Skip to content

New SANS 2023 CTI report – Keeping up with a changing threat landscape Download Report +

  • How it works
  • Solutions
        • Cyber Threat Intelligence
          • APT Monitoring
          • Asset Monitoring
          • Cyber Threat Landscape Intelligence
          • Data Breach Intelligence
          • Fraud Intelligence
          • Phishing Intelligence
          • Ransomware Intelligence
          • Supply Chain Threat Intelligence
          • Vulnerability Intelligence
        • Strategic and Geopolitical Intelligence
          • Competitor Benchmarking Intelligence
          • Corporate Risk Intelligence
          • Geopolitical Intelligence
        • Physical Risk Intelligence
          • Areas of Operation Intelligence
          • Events and Activism Intelligence
        • Brand Threat Protection
        • Industries
          • Education
          • Energy and Utilities
          • Financial Services
          • Government and Defence
          • Healthcare and Pharma
          • Media and Entertainment
          • Retail and Commerce
          • Service Providers
          • Technology and Telecoms
  • Alerts
        • Silobreaker Demo

          See a demo of Silobreaker in action

          Request a demo +

        • Free Intelligence Email Alerts
          • Weekly Vulnerability Monitoring Alert
          • Daily Cyber Alert
          • Weekly Cyber Digest
          • Financial Services Threat Alert
          • Ransomware Rewind
          • Russia-Ukraine Insights Alert​
          • US Politics Media Watch​
  • Resources
        • Silobreaker ROI

          Answer more intelligence use cases with a single tool

          Read our ROI Report +

        • Data SheetsDownload our product information
        • EventsMeet our team of experts
        • Customer StoriesLearn how customers reduce risk
        • BlogExpert insights, trends and tips
        • ReportsIn-depth analysis and insights
        • WebinarsOnline events you don’t want to miss
  • Partners
  • Company
        • Customer Support

          Get product support from our experts

          Contact support +
        • AboutLearn about our people and awards
        • CareersIt’s a great time to join Silobreaker
        • PressAll the latest buzz on the company
        • Contact usGet in touch with sales and support
  • Login
  • Request demo
  • Request demo
Menu
  • Request demo
  • Blog
  • 9 June, 2023

What you don’t know could hurt you: 3 key findings on ransomware attack disclosures

Nearly a quarter (22.3%) of organisations that have fallen victim to a ransomware attack never publicly disclose they had been targeted at all. Of the remainder, victims typically take a long time to disclose an incident following the initial attack, though they tend to disclose rather rapidly once an incident has received public reporting.

These are some of the findings of Silobreaker’s Ransomware? What Ransomware? report. The study examined the ways in which ransomware attacks in 2022 were reported on publicly and how victim organisations chose to disclose attacks. A large portion of victims (40%) took between one week and three months to disclose an incident following the initial attack, while 11% took longer than three months. What’s more, disclosures of data breaches because of a ransomware attack took an average of 90 days from the initial attack.

1. Disclosing an attack isn’t always straightforward

Long disclosure times can lead to an array of additional security issues beyond the mere downtime of operations that the encryption process of ransomware might cause. Ransomware attacks can have knock-on effects on additional companies that the victim organisation is partnered with or provides a service to, with the data of clients and consumers possibly falling into the hands of criminals. This data could then be used to engage in further malicious activity, such as phishing attacks or identity fraud.

Despite the damaging consequences that data exposure can have on the individuals and entities impacted by a ransomware attack, victim organisations may have legitimate reasons to delay issuing statements. For instance, it can take a long time to complete an investigation into what data and which individuals were impacted by the attack. And for some organisations, they may never gain visibility into what information was encrypted and stolen.

2. There’s a dark web blind spot

The report also analysed the data available on the dark web, where ransomware actors use leak sites to claim their attacks and, if negotiations fail, leak the data they purportedly stole from the victim organisation. On average, the report found that ransomware attackers took about 27 days before naming a victim, with 56.6% of disclosing victims appearing on leak sites. Of these, 9.5% disclosed an attack on the same day as being added to a leak site, whilst 41.8% disclosed the attack prior to being added and 27% within a week of being added.

