Ransomware is (slightly) on the decline, cyberinsurance company says

Ransomware attacks began to become both less common and less costly in the first half of 2022, as payments to attackers and the number of attacks that resulted in paid ransoms both shrank, according to new data released today by cyberinsurance company Coalition.

After increasing sharply at the outset of the pandemic, the frequency of ransomware claims made by Coalition policyholders shrank sharply during the first six months of the year, dropping from a peak of 0.66% of all policyholders in the second half of last year to 0.41% in early 2022—a figure lower than the initial 0.44% seen in 2020’s second half, when the COVID crisis was at its height.

Part of the reason for this decline, according to the Coalition report, is the growing prevalence of offline backup systems at major companies, which means that more ransomware targets can simply restore their data without having to engage with their attackers. Additionally, the company said, outside sources like recovery services provider Coveware and Verizon indicate that the average size of a ransomware payoff has declined precipitously in recent months.

Strategy of ransomware groups evolve

It’s important to note, however, that the organized groups behind many of the most prominent ransomware attacks have constantly evolving strategies, Coalition said.

“Over the last three years, cyberattacks have evolved into a viable criminal business model with threat actor groups such as Conti, Lockbit, and Hive continuing to make headlines,” the report said.

Moreover, one of those evolutions seems to be a shift toward targeting smaller businesses, which are often less able to cope with the consequences of ransomware attacks. The average cost of a cyberincident claim for a small business in the first half of 2022 was $139,000—a hefty sum for a small company.

“Cyberincidents have the power to put very small organizations out of business,” Coalition warned.

Gartner senior director analyst Jon Amato agreed that, while ransomware is somewhat in decline, it remains a “profit center” for cybercriminals, and is still a critical danger to vulnerable organizations.

“Tamper-resistant backups and better detection methods have helped here, as have legislative solutions banning or strictly regulating ransom payment,” he said. “In addition, many organizations (both in the public and private sectors) have simply taken the position that they will not pay under any circumstances.”

Amato noted that related attack techniques, which don’t rely on completely locking victims out of their systems, can be more difficult to deter with purely technical solutions.

“For example, data exfiltration and the threat of sensitive data disclosure is becoming an increasingly prevalent attack technique, which can in some cases make having good backups and recovery processes irrelevant to the pay/no-pay decision,” he said.