Nearly a quarter (22.3%) of organisations that have fallen victim to a ransomware attack never publicly disclose that they were targeted at all. Of the remainder, victims typically take a long time to disclose an incident following the initial attack, though they tend to disclose rather rapidly once an incident has received public reporting.
These are some of the findings of Silobreaker’s Ransomware? What Ransomware? report. The study examined how ransomware attacks in 2022 were publicly reported and how victim organisations chose to disclose them. A large portion of victims (40%) took between one week and three months to disclose an incident following the initial attack, while 11% took longer than three months. What’s more, disclosures of data breaches resulting from a ransomware attack took an average of 90 days from the initial attack.
1. Disclosing an attack isn’t always straightforward
Long disclosure times can lead to an array of additional security issues beyond the mere downtime of operations that the encryption process of ransomware might cause. Ransomware attacks can have knock-on effects on additional companies that the victim organisation is partnered with or provides a service to, with the data of clients and consumers possibly falling into the hands of criminals. This data could then be used to engage in further malicious activity, such as phishing attacks or identity fraud.
Despite the damaging consequences that data exposure can have on the individuals and entities impacted by a ransomware attack, victim organisations may have legitimate reasons to delay issuing statements. For instance, it can take a long time to complete an investigation into what data and which individuals were impacted by the attack. And some organisations may never gain visibility into what information was encrypted and stolen.
2. There’s a dark web blind spot
The report also analysed the data available on the dark web, where ransomware actors use leak sites to claim their attacks and, if negotiations fail, leak the data they purportedly stole from the victim organisation. On average, the report found that ransomware attackers took about 27 days before naming a victim, with 56.6% of disclosing victims appearing on leak sites. Of these, 9.5% disclosed an attack on the same day as being added to a leak site, whilst 41.8% disclosed the attack prior to being added and 27% within a week of being added.
The ransomware leak sites listed over 6,000 potential victims throughout 2022. This figure is significantly higher than the 430 incidents analysed in the report. As the research only focused on publicly reported attacks where ransomware is specifically mentioned as the likely cause, the considerable difference in named victims indicates a large blind spot when it comes to public reporting of such incidents. At the same time, reporters and researchers may face challenges when examining the information on ransomware leak sites, including determining the accuracy of claims. The report found multiple examples of false or misleading claims by threat actors, such as confusing the victim they targeted with another organisation and claiming attacks on certain victims seemingly out of spite. In addition, reporters and researchers may not want to aid in the naming and shaming of victims that threat actors use as part of their extortion strategy. Though the leak sites serve to advertise stolen data to other threat actors, they also enable the attackers to apply pressure on the victims and gain leverage to extort them. Therefore, reporters and researchers may feel they are potentially contributing to the naming and shaming game when choosing to publicly report on an alleged attack.
3. The ramifications of not disclosing an attack
In some cases, victims did disclose a data breach, but made no mention of it involving ransomware. This was evident in the language observed in victim disclosures. Just under half (43.1%) of disclosing victims mentioned the term ‘ransomware’, with a further 6.9% hinting at encryption or a ransom demand. The remaining disclosures typically used more generic terms to describe the ransomware attack, including phrases like ‘incident’ or ‘disruption.’ From April 2022 onwards, victim disclosures more frequently used vague language to describe the attack, with the term ‘ransomware’ only used in 38.4% of disclosures.
Victim organisations may choose to use vague language in an attempt to control the narrative of the incident and to avoid creating panic amongst their customers. However, a lack of clear messaging can have an equally bad, if not worse, effect, as an increasing number of ransomware victims face lawsuits in relation to data breaches stemming from ransomware attacks. Many of these lawsuits typically allege a lack of security, negligence, delayed information disclosure and breach of contract. With that in mind, victim organisations may be better off being clear about what happened and releasing updates on the impact as the investigation unfolds, to ensure that critical information is passed on as soon as possible.
Visibility into threats is key
What these findings have shown is that reporting on ransomware attacks is not always as straightforward as you might think. Taking into consideration that many victims do not disclose being targeted at all, impacted parties will need to rely on other forms of reporting, such as open-source reporting via traditional news outlets or social media. However, as the dark web data showed, even that might not be enough to gain a full picture.
Kristofer Mansson, CEO of Silobreaker, stated: “It’s vital that all organisations – not just the initial target – have complete and immediate visibility into all ransomware threats, as an attack on a partner could have a major impact across the entire supply chain.” Consequently, organisations need to rely on a combination of different sources to stay informed of any cyber incidents that could impact them.
Silobreaker enables organisations to pivot between millions of open, deep and dark web sources and finished intelligence data. Our Ransomware Intelligence helps identify ransomware and other malware targeting organisations or industries. By profiling threat actors, attack types and tactics, techniques, and procedures (TTPs), Silobreaker boosts visibility into threats and provides actionable intelligence to help mitigate risks. Bridging the gaps in disclosure with the right intelligence is crucial for organisations to stay a step ahead of ransomware and other forms of cyber attacks.
Download a copy of the report Ransomware? What Ransomware? to learn more.