Ransomware Attack Severity Increased 68% in H1, 2024
The use of ransomware in cyberattacks decreased slightly in the first half of the year; however, the severity of ransomware attacks increased according to the 2024 Cyber Claims Report: Mid-Year Update from cyber insurance and security service provider Coalition.
For the report, Coalition examined claims against cyber insurance policies between January 1, 2024, and June 30, 2024. Claims by businesses with less than $25 million in revenue fell by 4% to an average of $73,000 per incident but claim amounts increased for all other businesses. Claims by businesses with revenues between $25 million and $100 million increased by 23%, with average losses of $129,000 per incident and there was a 140% increase in losses at businesses with $100 million or more in revenue, with average losses rising to a record high of $307,000 per incident. While there was an overall increase of 14% in claims severity in H1, 2024, largely driven by the increase in ransomware attack severity, Coalition saw the lowest frequency of claims since H2, 2022.
There was a slight reduction in ransomware-related claims in the first half of the year, but the severity of attacks increased by 68%. Ransomware attacks were amongst the most expensive cyberattacks, with average losses of $353,000 per incident, up from average losses of $239,000 in H2, 2023 but down from an average loss of $402,000 in H1, 2023. Around 40% of policyholders who suffered a ransomware attack chose to pay the ransom in H1. When Coalition negotiated with ransomware groups, there was an average reduction of 57% from the initial demand. The two ransomware groups that demanded the highest ransom payments were Play and Blacksuit, with average ransom demands of $4.3 million and $2.5 million. These groups were the most active in H1, taking over from LockBit, which was the subject of a law enforcement operation that seized the group’s infrastructure.
H1 saw major disruption caused by ransomware attacks at Change Healthcare and CDK Global, which had far-reaching consequences. The ransomware attack on Change Healthcare affected 11% of healthcare organizations with between $25 million and $100 million in revenue, and 24% of businesses with more than $100 million in revenue. The ransomware attack on CDK Global, a provider of data and technology to the automotive industry, affected 75% of auto dealers with more than $100 million in revenue.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Coalition said ransomware activity in the first half of the year followed a consistent pattern as in previous years, with ransomware groups typically conducting more attacks in winter than summer, especially during holiday periods such as Thanksgiving and Christmas when staffing levels are lower and there is less chance of their attacks being identified before they have achieved their aims. While there was a 32% fall in ransomware attacks on healthcare organizations with $100 million or more in revenues in H1, attacks are up 134% from the first half of 2023.
Ransomware attacks were the third most common reason for claims against cyber insurance policies, accounting for 18% of claims. 27% of claims were due to fund transfer fraud (FTF), and the most common reason for claims was business email compromise (BEC) attacks, which accounted for almost one-third of claims (32%). The frequency of BEC-related claims increased by 4%, which Coalition attributes, in part, to the use of AI tools. While the number of BEC-related claims increased, the severity of those incidents decreased by 30%, with an average loss of $26,000. Other incidents accounted for 23% of claims, down 10% from H2, 2023. The most common cause (62%) was non-encryption system compromises such as data breaches.
Coalition identified several factors that increased the likelihood of a claim. The biggest risk was exposed login panels for websites or applications, which made claims three times more likely. Businesses that used Cisco Adaptive Security Appliances (ASA) were 5.1 times more likely to submit a claim than other businesses, indicating malicious actors are actively targeting vulnerabilities in ASA devices. Users of FortioOS SSL VPNs were 2.8 times more likely to submit a claim, and businesses with SonicWall firewalls were 1.8 times as likely to submit a claim. These figures clearly show why it is important to keep firmware up to date and to ensure multifactor authentication is implemented for VPNs. Other risky technologies that increased the likelihood of a claim were Remote Desktop Web Access (2.7x), EOL Microsoft Internet Information Services (2.4x), Microsoft Remote Procedure Call (2.3x), and Remote Desktop Protocol (1.7x).
