Ransomware recovery costs soar in energy & water sectors

The median recovery costs for the Energy and Water sectors have increased fourfold to USD $3 million over the past year, according to Sophos' new report, The State of Ransomware in Critical Infrastructure 2024. This figure is substantially higher than the global cross-sector median.

The report, based on responses from 275 individuals at organisations within the energy, oil and gas, and utilities sectors, highlights that almost half (49%) of the ransomware attacks against these sectors began with an exploited vulnerability. This survey is part of a broader study involving 5,000 cybersecurity and IT leaders from 14 countries and 15 industry sectors.

"Criminals focus where they can cause the most pain and disruption so the public will demand quick resolutions, and they hope, ransom payments to restore services more quickly. This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, modern society demands they recover quickly and with minimal disruption," said Chester Wisniewski, Sophos' global Field CTO.

Wisniewski also noted the specific vulnerabilities of public utilities. "Unfortunately, public utilities are not only attractive targets but vulnerable to attacks on many fronts, including the requirement for high availability and safety, as well as an engineering mindset focused on physical security. There's a preponderance of older technologies configured to enable remote management without modern security controls like encryption and multifactor authentication. Like hospitals and schools, these utilities are frequently operating with minimal staffing and without the IT staffing required to stay on top of patching, the latest security vulnerabilities, and the monitoring required for early detection and response."

The report further reveals that the median ransom payment for organisations in these sectors has risen to over USD $2.5 million, which is USD $500,000 higher than the global cross-sector median. Sixty-seven percent of organisations in the Energy and Water sectors reported being hit by ransomware in 2024, compared to the global average of 59%.

The recovery times for organisations affected by ransomware in these sectors are also lengthening. Only 20% of those hit by ransomware recovered within a week or less in 2024, a significant decline from 41% in 2023 and 50% in 2022. Moreover, 55% took more than a month to recover, an increase from 36% in 2023. This contrasts with the global statistic, where 35% of companies took more than a month to recover.

The data also shows that the Energy and Water sectors reported the highest rate of backup compromise at 79%, and the third highest rate of successful encryption at 80% compared to other industries surveyed.

Wisniewski commented on these findings, stating, "This once again shows that paying ransom payments almost always works against our best interests. An increasing number (61%) paid the ransom as part of their recovery, yet the amount of time it took to recover was extended. Not only do these high rates and amounts of ransoms encourage more attacks on the sector, but they are not achieving the claimed goal of shorter recovery times."

He emphasised the need for proactive measures, advising, "These utilities must recognise they are being targeted and take proactive action to monitor their exposure of remote access and network devices for vulnerabilities and ensure they have 24/7 monitoring and response capabilities to minimise outages and shorten recovery times. Incident response plans should be planned in advance, the same as for fires, floods, hurricanes, and earthquakes, and be rehearsed on a regular schedule."

The State of Ransomware in Critical Infrastructure 2024 report provides an extensive analysis of the current cybersecurity landscape, highlighting the growing challenges faced by critical infrastructure sectors and the urgent need for robust security measures.