What businesses need to know about ransomware in 2024
Published
Read time
- Ransomware is still the costliest form of cyber attack
- The severity and frequency of attacks is on the rise, according to Howden’s latest analysis in the 2024 cyber insurance report: Risk, resilience and relevance
- Businesses can build resilience with tools like multifactor authentication
Thousands of cancelled operations, tens of thousands of blood tests destroyed, millions of patients’ data stolen
Watch a short interview on ransomware with Julian Alovisi, Head of Research, and Shay Simkin, Global Head of Cyber (51 seconds)
That was the fallout after hackers targeted the UK’s National Health Service (NHS) in June, in one of the largest ransomware attacks of its kind in Britain.
The attackers demanded £40 million after hacking Synnovis, a pathology services provider for the NHS, and when the ransom wasn’t paid, they leaked 400 GB of highly sensitive data into the dark web, including personally identifying information and test results for cancer, HIV and other conditions.
Perhaps even more concerning, this attack is not an isolated incident – it’s part of a clear trend marked by increasingly frequent, targeted and aggressive ransomware attacks over the past few years.
Howden experts analysed multiple data sources and found evidence that ransomware is changing.
Frequency is up and recovery costs are rising – although the fall in the number of victims paying ransoms underscores increased resilience globally and means insured companies are typically less susceptible to prolonged disruption today than they were three or four years ago.
These findings are from our latest, in-depth analysis of the ransomware landscape in the 2024 Cyber report: Risk, resilience and relevance.
Read the report.
High ransomware threat
When it comes to losses in the cyber environment, ransomware is still the top offender.
Global ransomware attacks continue to test recorded highs, with the number of incidents so far this year more than double what they were in 2021 (see Figure 1).
Unfortunately, the current frequency and severity of attacks – which is driven by the vulnerability of many organisations combined with potentially large pay days for hackers – also suggests ransomware will be a source of significant losses for some time to come.
Source: Howden analysis based on data from NCC Group
What’s driving the frequency of attacks?
A perfect storm of activity from established gangs facing depleted funds following a drop in revenues in 2022, combined with the emergence of new groups, is driving frequency.
The ongoing profitability of attacks, as well as easily accessible, low-cost ransomware kits, also known as ransomware-as-a-service (RaaS), also offer huge incentives for cybercriminals.
What’s law enforcement doing?
In response, law enforcement agencies have increased pressure on gangs, including by disrupting some of the worst offending groups, such as LockBit and BlackCat.
While this has played a part in driving activity down from the peak levels recorded in late 2023, it hasn’t had a decisive impact.
Recorded incidents in the first six months of this year are up 17 per cent on 2023’s already elevated levels.
In fact, the law’s inability to catch hackers has emboldened them to hit back at critical infrastructure.
Earlier this year, US healthcare providers Change Healthcare and Ascension fell victim to ransomware attacks, which caused significant disruption and triggered substantial claims.
A geopolitical twist
A number of UK hospitals also suffered serious disruption in June following the ransomware attack on Synnovis.
These hacks also show how rising geopolitical tensions are driving up ransomware attacks on previously off-limits critical infrastructure.
Intelligence sources believe tacit support from hostile governments is part of an increasingly forceful and flagrant campaign to destabilise Western powers in a crucial election year.
What’s driving the severity of attacks?
The severity of losses from ransomware attacks is a crucial part of the story.
Losses comprise of ransom payments, downtime costs – including business interruption and lost productivity – and other expenses.
Costs can even extend to intangible impacts, such as reputational damage, which are tricky to measure.
However, it’s vital to try because available data on recent large-scale attacks tells us that the ransom payment is often just the tip of the iceberg when it comes to losses.
Marked fall in number of companies making ransom payments
Ransoms paid in dollars have increased in value in recent years – data shows that revenue generated by threat actors from ransomware breached US$1 billion for the first time on record last year.
But this is coinciding with an equally important trend away from paying ransoms at all.
The proportion of companies paying ransoms fell from an average of 70 per cent in 2020 to 28 per cent in early 2024, according to data from ransomware experts, Coveware in Figure 2.
Behind this startling change is companies’ investment in risk controls and crisis management. This is rebalancing cost-benefit considerations for some firms when it comes to paying ransoms.
Source: Howden analysis based on Coveware data
Business interruption is the real cost
Although ransoms grab the headlines, recovery costs are often much higher, with business interruption typically the biggest cost of a significant event (as shown by Figure 3).
Source: Howden analysis based on Coveware and Sophos data
How can business build resilience
Hardened cyber defences and secure backups are helping to mitigate business interruption losses, insulating insured companies from prolonged disruption or outsized losses.
Multifactor authentication (MFA) is a good example of a powerful tool that can improve defences.
In 2023, six in ten of the biggest cases S-RM responded to resulted from direct network access via VPNs not protected by MFA.
Businesses should use MFA to protect their network perimeter and prevent hackers from accessing privileged accounts needed to complete key steps in the attack chain, such as deleting backups and removing antivirus.
The future for cyber insurance
As cyber continues to live up to its dynamic reputation, there’s never been a better time for businesses to make sure they’ve got the best insurance protection possible.
The market is maturing at pace – and that matters to businesses because it means increased appetite to cover a wide range of incidents, alongside expert advice in implementing the most effective risk controls.