Ransomware Risks & Resiliency

Ransomware Risks & Resiliency

Taylor Grenawalt

Director,  Research & Insights

April 9, 2024

10 min

In a digital age where data is the new gold, ransomware has become the modern-day bandit. As small and medium-sized enterprises (SMEs) grapple with the onslaught of sophisticated cyber threats and resource constraints, it’s clear that ransomware resilience is not just a buzzword but a business lifeline and cybersecurity imperative.


Rising Ransomware Tides

The rising tide of ransomware is undeniably reshaping the cyber threat landscape. According to data reported by Sophos, 94% of organizations confirm that their backups, a crucial fallback in cyber defense, have been targeted by ransomware attacks1. Highlighting the growing value of and reliance on data and digital identities, more than 90% of attacks reported by Sophos clients involved data or credential theft2. This isn’t a random skirmish but a calculated assault, with public sectors and certain industries like healthcare, finance, and education seeing attacks on backups skyrocket by as much as 99%. Moreover, sectors pivotal to society, such as energy, oil, gas, and utilities, have found themselves increasingly in the crosshairs of ransomware criminals; organizations in the energy, oil, gas, and utilities market were 79% likely to lose their backups to ransomware, followed by education at 71%.

Remote ransomware incidents, 2022-2023

Case Study #1: Ardent Health Services Ransomware Incident:  

Amid a series of nationwide ransomware attacks, Ardent Health Services, which operates 30 hospitals in six states, took a defensive stance by shutting down networks during a Thanksgiving cyber assault. Affected hospitals in Texas, New Jersey, New Mexico, and Oklahoma were forced to divert emergency patients and reschedule non-urgent procedures. With at least 128 hospitals hit by ransomware this year, such attacks underscore the critical need for robust cybersecurity in healthcare to protect sensitive patient data and maintain essential services. Federal agencies are responding with heightened guidance, reflecting the urgency of defending against these pervasive digital threats.

Financial repercussions from these ransomware attacks are not just substantial but potentially catastrophic. Compromised backups result in heightened ransom demands and correlate with a higher payment likelihood, reflecting the acute pressure these companies face to restore operations swiftly. Firms with compromised backups were almost twice as likely to pay the ransom, doing so 67% of the time, compared to 36% for those with intact backups3. The median payment for those with compromised backups was a staggering $2 million, double the amount paid by organizations that managed to keep their backups safe. This financial burden can be especially overwhelming for small companies, which may lack the financial resilience of larger firms.

loss of business/revenue by industry from ransomware attacks

Case Study #2: Change Healthcare’s ALPHV Ransomware Disruption  

A ransomware attack by the ALPHV group against Change Healthcare, part of UnitedHealth, caused widespread disruption to medical billing services across the US. The event is a stark illustration of the escalating sophistication of cyber threats facing the healthcare sector and the consequent vulnerabilities. It highlights the critical dependency of healthcare services on digital platforms, the effectiveness of ransomware, and the complex decisions organizations face regarding ransom payments, underscoring the dire need for enhanced cyber defenses in healthcare.

Growing Sophistication & Success

Beyond the immediate financial toll, the strategic ramifications of ransomware are profound. The assault on backups is a calculated move to undermine an organization’s resilience and ability to recover. This strategic targeting reveals a sophisticated threat landscape where traditional reactive measures are no longer sufficient. Threat actors are constantly evolving, employing increasingly sophisticated methods to exploit vulnerabilities and maximize their impact, methods that are accelerating as a result of AI integrations and capabilities. The data reflects a harsh reality: more than half (57%) of these meticulous attacks have been successful, which suggests that traditional cybersecurity measures are struggling to keep pace4.

total value received by ransomware attackers, 2019-2023

Case Study #3: North Texas Municipal Water District Cybersecurity Breach  

The North Texas Municipal Water District, a crucial water service provider for over 2 million customers, fell victim to a ransomware attack by the Daixin Team, who claimed to have stolen sensitive personal data. The breach highlights the increasing cyber risks facing public utilities, with the group alleging the theft of over 33,000 files, raising concerns about identity theft and the security of critical infrastructure. This attack is part of a troubling rise in cyberattacks on essential service providers, prompting a concerted effort to reinforce cybersecurity measures and protect public services against such threats.

