Despite advances in cybersecurity technologies, including artificial intelligence (AI), organizations continue to find it difficult to detect and prevent ransomware attacks.
Research conducted by The Ponemon Institute and sponsored by Illumio, Inc. has found that eighty-eight percent of organizations experienced one or more ransomware attacks within a period ranging from the past three months to more than 12 months ago. According to the research, based on the hours and practitioners involved, organizations spent an average of $146,685 to contain and remediate the largest ransomware attack they experienced. In 2021, the average cost was slightly higher at $168,910.
The purpose of this research is to learn the extent of the ransomware threats facing organizations and the steps being taken to mitigate the risks and their consequences. Ponemon Institute surveyed 2,547 IT and cybersecurity practitioners in the U.S. (578), U.K. (424), Germany (516), France (471), Australia (256) and Japan (302) who are responsible for addressing ransomware attacks.
In addition to the 2024 findings, the report also presents research from a ransomware study Ponemon Institute conducted in 2021 and published in 2022. A comparison of the studies reveals changes in ransomware risks and in the practices used to reduce the threats over the past three years. Since 2021, while the share of respondents who perceive their organization as a target of ransomware has declined from 68 percent to 54 percent, the consequences of a ransomware attack, such as downtime, loss of significant revenue and brand damage, have increased.
“Ransomware is more pervasive and impactful than ever, with more organizations forced to suspend operations or experiencing major business failure because of attacks,” said Trevor Dearing, Director of Critical Infrastructure at Illumio. “Organizations need operational resilience and controls like microsegmentation that stop attackers from reaching critical systems. By containing attacks at the point of entry, organizations can protect critical systems and data, and save millions in downtime, lost business, and reputational damage.”
Since 2021, organizations have become more vulnerable to the risks of ransomware because of AI-generated attacks and unrestricted lateral movement within compromised networks.
AI-generated attacks refer to cyber threats that leverage AI to deceive and compromise individuals, organizations and systems. These attacks are becoming increasingly sophisticated, imitating the language and style of legitimate emails to trick users into letting the ransomware in. Other attacks use AI to improve the ransomware’s performance or automate some aspects of the attack path. Fifty-one percent of respondents say their organizations are highly or extremely concerned that their organizations may experience such an attack.
Lateral movement refers to methods cyber criminals use to explore a compromised network to find vulnerabilities, escalate access privileges and reach their ultimate target. It is called lateral movement because of the way the attacker moves sideways from device to device, a hallmark of most successful ransomware attacks.
According to the findings, since 2021 unpatched systems have become increasingly vulnerable to being exploited by attackers moving laterally. Fifty-two percent of respondents in this year’s research say unpatched systems are targeted for lateral movement, an increase from 33 percent of respondents in 2021. Targeting cached credentials increased from 42 percent of respondents in 2021 to 48 percent of respondents in 2024.
The following findings highlight organizations’ efforts to mitigate ransomware attacks.
Organizations are slow to adopt AI to combat ransomware. Although AI is considered helpful for reducing ransomware attacks by increasing overall SecOps efficiency and detecting ransomware activity within the environment, only 42 percent of respondents say their organizations have specifically adopted AI to help combat ransomware.
Since 2021, more organizations believe their security controls will protect them from ransomware attacks. Confidence in mitigating a variety of ransomware risks has increased significantly, especially with respect to their current security controls (32 percent of respondents in 2021 vs. 54 percent of respondents in 2024). Multi-factor authentication and automated patching/updates are the top two technologies used to combat ransomware, cited by 37 percent and 36 percent of respondents, respectively. Only 27 percent of respondents say their organizations use segmentation/microsegmentation.
Since 2021, more organizations are assigning responsibility for stopping ransomware attacks to one organizational function. Ninety-two percent of respondents say one person or function is most responsible for addressing the threat of ransomware. The most responsible are the CISO (21 percent of respondents) or the CIO/CTO (21 percent of respondents). In 2021, 82 percent of respondents said one person or function was most responsible.
To prevent ransomware attacks, organizations should secure the cloud and endpoints. Forty-nine percent of respondents say the cloud is most vulnerable in a ransomware attack followed by the endpoint, at 45 percent of respondents. Desktops/laptops continue to be the devices most often compromised by criminals.
Phishing continues to be the most common way ransomware is delivered. Phishing and Remote Desktop Protocol (RDP) compromises continue to be the primary methods used to unleash ransomware. Ransomware is typically spread through emails that contain links to malicious web pages or attachments. Infection can also occur when a user visits an infected website and malware is downloaded without the user’s knowledge. RDP is one of the main protocols used for remote desktop sessions.
Insider negligence can delay an effective response to ransomware and increase the negative consequences. To improve prevention and reduce the time it takes to respond, organizations should address negligent user behavior and the lack of security awareness. Training programs should focus on how users can make better decisions about the content they receive through email, what they view or click in social media, how they access the web and other common practices. Because no cybersecurity control can prevent every attack, containment and response strategies are equally critical.
Forty-four percent of respondents say their organizations are not prepared to quickly identify and contain a ransomware attack. This indicates the importance of having incident response plans, skilled responders and key controls to stop an attack from spreading.
Ransomware attacks can reduce revenues due to downtime, lost customers and brand damage. Since 2021, the share of organizations that had to shut down to recover from the attack increased from 45 percent to 58 percent in 2024. Respondents who report a loss of significant revenue increased from 22 percent of respondents to 40 percent of respondents.
Since 2021, more organizations are reporting that brand damage was a consequence of the ransomware attack (an increase from 21 percent to 35 percent of respondents). The findings also reveal that recovering from damage to brand can cost organizations the most following a ransomware attack. In 2021, the highest cost was due to legal and regulatory actions.
Part 2. Key findings
In this section of the report, we provide an analysis of the research. Whenever possible, we present the findings from the 2021 study to show three-year trends in ransomware threats and risks. The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following topics.
- The ransomware security gap
- Anatomy of a ransomware attack
- The response to ransomware demands
- Country differences
The ransomware security gap
Fewer organizations pay the ransom. Since 2021, more respondents say their organizations will never pay the ransom even if it means losing data, an increase from 43 percent of respondents to 51 percent of respondents. In an October 2, 2019 Public Service Announcement (PSA), the FBI urged victims not to pay the ransom. According to the PSA, paying the ransom does not guarantee that the exfiltrated data will be returned, as this research also shows. The FBI also warns that paying might embolden attackers to target other victims.
Another trend is the decline in the belief that their organizations are targeted (54 percent of respondents in 2024 vs. 68 percent of respondents in 2021). A little more than half of respondents continue to say prevention of ransomware is a high priority.
To read the rest of this study, visit Illumio’s website.