Ransomware resurgence underscores the dynamic nature of cyber risk

By Catherine Lyle, Coalition

The cybersecurity threat landscape is dynamic and rapidly evolving. On any given day, a hacker’s preferred attack method can change. Businesses should be mindful of this shifting landscape and take proactive steps to mitigate potential losses from various cyber threats rather than focusing on preventing a particular attack method that is making headlines.

Following these trends closely can be tremendously valuable, but it’s important to remember that there’s no certainty with cyber risk: an upward trend in one specific attack method doesn’t mean a cyberattack is imminent, and, conversely, a downward trend doesn’t mean the threat has disappeared.

To understand how quickly cyber risk can change, let’s take a closer look at the past six months of ransomware-related cyber claims and discuss how businesses should think about these evolving cyber trends.

The (temporary) decline of ransomware

Coalition analyzed all 2022 cyber insurance claims to better understand how attackers’ methods change over time. We found that ransomware incident frequency dropped 54% year-over-year from 2021, possibly due to geopolitical instability amidst the ongoing conflict between Russia and Ukraine or companies having other methods to restore data and bring systems back online without paying the ransom. 

Additionally, we observed that the average ransomware demand also decreased from $1.2 million in 2021 to $1 million in 2022 — a 17.5% drop year-over-year. More specifically, businesses with less than $25 million in revenue experienced the sharpest decline (53%) in demand amounts, shrinking from $1.1 million to $400,000.

Ransomware returned with increasing demands

Ransomware claims began increasing at the end of 2022 — though not enough to offset the full-year statistics — and this trend has continued into the first quarter of 2023.

Coalition observed a 78% spike in ransomware claims between Q3 and Q4 in 2022, followed by a 16% jump between Q4 2022 and Q1 2023. We also found that the average ransom demand in Q1 2023 was $1.64 million, up 64% from the 2022 average.

The increase in ransomware claims holds true across the cybersecurity industry. March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, with 459 attacks, a 91% increase from the previous month and 62% compared to March 2022.

Many of the 2023 claims are connected to Royal Ransomware, a sophisticated malware strain, and the impacted policyholders were using an end-of-sale (EOS) firewall appliance. In Coalition’s past experiences with Royal Ransomware, most ransom demands were in the millions, with the highest demand we’ve seen reaching above $2 million.

How should businesses think about cyber trends?

Based on our analysis, the most crucial cyber trend to pay attention to is unpatched critical vulnerabilities. New vulnerabilities regularly emerge within many businesses’ most essential technologies — and the way to resolve these issues is quick and consistent remediation.

Among Coalition policyholders, businesses with one unresolved critical vulnerability were found to be 33% more likely to experience a claim.

Secondly, businesses should also be cautious about using outdated software. End-of-life (EOL) software, meaning technology no longer supported or updated by the original developers, is often highly vulnerable to cyber-attacks. Coalition policyholders using EOL software were three times more likely to experience a cyber claim in 2022.

Upgrading and patching all internet-facing software is a critical step toward improving an organization’s cyber posture, along with implementing a process to ensure the most up-to-date versions of these popular technologies are being used. In the long run, following these security best practices will help businesses stay secure regardless of attack trends.

Trends in the evolving landscape

The cyber threat landscape moves so quickly that it’s impossible to stay 100% up-to-date and current with trends. Not only do vendors take time to analyze data, but targeted organizations may not always promptly report attacks on their digital infrastructure.

Ultimately, as seen in our trend analysis, implementing cyber best practices to maintain hygiene is the most effective and efficient way to stay on top of evolving threats rather than tracking and planning for a specific attack type.

With that in mind, implementing multi-factor authentication (MFA), a system that requires a user to verify login using an access code from another device, is one of the easiest things an organization can do to start implementing cyber best practices today. It is simple, and nearly every major email provider has it.

Catherine Lyle is Head of Claims for Coalition.