Dan Lattimer, Area VP UK&I at Semperis, breaks down the industry’s best route to recovery in the wake of a ransomware attack.

When did ransomware truly ramp up? Historically, many victims didn’t document successful attacks. This makes it hard to say with any certainty when this now widespread technique kicked into the mainstream arsenal of threat actors.

The rise of ransomware 

With that said, I feel as though a shift started in the late 2010s – and reports from others have corroborated my hunch.

The UK’s National Cyber Security Centre (NCSC), for example, stated that “ransomware has been the biggest development in cybercrime” since it published its 2017 report on online criminal activity. Similarly, the New Jersey Cybersecurity & Communications Integration Cell affirmed that “after 2017, the number of ransomware attacks have become more prevalent and continue to increase each year”, tallying with the growing popularisation of cryptocurrencies at that time, which have enabled payments to be sent anonymously.

Since then, ransomware has remained an ever-present threat. Indeed, by the third quarter of 2021, Gartner revealed that new ransomware models had become the top concern facing executives.

In response, companies of all shapes and sizes have gradually begun to work towards protecting themselves from the evolving threat of ransomware, working to establish effective security policies and protocols. Further, the fightback has also stemmed from other areas, be it the continual evolution of defensive technologies or the heightening of regulations, with enterprises now required to implement more stringent security measures to ensure compliance and avoid fines.

However, without question, there are still several gaps that need to be bridged.

The state of ransomware in 2024

To explore just how effective (or ineffective) enterprises have become in defending against the impacts of ransomware attacks, Semperis recently carried out a survey of nearly 1,000 IT and security professionals from global organisations across multiple industries in the first half of 2024.

Looking at the data, it’s clear that the threat of ransomware remains a significant problem, with attacks having become both frequent and continuous. According to the report, ransomware attacks impacted 85% of UK organisations in the past 12 months. Almost half of all organisations (45%) were attacked three times or more.

Repercussions of ransomware 

What is more concerning, however, is the rate at which companies are failing to combat these attempts. Indeed, hackers using ransomware successfully breached more than half (54%) of the UK companies we surveyed in the space of 12 months – sometimes within the same day.

The damages associated with ransomware attacks are well known. From regulatory fines to business downtime and reputational damage, such threats can set off a domino effect of problems for firms, with very few respondents having managed to avoid any kind of impact. Globally, almost nine in 10 (87%) experienced some level of disruption, while for a significant group, the effects were much greater. Indeed, 16% had their cyber insurance cancelled, 21% saw layoffs, and one in five (20%) had to close their business permanently.

Given the potentially devastating consequences, firms can feel cornered into cooperating with threat actors. In fact, more than three quarters of respondents in our survey that had suffered such an attack opted to pay the ransom, with 32% having paid out four or more times in the space of just 12 months.

Further, these sums are not insignificant. Indeed, 62% of UK companies that paid a ransom stumped up funds of between £200,001 and £480,000.

It shouldn’t just be the astronomical sums involved here that cause alarm bells to ring. Equally, it is vital for firms to understand that there is no guarantee that meeting the demands of cybercriminals will make their problems disappear during a ransomware attack. In fact, our findings show that more than a third of organisations that paid ransoms failed to receive decryption keys or were unable to recover their files and assets.

Don’t overlook recovery

Such a status quo cannot continue. Instead, enterprises must go back to the drawing board, working to establish more reliable and effective cybersecurity and system recovery strategies that work effectively against the ever-present threat of ransomware.

As part of this rework, companies must continue to test and trial their methods. This is vital to ensure they work when the company needs them. Indeed, our survey shows that 63% of UK companies took more than a day to recover their systems to a good state, while one in eight took over a week.

This is a problem. Indeed, downtime is more than just an inconvenience. Every second that passes during an outage translates into lost revenue, diminished customer trust and lasting damage to an organisation’s reputation. From sales slipping away to consumers questioning the reliability of your company, the implications can be massive.

On the right track to recovery

Promisingly, it appears that many organisations are on the right track, with nearly 70% of respondents stating that they had an identity-focused recovery plan in place. However, despite this, only 27% actually maintained dedicated systems for recovering Active Directory, Entra ID, and identity controls – the Tier 0 infrastructure that all systems depend on for recovery.

Organisations must bridge this gap. For many companies worldwide, AD is the backbone of their operations, serving as the primary identity platform. Cybercriminals are acutely aware of its significance and continue to target it. If they can gain control of an enterprise’s AD, they can effectively bring everything to a halt, applying immense pressure on unprepared organisations.

To prevent such a scenario from unfolding, organisations must prioritise establishing a dedicated system for backing up and recovering AD, ensuring they can restore operations with both speed and integrity in the event of an attack.

Less than a quarter of firms currently have such a system in place, and that needs to change. Yes, preventative measures are important. However, recovery is an aspect that organisations cannot afford to overlook.
