Why has the number of ransoms paid decreased while ransom payments have increased?

Recently I saw two seemingly opposing headlines regarding ransoms paid and the money being made from ransomware attacks. Ransom payments hit an all-time high, but the share of businesses paying ransoms hit a low.


That ransomware pays handsomely doesn’t surprise me. The ask has been going up steadily since 2013, when I first started tracking ransomware, looking for ways to prevent it and keep my clients safe. Back then, the ransom ask was usually around $300, and even then the criminals were making millions. Fast forward to 2023 and now they’ve made $1.1 billion! Aren’t we all envious of a business trajectory like that?

2023 marked a major comeback for cyber gangs deploying ransomware, who received a record-breaking sum of at least $1.1 billion in ransom payments. The billion-dollar mark was surpassed for the first time, according to blockchain analysis firm Chainalysis.

Record $1.1 billion paid in ransoms in 2023 | Cybernews

This is a crazy rapid increase. No wonder the frequency of attacks has gone up. When there’s money to be made, it becomes a business people want in on, even if it is criminal in civilized countries.

Ransomware Attack Vectors shift as New Software Vulnerability Exploits Abound (coveware.com)

Did Cyber insurance help increase ransoms?

In recent years another new trend hit. Cyber insurance changed the game. Insurance companies saw an opportunity to assuage business fears by selling insurance that would pay out if a business was attacked and a ransom was demanded to return it to operation. This had the effect of raising the ransoms.

The value of stand-alone cyber insurance premiums exceeded five billion U.S. dollars in 2022. This segment experienced rapid growth in 2021 when premiums amounted to 3.1 billion U.S. dollars, up from 1.6 billion U.S. dollars in the previous year.

Cyber insurance premiums written in U.S. 2022 | Statista

From $1.6 billion, to $3.1 billion, to $5 billion in as many years. Wow! Another business trajectory that we can all be envious of. But during this time, we also saw that insurance companies lost money on cyber insurance policies by giving businesses a way out without careful regard for risk. They misjudged. It got worse during 2020-2023, and we all noticed the dramatic rise in insurance premiums and security requirements as a result. Rumors circulated that IT service provider rate increases were in the 2x-4x range, and other types of businesses suffered the same fate.

Report on the Cybersecurity Insurance Market (insurancejournal.com)

The era of the easy cyber insurance claim quickly ended. Today, if you need to make a claim, there’s a lot of security enhancement work that must have been done within the business in advance. IT service providers have a great opportunity here, but they can also be held responsible, so be careful when filling out those insurance information request forms.

Fewer companies pay ransom

As a result of educational efforts by the IT industry, which advocates taking the money out of the ransomware business as the only real solution to this cyber security problem, the number of businesses paying ransoms following a cyber-attack has fallen significantly.

Fewer companies are paying ransomware hackers: report (axios.com)

This could also be the result of insurance companies not being so quick to pay ransoms for their policyholders. We may never know, but the end result is a very good trend.

What happens when a business sees a downward trend? It can react in one of two ways. It can become a bespoke company and raise prices (ransom demands), or it can broaden its market (go after more small businesses). Which is happening? Both? I don’t have that answer, but what we do know is that even though fewer than 30% of businesses pay the ransom, the ransomware industry is still in a growth pattern of ever higher revenues.

This shouldn’t surprise anyone in the IT industry. The number of people who click on a phishing email is small, and the number responding to spam email is small, but phishers and spammers still make a good living. Unless we can drive the cybercrime payouts to zero, it will always be with us.

Why should IT professionals care about these trends?

  • There’s opportunity to bring higher levels of security to smaller businesses
  • Big businesses and insurance companies don’t want to keep losing those record sums, which means they are also going to invest in security
  • Business owners are putting more trust in IT than in insurance payout potentials

I recently wrote a blog post, on my own blog at thirdtier.net, about the Canalys 2024 predictions, which listed one of the key challenges facing MSPs as the need to change their business model. That need is largely about how ransomware has changed the appetite for cyber security. It’s also about AI, but that’s a whole other opportunity set ahead.

If you’re not thinking about how cyber security trends are going to affect your business, I think you should start.
