How to improve ransomware attack outcomes

Malicious computer programming code in the shape of a skull.

There’s usually not much to be found in cybersecurity news that can be considered good, but here is something encouraging: The Sophos State of Ransomware 2024 report, based on a survey of 5,000 IT and cybersecurity leaders within 14 countries during January and February 2024, shows that ransomware attacks across the board are down, or flat, from the 2023 report.

While respondents with revenue of $500 million to $1 billion experienced the same number of ransomware attacks at 67%, companies with more than $5 billion dropped incidents year over year from 72% to 67%. As you can see in the chart below, small businesses (those with revenue of less than $10 million annually) experienced a significant decline from 58% to 47%.

As we recently covered, nearly all organizations hit by ransomware in the Sophos survey were able to identify the root cause of their incident. Software vulnerabilities proved to be the top initial, successful attack vector for the second survey in a row. Further, email communications were identified as the initial vector of attack by 34% of respondents, with around twice as many starting with a malicious email (i.e., a message with a malicious link or attachment that downloads malware onto the target endpoint) as phishing attacks. Sophos notes that phishing is typically used to steal login details and can be considered the first step in a compromised credentials attack.

While a drop in ransomware attacks, or even a stasis, is welcome news, the fact is that ransomware remains a significant threat to organizations of all sizes around the globe. And while the overall attack rate has dropped over the last two years, the impact of an attack on those that fall victim has increased. Defenders must keep pace as adversaries continue to iterate and evolve their attack techniques. And, let’s face it, greater than 60% of organizations suffering a significant ransomware attack is nothing to spike the football about.

Now that we have reviewed what went wrong regarding ransomware defenses, let’s look at how organizations can better protect themselves.

Better vulnerability management and MFA

If we’re going to see fewer successful ransomware attacks next year, organizations need to take a few reasonable steps toward a better defense quickly. With system vulnerabilities being the top successful attack vector, it would make sense to put more effort into patch management and attack surface management capabilities. Second, incorporating multifactor authentication (MFA) will go a long way in helping to secure compromised credentials.

Adopt zero trust, boost security awareness training

Many organizations would benefit by moving toward a zero-trust architecture that will make it more challenging for attackers to gain entry, and should they succeed in making headway into an environment, they will find it much more difficult to move laterally within the environment. Finally, Sophos suggests prioritizing ongoing user security awareness training and teaching how to identify phishing emails better.

Agile security

Motivated attackers will keep looking for other ways to succeed. That’s why a comprehensive and agile security program is essential so organizations can respond effectively as attackers alter their methods. Such a security program will reasonably defend endpoints, emails, applications, cloud systems, and networks. Consider capabilities such as TLS inspection. Regarding email, multilayer filtering and attachment sandboxing should also be considered.


It’s also not enough to simply deploy antimalware and various firewall technologies and then let them run unmanaged. Security defenses need to be continuously observed and optimally set and configured. Regularly updating software, operating systems, and firmware will help eliminate known security gaps exploited by ransomware. Consider leveraging a managed detection and response service for 24/7 threat monitoring, threat hunting, and incident response. Of course, even the best defenses will fail from time to time. If an organization is going to be resilient to ransomware, it needs to be able to detect and respond to ransomware attacks adequately. Detection technologies range from traditional signature-based detection technologies to behavior-detection network traffic analysis. More esoteric detection techniques include honeypot files designed to trap ransomware on endpoints and detect any unauthorized changes to these files, which can indicate ransomware or other attack type.

Protected backups

Organizations need to maintain frequent offline backups and make sure those backups are well protected by compromise, as it’s common for ransomware attackers to target backups for compromise. Also, such backups should be regularly tested and validated to ensure that the backups are intact and that restoring systems from backups are functioning correctly.

The will to adapt

Finally, ransomware attackers are constantly tweaking their tactics, and nearly every organization’s environment is continually in flux. Security strategies must be reviewed regularly and updated to match current conditions. While there’s no guaranteed way to avoid being a victim of a ransomware attack entirely, focusing on prevention, adequate response and recovery, and adapting the security program when necessary can go a long way in achieving resilience.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.