Cyber

Ransomware round-up

by Mark Rowe

EMEA organisations paying ransoms dropped by a fifth or more (22 per cent) from the previous year, according to the vendor Veeam, which compared regional data for the two years. This doesn’t necessarily mean organisations are facing fewer attacks, the data resilience product firm suggests. Instead, better data resilience and shifting attitudes toward negotiating with attackers are emerging. The firm says that organisations are increasingly able to recover data without paying ransoms; in 2023, 14pc recovered data without paying a ransom, while in 2024, this rose to 30pc. At the same time, there is a growing sense of reality that paying ransoms does not guarantee that data will be recovered; in 2023, more than half (54pc) of EMEA organisations who paid ransoms were able to recover their data, but in 2024, this dropped to 32pc.

Tim Pfaelzer, Senior Vice President and General Manager EMEA, Veeam said: “As attackers remain an untrustworthy method of recovering data, and as organisations improve their data recovery capabilities, it’s no surprise we’re seeing a drop in the number of ransoms being paid. But this doesn’t mean the threat from ransomware is over. Attackers will always adapt. We are seeing some forgo ransomware encryption entirely, instead stealing data to extort money directly or sell it on black markets. For some, financial gain isn’t even the main driver; disruption is. Payments may drop, but it doesn’t mean attacks will. And our data has clearly shown that significant gaps remain in data resilience, leaving organisations vulnerable.”

Data resilience measures

In the wake of EU regulations aimed at greater data resilience, such as NIS2 and DORA for financial services, organisations are taking steps to better prepare for ransomware attacks. But they can’t afford to stand still – there is still important work to be done, the vendor adds. In 2024, it found only 37pc of EMEA organisations had arrangements for alternative infrastructure, meaning 63pc still lack such plans. This means that, in the event of a site-wide attack, organisations without alternative infrastructure will be unable to recover until the main site is declared clean, which in many cases could take weeks.

Tim Pfaelzer added: “It’s clear that organisations have put recovery at the heart of their data resilience strategy, rather than relying on paying ransoms, which is certainly a step in the right direction. But there’s more to be done. Regulation may have brought data resilience levels up, but organisations need to take it one step further. They should focus on improving baseline data resilience with alternative infrastructure and robust backups to fully negate the need to ever pay ransoms. This way, they can drive lasting and effective improvements to their data resilience.”

Council report

Ransomware remains the most disruptive threat to local authorities, often targeting backup systems and critical infrastructure. Recent attacks on councils, education and NHS systems suggest that attackers are adopting a multi-phase approach utilising the threat of releasing exfiltrated data and/or contacting people whose data has been exposed to put pressure on the organisation threatened. The time taken to effectively respond and clear up after an attack can vary but in general the larger and more complex the organisation the longer recovery will take. So said Tony Booth, Liverpool City Council’s ICT Security and Cyber Risk Manager, in a report to the council’s audit committee in September.

Home Office consultation

As Home Office security minister Dan Jarvis mentioned in a speech to the International Security Expo at London Olympia on October 1, in January he ‘announced a new package of measures to tackle ransomware’, whereby the UK Government went out to consultation on proposals for a ‘targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure and the public sector’; a ransomware payment prevention regime; and a mandatory incident reporting regime. The Government described ransomware as ‘the greatest of all serious and organised cyber crime threats’.

Readiness report

In the latest, ninth annual Hiscox Cyber Readiness Report by the insurer, 27 per cent of SME (small and medium) businesses surveyed reported an attack in the past year. Of those affected, 80pc – which includes both insured and uninsured businesses – paid a ransom in an attempt to recover or protect critical data. However, only 60pc successfully recovered all or part of their data as a result, and for almost a third (31pc) of those who paid a ransom, the attackers demanded more money.

Eddie Lamb, Global Head of Cyber at Hiscox, said: “There’s no doubt that ransomware tactics are shifting and for uninsured businesses without the expertise of a cyber insurer this leaves them significantly exposed. Cyber criminals are now much more focused on stealing sensitive business data – things like contracts, executive emails, financials, and intellectual property – because it’s easier to monetise than personal information. Once stolen, they demand payment to avoid public exposure, pricing threats based on reputational damage. This change has exposed gaps in some companies’ data loss prevention controls, which attackers are readily exploiting.”
