Buried Story of the 2023 Verizon DBIR: Ransomware Stopped Growing

June 26, 2023  Benjamin Gowan and Justin Theriot

Ransomware ConceptAs we do every year, we’re reading the Verizon Data Breach Investigations Report for 2023 with respect for the service they provide to the cybersecurity and cyber risk community with this massive effort in data gathering and interpretation, and admiration for the clarity (and humor!) of their presentation.  The DBIR was one inspiration for us to create our own annual Cybersecurity Risk Report analyzing FAIR™ top-risk scenarios populated with data gathered from the DBIR and other trusted industry sources.

We were glad to see the DBIR finding that “74% of all breaches include the human element” – that aligns with our report’s finding that Insider Error and Insider Misuse the top two risk themes for average annual probability.

Benjamin Gowan - RiskLens Data ScienceBen Gowan - Justin Theriot - RiskLens Data ScienceBenjamin Gowan is Senior Data Scientist and Justin Theriot Data Science Manager for RiskLens

But when it comes to ransomware, we think that the DBIR “buried the lede” based on its own data. “Ransomware continues its reign as one of the top Action types present in breaches, and while it did not actually grow, it did hold statistically steady at 24%,” the 2023 report said (p. 9, fig. 8). 

Ransomware did not grow – News alert!

Contrast that writeup with last year’s DBIR:

“This year, Ransomware has continued its upward trend with an almost 13% increase–a rise as big as the last five years combined (for a total of 25% this year).” – 2022 DBIR (p.7, fig 6.) 

The 2022 report went on to note that “Ransomware by itself is really just a model of monetizing an organization’s access.” 

Indeed, ransomware is ultimately an end-of-attack-chain monetization strategy, so concrete defenses against ransomware come back to the classics of defending against simple attacks like credential stuffing and phishing. 

A couple simple questions, and a little flipping of the script, can help put ransomware back in context. 

>>Is ransomware a characteristic of most DBIR events?

No. 76% of DBIR breaches do not involve ransomware! And this year, for the first time in years, it stalled and did not grow YoY. 

>>Do other sources corroborate a slowdown or decline in ransomware? 

Yes. Some excellent research by Chainalysis notes that “Ransomware payments are significantly down” as more and more firms refuse to pay. This is especially encouraging because it directly undermines that whole ‘monetizing’ motivation.  

RiskLens Cybersecurity Risk Annual Report 2023 CoverOne key reason for less payments is more engagement by insurers who must cover ransoms. One ‘active insurance’ group, Coalition Inc., noted some sharp declines in their policy holder claims in 2022: “Ransomware claims frequency dropped 54% year-over-year (YoY). Ransomware demands also decreased YoY from $1.2 million in 2021 to $1 million in 2022 — a 17.5% drop.” 

Finally, our own 2023 Cybersecurity Risk Report ranked ransomware scenarios at the bottom among seven risk themes for average loss exposure (based on probable likelihood and probable financial impact – see p. 3 of the report for more on our methodology).

Why the low ranking on loss exposure? For starts, our study looks out across the entire risk landscape, including the many garden-variety ransomware attacks that infect a few workstations, cost a limited amount of effort by a response team, and never make the headlines. There’s always the standard disclaimer that ransomware may be under-reported by some organizations fearing reputation loss. 

But the trend on ransomware, reinforced by the findings in the respected DBIR, looks steady for now, and against all the bad news we get in cybersecurity, that’s worth celebrating.