Jon Fielding, Managing Director, EMEA, at Apricorn, looks at rising ransomware attacks and the impact of changing government policy on how to respond to a breach.

Ransomware attacks are on the increase despite concerted international efforts to disrupt ransomware business models. According to the Apricorn annual survey of IT and security decision makers, the risk of ransomware is rising steadily. This year, 31% stated their organisation had suffered an attack over the past twelve months in the UK. This figure is a noticeable rise compared to 24% in 2023. Ransomware is now the most sought-after type of cover when organisations take out cyber insurance. Double the number of respondents required ransomware cover in 2024, up from 16% in 2023.

Attempting to break this pattern, the Home Office has launched a new consultation. The document seeks opinions in response to three new proposals by April 2025. The first entails a targeted ban on the payment of ransoms in the public sector and by critical national infrastructure. The second is a payment prevention regime. This would require victims to report plans to pay before doing so, and the government could then block the payment. And third, the government would make the reporting of ransomware incidents mandatory.

It’s not yet clear if incident reporting will apply across the board to all commercial organisations. It’s possible a threshold will determine the scale of attack that must be brought to the government’s attention. If the latter, reporting will be encouraged even among those who fall out of scope. This will help the government understand the scale, type and source of ransomware threats. 

The report itself will need to be filed within 72 hours of the attack. A full report will then need to be provided within 28 days. The initial report will need to contain details on whether the organisation can recover using its existing resilience measures, like if it can use backups to restore data and resume operations.

Failed ransomware recoveries

Worryingly, this is often far more difficult than organisations think. Despite having backup processes in place, these are not always fully tested. This can mean that, when the time comes, data restoration is only partially successful. 

The Apricorn survey found that 50% of respondents had to resort to using their backups to recover data last year. Of those, only half were able to do so successfully. A quarter of respondents had to settle for partial recovery and 8% were unable to recover any data at all.

To make matters worse, ransomware attackers are also actively targeting those backups to thwart recovery. 

The 2024 Ransomware Trends report found that 96% of ransomware attacks are now aimed at backup repositories. The Apricorn survey found automated backup to both central and personal repositories has surged to 30%, up from 19% the year before. That is a positive step, as it means fewer are backing up manually, a practice in which errors occur or the user simply forgets to back up their data. But with those repositories now being actively targeted, it’s clear that organisations need to make backups of their backups.

This is precisely the thinking behind the 3-2-1 strategy. It advocates that data be backed up at least three times, with at least two copies of that data held on different media, one of which should be offsite. 

One copy of the data should also be held offline, effectively air-gapping it. A good example of this is an encrypted removable hard drive that can be disconnected from the network. In this way, the organisation can guard against the risk of its backups being compromised.

Testing the process

Taking such proactive measures provides a belt and braces approach to recovery but it’s also important to diligently test the recovery process on a regular basis. The Apricorn survey found 9% of those questioned acknowledged their systems were not robust enough to allow a rapid recovery from an attack, indicating there is still work to be done in this regard. 
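The two points above, that a backup set should satisfy the 3-2-1 rule (with an offline copy) and that a restore must be verified rather than assumed to work, can both be checked mechanically. The script below is an added example written for this page, not Apricorn's own tooling. It records a SHA-256 manifest at backup time, classifies a later restore as full, partial or failed in the same terms the survey uses, and checks an inventory of backup copies against 3-2-1 plus the offline requirement. The file contents and copy inventories are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# --- constructed sample data (not real backup contents) ---------------------
ORIGINAL = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "hr/staff.json": b'{"staff": ["alice", "bob"]}',
    "ops/runbook.md": b"# Runbook\n1. Restore from the offline copy\n",
}
# A partially successful restore: one file intact, one silently corrupted,
# one missing altogether.
RESTORED_PARTIAL = {
    "finance/ledger.csv": ORIGINAL["finance/ledger.csv"],
    "hr/staff.json": b'{"staff": ["alice"]}',
}


def build_manifest(files):
    """Record the SHA-256 of every file at backup time; keep this with the backup."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a restore against the manifest and classify the outcome.

    'full'    = every file present with a matching hash
    'partial' = some files usable, others missing or corrupt
    'failed'  = nothing usable recovered
    """
    ok, missing, corrupt = [], [], []
    for path, digest in manifest.items():
        data = restored.get(path)
        if data is None:
            missing.append(path)
        elif hashlib.sha256(data).hexdigest() != digest:
            corrupt.append(path)
        else:
            ok.append(path)
    if not missing and not corrupt:
        status = "full"
    elif ok:
        status = "partial"
    else:
        status = "failed"
    return {"status": status, "ok": ok, "missing": missing, "corrupt": corrupt}


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # e.g. "disk", "tape", "removable-encrypted", "cloud"
    offsite: bool
    offline: bool   # physically disconnected from the network


def check_321(copies):
    """3-2-1 as described in the article: at least three copies, on at least two
    media types, at least one offsite; plus the article's extra requirement that
    at least one copy is offline (air-gapped)."""
    media_types = {c.media for c in copies}
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_offline": any(c.offline for c in copies),
    }
    result["compliant"] = all(result.values())
    return result


# Constructed copy inventories.
COPIES_GOOD = [
    BackupCopy("production volume", "disk", offsite=False, offline=False),
    BackupCopy("central NAS snapshot", "disk", offsite=False, offline=False),
    BackupCopy("encrypted removable drive in offsite safe",
               "removable-encrypted", offsite=True, offline=True),
]
# Every copy is network-attached disk at one site: one ransomware run reaches all of them.
COPIES_BAD = [
    BackupCopy("production volume", "disk", offsite=False, offline=False),
    BackupCopy("central NAS snapshot", "disk", offsite=False, offline=False),
    BackupCopy("personal share copy", "disk", offsite=False, offline=False),
]

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    print(verify_restore(manifest, RESTORED_PARTIAL))
    print(check_321(COPIES_GOOD))
    print(check_321(COPIES_BAD))
```

Run on the sample data, the restore comes back as partial with the missing and corrupt paths listed, which is exactly the information the 72-hour initial report would need; the second inventory fails 3-2-1 on media diversity, offsite and offline at once, even though it holds three copies.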

But those that do get to grips with improving their backups stand to reap additional benefits. For instance, the survey found a striking 46% of respondents now consider robust backup policies as the most important factor for meeting cyber insurance compliance, a substantial increase from 28% in 2023.

It’s better not to pay 

There’s also a growing realisation that paying a ransom offers little guarantee of the business being reunited with its data. The 2024 Ransomware Risk Report found that over a third of victims (35%) either did not receive decryption keys or received corrupted keys, leaving them unable to recover their data. What’s more, they were often extorted multiple times. Of the 78% that paid the ransom, 72% paid multiple times and 33% four times or more. It’s also commonplace for victims to be targeted again if they pay, with 74% reporting being attacked multiple times.

It’s for these reasons that organisations’ approach to ransomware has to change, with a move away from negotiations and payments to more resilient business processes that make recovery possible. The advice from the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) has always been not to simply resort to payment, and that doing so does not fulfil the organisation’s regulatory obligations in terms of mitigating the risk posed to data.

The recommendation was to report the incident but the introduction of mandatory reporting will now formalise that process. In doing so it will make organisations much more aware of the need to detail the resilience measures they have in place and hopefully that will translate into much more diligent backup strategies.
