Malware News The State of Ransomware 2023 | Sophos News


Level 35
Thread author
Top Poster
Feb 25, 2017
The latest edition of Sophos’ annual ransomware study reveals the reality facing organizations in 2023, including the frequency, cost and root cause of attacks.

Attack rates remain level, but data encryption has increased​

66% of organizations surveyed said they were hit by ransomware in the last year. This is the same attack rate as reported in our 2022 study, suggesting that the rate of ransomware attacks has remained steady despite any perceived reduction in attacks. The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed saying that they were victims of ransomware.
Data encryption from ransomware is at the highest level in four years with adversaries succeeding in encrypting data in 76% of attacks. Furthermore, in 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace.
The most common reported root cause of attack was an exploited vulnerability (involved in 36% of cases), followed by compromised credentials (involved in 29% of cases). This is in line with recent, in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders report.

Paying the ransom doubles recovery costs​

Overall, 46% of organizations surveyed that had their data encrypted paid the ransom and got data back. Larger organizations were far more likely to pay with more than half of businesses with revenue of $500 million or more admitting that they paid the ransom.
However, the survey also shows that when organizations paid a ransom to get their data decrypted, they ended up doubling their non-ransom recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back).
Moreover, paying the ransom usually meant longer recovery times, with 45% of those organizations that used backups recovering within a week, compared to 39% of those that paid the ransom.
“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation.”
Chester Wisniewski, field CTO, Sophos

Mitigating the ransomware risk​

Megan Stifel, executive director of the Ransomware Task Force and chief strategy officer, Institute for Security and Technology comments:
“Sophos’ latest report is a clarion reminder that ransomware remains a major threat, both in scope and scale. This is particularly true for ‘target-rich, resource-poor’ organizations that don’t necessarily have their own in-house resources for ransomware prevention, response and recovery.
One way to boost security, which is aligned with Sophos’ findings in the report, is to implement the Ransomware Task Force’s Blueprint for Ransomware Defense, a framework of 48 safeguards based on the CIS IG1 Controls. It’s past time for the private and public sector to band together and collectively fight ransomware, which is why we are excited to work with cybersecurity providers like Sophos.”

Additionally, Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
  1. Strengthen defensive shields, including:
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
    • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
  2. Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
  3. Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations.

    About the survey

    Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.


Level 70
Top Poster
Content Creator
Oct 9, 2016
Other reports

Global ransomware attacks at an all-time high, shows latest 2023 State of Ransomware report​

Other highlights from the report include:​

  • Ransomware attacks resurged in early 2023, with new players such as Royal, BianLian, and Play ransomware gangs joining the field and major players like Lockbit and Clop executing mass-ransomware attacks.
  • The top targeted industries were manufacturing (19.5%), professional, scientific and technical services (15.3%) and educational services (6.1%).
  • The United States was the top targeted country, accounting for 43% of victim organizations, followed by the U.K. (5.7%) and Germany (4.4%).
  • Ransomware groups tend to target companies with annual revenues of approximately $50M to $60M, with third-party vendors often being targeted for client information extortion.
  • The top ransomware groups during the analysis period included Lockbit (29%), AlphaVM (BlackCat) (8.6%) and Black Basta (7.2%).
  • Common ransomware susceptibility indicators among victims included poor email configuration, recent credential leaks, public remote access ports, out-of-date systems and IP addresses with botnet activity.
  • Encryption-less ransomware is on the rise, underscoring the importance of data protection and regulatory compliance in addition to addressing business interruption risks posed by traditional encryption-based attacks.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.