EMEA organisations paying ransoms dropped by a fifth or more (22 per cent) from the previous year, according to the vendor Veeam, which compared regional data for the two years. This doesn’t necessarily mean organisations are facing fewer attacks, the data resilience product firm suggests. Instead, better data resilience and shifting attitudes toward negotiating with attackers are emerging. The firm says that organisations are increasingly able to recover data without paying ransoms; in 2023, 14pc recovered data without paying a ransom, while in 2024, this rose to 30pc. At the same time, there is a growing sense of reality that paying ransoms does not guarantee that data will be recovered; in 2023, more than half (54pc) of EMEA organisations who paid ransoms were able to recover their data, but in 2024, this dropped to 32pc.
Tim Pfaelzer, Senior Vice President and General Manager EMEA, Veeam said: “As attackers remain an untrustworthy method of recovering data, and as organisations improve their data recovery capabilities, it’s no surprise we’re seeing a drop in the number of ransoms being paid. But this doesn’t mean the threat from ransomware is over. Attackers will always adapt. We are seeing some forgo ransomware encryption entirely, instead stealing data to extort money directly or sell it on black markets. For some, financial gain isn’t even the main driver; disruption is. Payments may drop, but it doesn’t mean attacks will. And our data has clearly shown that significant gaps remain in data resilience, leaving organisations vulnerable.”
Data resilience measures
In the wake of EU regulations aimed at more data resilience, such as NIS2 and DORA for financial services, organisations are taking steps to better prepare for ransomware attacks. But they can’t afford to stand still – there is still important work to be done, the vendor adds. In 2024, it found only 37pc of EMEA organisations had arrangements for alternative infrastructure, meaning 63pc still lack those plans. This means that, in the event of a site-wide attack, organisations without alternative infrastructure will be unable to recover until the main site is declared clean, which in many cases could take weeks.
Tim Pfaelzer added: “It’s clear that organisations have put recovery at the heart of their data resilience strategy, rather than relying on paying ransoms, which is certainly a step in the right direction. But there’s more to be done. Regulation may have brought data resilience levels up, but organisations need to take it one step further. They should focus on improving baseline data resilience with alternative infrastructure and robust backups to fully negate the need to ever pay ransoms. This way, they can drive lasting and effective improvements to their data resilience.”
Council report
Ransomware remains the most disruptive threat to local authorities, often targeting backup systems and critical infrastructure. Recent attacks on councils, education and NHS systems suggest that attackers are adopting a multi-phase approach utilising the threat of releasing exfiltrated data and/or contacting people whose data has been exposed to put pressure on the organisation threatened. The time taken to effectively respond and clear up after an attack can vary but in general the larger and more complex the organisation the longer recovery will take. So said Tony Booth, Liverpool City Council’s ICT Security and Cyber Risk Manager, in a report to the council’s audit committee in September.
Home Office consultation
As Home Office security minister Dan Jarvis mentioned in a speech to the International Security Expo at London Olympia on October 1, in January he ‘announced a new package of measures to tackle ransomware’, whereby the UK Government went out to consultation on proposals for a ‘targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure and the public sector’; a ransomware payment prevention regime; and a mandatory incident reporting regime. The Government described ransomware as ‘the greatest of all serious and organised cyber crime threats’.