Ransomware Trends
Attack Severity: No Reprieve
If ransomware attacks in the US fell significantly in 2022, did the smaller pool of victims also experience less severe attacks?
Unfortunately, that’s not the case. The average ransom payment among Corvus policyholders rose to the highest levels we have ever seen across a full year. In fact, we saw the largest year-on-year jump in average payments on record in 2022, with an increase of 63% over the previous year. Coveware, an incident response firm, had similar findings through 2022 on the trajectory of ransom payments, including a spike in Q4 2022 to reach the highest average ransom payments on record for a quarter, a finding that’s consistent with internal Corvus data.
To summarize: when attackers succeeded in 2022, they made it count — likely because those successes were fewer and farther between. Knowing that their chances for a payday are lower than in the past, threat actors may have chosen to target larger organizations or swing for the fences with larger demands. Or both.
[Chart: Average ransom payment among Corvus policyholders by year]
Picking on the little guy
Of course, these costs are not evenly distributed. We found that — unsurprisingly — the size of a business’s annual revenue factors heavily into the costs it bears in cyberattacks. When it comes to ransomware and other attacks like fraudulent funds transfers (FFTs), attackers have gotten better over time at matching their ambition to the ability of the business to pay (or, in the case of FFTs, to how much money can flow out of the business without raising an eyebrow). There’s a clear relationship: the average claim cost is higher in each revenue tier than in the tier below it, except for the largest category, $500M and up. As for that last category bucking the trend, our team notes that because the consequences of an incident rise along with the size of the business, large companies tend to devote a greater percentage of their IT budget to security and are more likely to have a CISO on staff. These investments likely improve resiliency and reduce the cost of claims.
One thing to note is that while there is a clear trend, it’s not exactly proportional. A business with $250M in revenue is five times “larger” than a business with $50M, but the larger business’s typical claim cost is only about two times that of the smaller business. In other words: the smallest businesses bear the brunt of attacks as a percentage of revenue.
To illustrate this point, we took a hypothetical business that sits at the top end of each of the ranges used in the chart above and divided their revenue by the average claim cost for that tier. We found that the smallest two tiers see around twice the claim cost (as a percentage of revenue) as the next tier up the chain.
Take your demand and…
One trend that we reported on as a rare bright spot during ransomware’s rise to infamy has continued to hold up through 2022, even in the face of larger payments: the rising share of victims who face down their attackers and refuse to pay a ransom. As understanding of ransomware has grown (and as insurers provide better advice on security controls), we have seen greater adherence to best practices around backups and incident response planning. This helps companies stay in the driver’s seat when faced with a demand, keeping multiple options on the table and potentially avoiding paying a ransom. In line with this progress, last year the percentage of Corvus policyholders who paid up when confronted with a ransom dipped below 30% for the first time. This is progress over prior years within Corvus data and is also significantly lower than the broader market estimate of a 41% ransom payment rate reported by Coveware for 2022.
[Chart: Percentage of Corvus policyholders who paid the ransom when attacked with ransomware]
Legal Disclaimer: This report is intended for general guidance and information purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. Please consult your broker with respect to the information presented herein.