5 Key Takeaways from New 2023 Ransomware Trends Report

There are a plethora of studies and reports on cyber security and ransomware out in the marketplace, but I always enjoy reading and respect the findings of Jason Buffington, VP of Market Strategy at Veeam and his team. Their recently released 2023 Global Report on Ransomware Trends details lessons learned from 1,200 ransomware victims in 2022. You will want to download the full report here, but in the meantime, below are 5 key takeaways that I found compelling and aligns with other market research we have engaged in.

1. Have Clean Backup Copies and Verify Recoverability – The most common element of an incident response playbook is a good backup. That means having “clean” backup copies with data that is survivable against attacks and does not include malicious code. Then test and verify that the backups are recoverable. Best practices these days are to follow a 3-2-1-1 rule, namely 3 copies of data, 2 different media types to store backups, 1 offsite location to store backups online, and 1 offsite location to store backups offline. As the Veeam study suggests, better make that 3-2-1-1-0, where the 0 represents the best practice of verifying zero errors or malware code before restoring the backups.
2. 80% of Victims Paid The Ransom – While an astounding 80% of victims in the Veeam study reported paying the ransom, 21% of victims still could not recover their data even after paying the ransom because the decryption code didn’t work or was not given at all. This is likely due to the fact that in 77% of the cases, insurance policies were used to pay the ransom, or backups were also affected as detailed in #3 below. Regarding insurance policies as a hedge against cybercrime, the Veeam report shows that 21% of respondents said that ransomware was now excluded from their policies while 74% saw increased premiums, 43% saw increased deductibles and 10% saw reduced coverage benefits.
3. Backup Repositories Affected in 75% of Victims – 93% of victims reported that the bad actors went after their backup repositories. 32% reported most or all backups were impacted while 43% said some backup repositories were affected for a total of 75%. Just 18% said the hackers tried, but were unsuccessful in impacting the backup repositories. Only 7% reported no attempt to attack their backup repositories.
4. It Takes at Least 3 Weeks to Recover from an Attack – As in any IT-related disaster, it takes time to recover. Recovery from a natural disaster like fire or flood can begin immediately. But recovery from a ransomware attack takes time first to identify which systems were impacted. Then determine if backups are not also infected only to reintroduce the malware. At this point, recovery can begin which typically takes 3+ weeks.
5. Tape Still Matters in 2023 – According to the Veeam report, only 16% of victims were able to recover from the attack without paying the ransom. To do that, they had to have recoverable data within their backup repositories which means that the data was immutable or air-gapped. In 2023, it is very achievable for backup data to be immutable across its entire data protection lifecycle, including short-term disk, within BC/DR capable clouds and long-term tape storage. According to the survey, 14% of respondents said they utilize offline air-gapped tape.

While 16% of respondents being able to avoid paying the ransom sounds low, that number will surely rise as the frequency and sophistication of ransomware attacks increase along with the price of ransom payments. A very simple and cost-effective way to do this will increasingly be via tape air gap. According to recent interviews I’ve had with independent cyber security experts (with no stake in the tape business) they say that they recommend tape air gap for this very reason.

We know that new Federal mandates and SEC rules will enforce best practices around cyber security and that the FBI and CISA recommend offsite, offline backups as a hedge against ransomware. We also know that cyber insurance companies want to see offsite, offline backups as part of a comprehensive cyber security plan.

We also demonstrated that putting one petabyte of data on LTO-9 tapes offsite and offline for 5 years only costs a surprisingly low $60,000 or $12,000 per year. That’s an inexpensive proposition considering the average bitcoin ransom demands are in the $3.0 – $5.0 M range.

We learned from our own research that customers with tape air gap said that it played a significant role in helping them to avoid paying ransoms. We heard this too from Tony Mendoza of Spectra Logic in this video when he recovered from a ransomware attack and decided not to pay the ransom.

It’s become clear that cybersecurity requires a multi-faceted approach, including regular software patches, frequent password resets, 2-factor authentication, secure networks, and user education to stay safe by avoiding suspicious links and attachments.

Finally, it’s also becoming clear that protecting data with an air gap on highly reliable and cost-effective tape can also contribute to an organization’s ability to effectively protect and recover their assets, avoid paying a hefty ransom, and safeguard their business continuity, reputation and stakeholder trust.