Ransomware Trends - Veeam 2023 Global Report
Lessons learned from 1,200 victims and nearly 3,000 cyber attacks
According to the 2023 Data Protection Trends Report, 85% of organizations suffered at least one cyber attack in the preceding twelve months, an increase from the 76% reported in the prior year.
To better understand the preparedness and recoverability of cyber attacks, an independent research firm conducted a blind survey of 1,200 unbiased IT leaders whose organizations suffered at least one ransomware attack in 2022. Organizations of all sizes from 14 different countries across APJ, EMEA and the Americas were represented.
The survey asked about the impact that ransomware had on their environments, as well as what their IT strategies and data protection initiatives are moving forward. While analysts forecasted growth in overall IT spending for 2023 between 4.5% (IDC) and 5.4% (Gartner), respondents in this survey expect their cyber security (preventative) budgets to grow by 5.6% and their data protection (remediation) budgets to grow by 5.5% in 2023.
60% of organizations need significant or complete overhauls between their backup and cyber teams
While many organizations may say that “ransomware is a disaster” and therefore include cyber attacks within their Business Continuity or Disaster Recovery (BC/DR) planning, the actual interaction between the teams leaves much to be desired.
One of the consistent findings of this research over the past two years has been that those roles closest to the challenges of cyber events are often the least satisfied with the partnering between the teams.
The most common element of an incident response playbook is a good backup
87% of organizations have a risk management program that drives their security roadmap or strategy. That said, only 35% believe their program is working well, while 52% are seeking to improve their situation and the remaining 13% do not yet even have an established program.
Regardless of what you call your program or team that is chartered with planning against cyber events and preparing for how the organization will deal with them, the most common elements of the ‘playbook’ in preparation against a cyber attack are:
Clean backup copies, which one might presume includes data that is ‘survivable’ against attacks and does not include malicious code
Recurring verification that the backups are recoverable
77% of ransoms were paid by insurance, but that is becoming harder and more expensive
In 2022, paying the ransom via insurance was an option for 96% of cyber victims, with half of all respondents using cyber-specific insurance.
Interestingly, 28% used insurance that was not cyber-specific, while 18% chose not to use insurance that was available to them. These options might increasingly become the norm, as insurance becomes more expensive or less available, like homes that cannot acquire flood insurance due to increasing storm frequency.
In fact, 21% of organizations stated that ransomware was now specifically excluded from their policies. Meanwhile, those with cyber insurance saw changes in their last policy renewals:
74% saw increased premiums
43% saw increased deductibles
10% saw coverage benefits reduced
80% of victims paid the ransom, but many still could not recover
The right answer ought to be “We did not pay, since we were able to recover our data,” but only 16% of organizations responded that way, which is slightly down from 19% in last year’s survey.
It is worth noting that 41% of organizations have a “do not pay” policy, while 43% of organizations do not have a policy on whether to pay or not. That said, 80% paid.
Unfortunately, while 80% of respondents acknowledged paying, one fourth of them still could not recover their data even after paying the ransom. Can you imagine sending the bitcoin, but the decryption tool didn’t work (or wasn’t given at all)?
There are two probable reasons why the ransom was paid:
The ransom was paid with insurance money, instead of by the organization.
The backup repositories were also affected by the cyber attack, so no recovery option was possible.
45% of production data was affected by a cyber attack
This is unfortunately consistent with last year’s 47% affected statistic, with no reason to assume future attacks won’t result in a similar catastrophic amount of data loss or impact.
On average, organizations stated that 45% of their production data was affected by the cyber attack. In looking at the extremes, 25% had a small portion (<20%) of their data affected, while 14% had nearly all (>80%) of their data affected by the attack.
Unfortunately, only 66% of the affected data was recoverable. This calculates to 15% of the organizations’ production data being unrecoverably lost.
As an aside, cyber victims were also asked about their confidence before and after the attack. In hindsight, only 59% considered themselves ‘prepared’, and even then, the results did not vary greatly based on how impactful the attack was.