The ransomware leak sites listed over 6,000 potential victims throughout 2022. This figure is significantly higher than the 430 incidents analysed in the report. As the research only focused on publicly reported attacks where ransomware is specifically mentioned as the likely cause, the considerable difference in named victims indicates a large blind spot when it comes to public reporting of such incidents. At the same time, reporters and researchers may face challenges when examining the information on ransomware leak sites, including determining the accuracy of claims. The report found multiple examples of false or misleading claims by threat actors, such as confusing the victim they targeted with another organisation and claiming attacks on certain victims seemingly out of spite. In addition, reporters and researchers may not want to aid in the naming and shaming of victims that threat actors use as part of their extortion strategy. Though the leak sites serve to advertise stolen data to other threat actors, they also enable the attackers to apply pressure on the victims and gain leverage to extort them. Therefore, reporters and researchers may feel they are potentially contributing to the naming and shaming game when choosing to publicly report on an alleged attack.

3. The ramifications of not disclosing an attack

In some cases, victims did disclose a data breach, but made no mention of it involving ransomware. This was evident in the language observed in victim disclosures. Just under half (43.1%) of disclosing victims mentioned the term ‘ransomware’, with a further 6.9% hinting at encryption or a ransom demand. The remaining disclosures typically used more generic terms to describe the ransomware attack, including phrases like ‘incident’ or ‘disruption.’ From April 2022 onwards, victim disclosures more frequently used vague language to describe the attack, with the term ‘ransomware’ only used in 38.4% of disclosures.

Victim organisations may choose to use vague language in an attempt to control the narrative of the incident and to avoid creating panic amongst their customers. However, a lack of clear messaging can have an equally, if not worse, effect, as an increasing number of ransomware victims face lawsuits in relation to data breaches stemming from ransomware attacks. Many of these lawsuits typically allege a lack of security, negligence, delayed information disclosure and breach of contract. With that in mind, victim organisations may be better off with being clear about what happened and releasing updates on the impact as the investigation unfolds to ensure that critical information is passed on as soon as possible.

Visibility into threats is key

What these findings have shown is that reporting on ransomware attacks is not always as straightforward as you might think. Taking into consideration that many victims do not disclose being targeted at all, impacted parties will need to rely on other forms of reporting, such as open-source reporting via traditional news outlets or social media. However, as the dark web data showed, even that might not be enough to gain a full picture.

Kristofer Mansson, CEO of Silobreaker, stated: “It’s vital that all organisations – not just the initial target – have complete and immediate visibility into all ransomware threats, as an attack on a partner could have a major impact across the entire supply chain.” Consequently, organisations need to rely on a combination of different sources to stay informed of any cyber incidents that could impact them.

Silobreaker enables organisations to pivot between millions of open and deep and dark web sources and finished intelligence data. Our Ransomware Intelligence helps identify ransomware and other malware targeting organisations or industries. By profiling threat actors, attack types and tactics, techniques, and procedures (TTPs), Silobreaker boosts visibility into threats and provides actionable intelligence to help mitigate risks.  Bridging the gaps in disclosure with the right intelligence is crucial for organisations to stay a step ahead of ransomware and other forms of cyber attacks.

Download a copy of the report Ransomware? What Ransomware? to learn more.

Contributors

Hannah Baumgaertner, Analyst Team Lead, Silobreaker
Peter Kroyer Bramson, Analyst, Silobreaker

Share

Related Posts

New Features to Help Prioritise, Investigate and Report on Threats

Learn More+

Nation-state actors and sophisticated campaigns: Examining potential biases in reporting

Learn More+

How to change from risk averse to risk aware with threat intelligence

Learn More+

Treemaps to visualise and prioritise threat intelligence

Learn More+

Prioritise Cyber Threats Faster With New IOC Risk Scoring Capabilities

Learn More+

Understanding – and overcoming – the pitfalls of assumption and bias in intelligence

Learn More+

Get started today

Ready to try it for yourself? Request a demo of Silobreaker today.

Request demo
Silobreaker
Linkedin-in Facebook-f

Product

  • How it Works
  • Solutions
  • Industries
  • How it Works
  • Solutions
  • Industries

Log in

Resources

  • Alerts
  • Blog
  • Data Sheets
  • Webinars
  • Reports
  • Glossary
  • Alerts
  • Blog
  • Data Sheets
  • Webinars
  • Reports
  • Glossary

Partners

  • Integration Partners
  • Channel Partners
  • Integration Partners
  • Channel Partners

Company

  • About Silobreaker
  • Press
  • Careers
  • Services
  • Legal
  • Privacy Policy
  • About Silobreaker
  • Press
  • Careers
  • Services
  • Legal
  • Privacy Policy

Contact

  • Sales
  • Support
  • Offices
  • Sales
  • Support
  • Offices
Copyright © 2023 by Silobreaker Limited. All rights reserved.