67% of businesses classified as critical infrastructure (energy sector, oil and gas industry, and public utilities) were hit by ransomware in 2024. Research by Sophos also indicates that last year was the first in the history of the “State of Ransomware” report in which these entities reported being more likely to pay a ransom than to restore from backups. A Sophos expert stresses that situations in which meeting the criminals’ demands speeds up the restoration of data and systems are the exception, not the rule.
For the second year in a row, the ransomware attack rate among critical infrastructure entities stood at 67%. The average cost for these entities to recover data after a ransomware attack in 2024 was approximately $3.12 million, slightly less than the $3.17 million reported in 2023.
The Sophos expert noted that survey participants often report stopping attacks before data is encrypted. “This is an important quality indicator for threat monitoring, threat hunting and cybersecurity team response speed. It remains at the same level as in 2023 but is lower than in 2021–2022. This is concerning, as the increasing popularity of XDR and MDR solutions should be improving this figure,” emphasizes Chester Wisniewski, Director of Technology at Sophos.
Rising willingness to pay ransoms
The report “State of Ransomware in Critical Infrastructure 2024” also reveals that criminals are demanding ever higher ransoms. In 2024, only 51% of the surveyed companies recovered their data from backups, while 61% of critical infrastructure entities paid a ransom to recover data. This is a higher share than in 2023 and 2022, when 50% and 55% of the surveyed businesses, respectively, met the criminals’ demands.
“This shows that cybercriminals realize how destructive cyber attacks can be for these service providers and see it as an opportunity to make large amounts of money. In 2024, the average ransom paid by entities affected by ransomware was $2.5 million,” points out Chester Wisniewski.
The lack of multifactor authentication, outdated software, and the readiness to pay a high ransom all signal these institutions’ vulnerability to cyber-attacks and reinforce the criminals’ belief that they are ideal targets for further attacks. At the same time, there is no reliable way for victims to ‘buy their way out’ of the consequences of a cyber-attack.
“55% of the respondents took over a month to recover their data. In my opinion, for most of this time, victims negotiated with cybercriminals, purchased cryptocurrencies, and delayed rebuilding their systems. Meanwhile, recovering all files is almost impossible, and systems will still need repairing,” explains Chester Wisniewski.
In the expert’s opinion, the best course of action for entities hit by ransomware is to refuse to pay the ransom and immediately begin recovering data from backups and rebuilding the compromised software and devices.
Cybercriminals also attack backups
One way to quickly recover data that has been encrypted or destroyed in a cyberattack is to restore it from backups. However, the Sophos study shows that attackers deliberately target backup environments as well. 98% of the energy, oil and gas, and public utility entities hit by ransomware in 2024 reported that the cybercriminals attempted to compromise their backups during the attack. Four out of five (79%) of these attempts succeeded, the highest rate of successful attacks on backups across all surveyed industries.
This year’s results for the critical infrastructure sector show a clear change from the previous two years, when backup use rates were a strong 70–77%. In 2024, only 51% of the surveyed entities restored from a backup.
What can critical infrastructure institutions do to protect themselves from attacks?
Chester Wisniewski emphasizes that critical infrastructure organizations need to recognize ransomware attacks as a serious threat and make themselves as resilient as possible to ransom demands.
“This is entirely achievable. The focus should be on basic cybersecurity measures. In 83% of companies, a ransomware attack was a consequence of phishing, credential theft or security system flaws. To prevent this, the first step should be to ensure multifactor authentication and system software updates. These are remedial measures that do not generate additional or high costs,” adds the Sophos expert.
Chester Wisniewski also points out that a company that has been attacked should not pay the cybercriminals. Paying does not guarantee that access to the data will be recovered and can involve enormous costs. Moreover, data stolen by the cybercriminals can end up on the dark web, and paying the ransom will not remove it.
About the report
The data in the “State of Ransomware in Critical Infrastructure 2024” report comes from a survey conducted in January and February 2024 among 5,000 cybersecurity leaders, including 275 from the energy, oil and gas, and public utilities sector. Respondents came from 14 countries across the Americas, Europe, and the Asia-Pacific region. The surveyed companies employed between 100 and 5,000 workers, and their annual revenues ranged from less than $10 million to over $5 billion.
Source: https://managerplus.pl/sophos-podmioty-infrastruktury-krytycznej-coraz-czesciej-placa-okup-za-odzyskanie-danych-39057