Cyber villains were able to affect the backup repositories in 75% of attacks
Said another way, one in four organizations had backups to restore from, which is down from last year when one in three organizations had survivable backups.
In fact, bad actors targeted the backup repositories in at least 93% of attacks in 2022, nearly identical to the 94% of repositories that were targeted in 2021.
The respondents who stated that “some,” “most” or “all” of their repositories were affected reveal that on average, 39% of backup repositories were affected.
Combining those statistics means:
75% likelihood that backup repositories are affected
When affected, 39% of repositories are unusable
This will result in roughly one third (29%) of restores not being viable.
It takes at least 3 weeks to recover (per attack), after triage
Like any disaster, recovering a wide range and number of IT systems takes time. Respondents to the survey estimated that it took them 3.3 weeks from when they earnestly began until they considered their recovery efforts essentially “complete.” BUT there was a recognized caveat:
If you are recovering from fire, you immediately start recovering the burnt servers.
If you are recovering from flood, you immediately start recovering the wet servers.
In both cases, the last known backups or replicas are trusted to begin recovery immediately.
But when you recover from ransomware, there is an unpredictable amount of time to:
Identify which servers are infected
Determine that the backup/replica versions are not also affected or might reintroduce malware
Only after you know those criteria can you start to recover, after which the process will take an average of 3+ weeks.
82% use immutable clouds, 64% use immutable disks, and tape still matters in 2023
Only 16% were able to recover instead of paying the ransom. To do that, they had to have recoverable data within the repositories.
Less than 25% of victims stated that their backup repositories were not affected by the attacker. The way to achieve that is immutability or air gapping, so that the backup repositories cannot be tampered with by the cyber villain.
For 2023, only 2% of organizations do not have immutability in at least one tier of their backup solution, with many reporting that they have immutability or air gaps across multiple tiers. In 2023, it is very achievable for backup data to be immutable across its entire data protection lifecycle, including short-term disk, within BC/DR capable clouds and long-term tape storage.
56% of organizations run the risk of re-infection during restoration
When respondents were asked how they ensure that data is ‘clean’ during restoration, 31% stated that they rely on immutable repositories, which, while a best practice, does not guarantee ‘clean’ data.
This is analogous to ensuring a leak- and tamper-proof bottle, which is not the same as ensuring that the contents within the bottle are safe or non-poisonous.
71% would recover to a cloud, 81% would use a datacenter
Like any BC/DR strategy, one of the key IT decision questions is “Where will the servers recover to?”, with the options including cloud-based and datacenter infrastructure.
For fire or flood, one presumes the original datacenter is unavailable. Cyber attack victims may have the option to use the existing datacenter (with new servers) or even the original servers (wiped); but not always, depending on whether the original servers or facility have been seized by law enforcement or are needed for other forensic work.
In 2023, the most anticipated alternate site for ransomware recovery at scale was cloud-hosted infrastructure, closely followed by managed disaster recovery as-a-service (DRaaS) platforms; which makes sense considering the high percentage of organizations intending to use cloud repositories as their immutable recovery source.
Most organizations are flexible:
19% only plan to recover to a cloud
29% only plan to recover to on-prem servers
52% have plans that include both cloud and on-prem recovery options
Summary of Lessons Learned
This analysis covers the opinions of 1,200 unbiased organizations who suffered at least one cyber attack in 2022:
Unlike potential natural disasters like fire or flood, being the victim of a cyber attack is much more probable than just possible. And when considering that on average, for each attack, an organization might expect to lose 15% of their production data, it is not surprising to see increased investments and prioritization of both cyber attack prevention and greatly increased remediation processes and technologies.
Said another way, a secure backup is the only alternative to simply paying the ransom.
Based on lessons learned from the 1,200 attack experiences within this survey, most organizations today employ a few key technologies in preparation for the next assault:
Immutable storage within disks and clouds, as well as air-gapped media, to ensure recoverable data
Staged restorations, to prevent re-infection during recovery
Hybrid IT architectures for recovering the servers to alternative platforms, like any other BC/DR strategy