaal Hariprasad called 2022 “a strange year” in ransomware, with some metrics hinting at an overall slowdown in digital extortion activity while others indicate business has never been better.

Based on claims reports, there was a definite “resurgence” in ransomware activity over the back half of last year, as paying (or at least publicly reporting) ransoms has become more difficult, with economic sanctions placed on a number of ransomware groups that would make it illegal. Data from cryptocurrency tracking firm Chainalysis showed a $300 million drop in ransomware payments sent to monitored cybercriminal groups, but incident response data from Coveware suggests individual ransomware attacks are getting more lucrative, with the average ransom payment in 2022 coming out to more than $400,000 — their highest levels in the past five years.

Resilience’s claims data help to fill in the gaps, showing that while reported ransomware activity dropped by 25% in the first half of 2022, it ballooned by 300% in the back half and through 2023. The end result, despite some hopeful indicators, is still a criminal landscape flush with money and resources that insurers are still struggling to manage.

“From the victim's perspective, extortion-based cybercrime has gotten worse,” Hariprasad wrote in the introduction, later adding: “Resilience’s 2022 and Q1 2023 claims figures reveal several key trends that show a cyber insurance market still very much under crisis, as criminal activity remains a core driver for loss.”

The long tail of the COVID-19 pandemic — and the resulting rush by companies to engage with cloud providers and other remote services — is still being felt today.

Ransomware is not the only — or even primary — form of cybercrime giving insurers fits these days.

Phishing and social engineering remain the most frequent point of failure that leads to financial loss, while ransomware places second. Vendor data breaches come in at a close third, reflecting the increased importance that cloud companies and other service providers play in their clients’ security posture.

An annual security survey from Forrester found that in 2021, supply chain or third-party breaches, software and web application exploits were listed by companies as the top vector of infection for ransomware, while the No. 1 focus listed by companies who had been hit was improving their application security — reflecting a widespread belief that improving insecure third-party software was key to fending off future attacks.

“It’s very interesting and very difficult because you have a lot of providers you’re using as an enterprise, especially as you get to be one of these very large enterprises that have a lot of targets on their backs, and have a lot of people doing a lot of different things, trying to access a lot of different technologies,” Allie Mellen, a senior security analyst at Forrester, told SC Media recently. “And it provides such a faster way in than if you’re just looking at the company itself. Not only does it provide a faster way in, it provides access to a lot more companies than just that one.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.