As the digital ecosystem grows more interconnected, the avenues for attackers multiply. With an expanding attack surface, delayed patches and misconfigurations become significant liabilities. Authentication-required vulnerabilities suggest a trend toward more intricate, targeted attacks, employing phishing, social engineering, and exploiting compromised credentials—techniques whose effectiveness is amplified by AI technology. According to the Sophos report, the most common root causes of ransomware attacks were exploited vulnerabilities and compromised credentials, pointing to the growing importance of securing network infrastructures and managing user access effectively.

Annual revenue

The stark difference in outcomes between organizations with secure versus compromised backups is a clarion call to prioritize robust cybersecurity protocols, including comprehensive threat detection systems, multi-factor authentication, regular backup recoveries, and secure, diversified storage solutions. The battle against ransomware is not only about safeguarding data but also about ensuring the very continuity and survival of organizations in a digital-first world.

Regulatory Perspective

The Cybersecurity and Infrastructure Security Agency (CISA) released a draft outlining the enforcement of a new cyber incident reporting program, mandated by Congress. This program requires covered organizations to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The draft, which spans 447 pages, marks the first detailed look into the scope of the program, defining "significant incidents" and identifying the organizations bound by these rules. Targeting a wide array of organizations within critical infrastructure sectors, the program is poised to enhance the collective security posture through improved incident awareness and collaboration between the public and private sectors.

Disproportionate Ransomware Risks

The state of ransomware presents a grim reality, especially for SMEs, startups, and low-revenue companies, which are disproportionately affected by the surge in cyber-attacks and ransomware risks.  

According to a 2021 study, the Institute for Security and Technology’s Ransomware Task Force found that 70% of ransomware attacks targeted small businesses5. As SMEs find themselves increasingly targeted by sophisticated ransomware attacks, they’re also experiencing a deterioration in cybersecurity resiliency. From 2022 to 2024, larger and higher revenue enterprises reporting cyber resilience exceeding their requirements rose from 18% to 51%6. Over that same period, the proportion of SMEs reporting insufficient cyber resilience rose from 5% to 37%. This growing disparity, compounded by a critical shortage of cyber skills and resources within smaller entities, signals an urgent need for targeted strategies to bolster the defenses of SMEs against the rampant threat of ransomware, ensuring their survival and continued contribution to the global business landscape.

This illustrates a disturbing trend where smaller organizations find themselves behind in the cyber arms race at a time when attacks are becoming more frequent and sophisticated.

Case Study #4: Fidelity National Financial Cyberattack Aftermath

Fidelity National Financial (FNF), North America’s largest title insurance and escrow services provider, suffered a significant cyberattack that disrupted operations and left customers uncertain about their transactions and investments. The incident, claimed by the ALPHV ransomware group, brought FNF’s systems to a standstill, illustrating the cascading effects of cyberattacks on the real estate industry and the challenges companies face in managing crisis communications and maintaining operational continuity amidst such threats.

These statistics paint a concerning picture for smaller businesses, where ransomware’s strategic and competitive implications are existential. With limited resources and often less sophisticated cybersecurity measures, small enterprises are prime targets for cybercriminals. This threat is exacerbated by the tendency of these businesses to pay higher ransoms due to the crippling impact of data loss. The need for robust, scalable cybersecurity solutions that cater to SMEs’ unique needs and constraints has never been more critical. As ransomware continues to evolve, these companies must prioritize proactive defenses, regular risk assessments, and secure backup strategies to mitigate the burgeoning risks in the cyber arena.

Ransomware Technology Trends & Solutions  

The following key trends in ransomware protection technology highlight a strategic shift towards leveraging advanced AI/ML for enhanced threat detection and response, adopting cloud-native platforms for agile deployment, and implementing sophisticated backup and data recovery solutions.

Case Study #5: LockBit 3.0 and Citrix Bleed Vulnerability  

The notorious LockBit 3.0 ransomware gang has aggressively exploited the “Citrix Bleed” security flaw, prompting CISA and Citrix to advise affected entities to take immediate corrective action. The vulnerability, which allows for authentication bypass and potential data breaches, has had a significant impact, with attackers targeting major corporations worldwide. This development has led to a critical reevaluation of cybersecurity strategies, emphasizing the necessity of proactive patching and the limitations of reactive measures in today’s sophisticated threat landscape.

Innovators in this space are differentiating themselves through AI/ML-driven threat intelligence, immutable and encrypted backup systems, and identity and access management to ensure secure and controlled data access. The emphasis on reducing the skill and resource gaps, especially among SMEs, through managed detection and response (MDR) services, alongside strategies like zero trust and data-first security, underscores a comprehensive approach to mitigating ransomware risks. Furthermore, behavior-based detection mechanisms are emerging as a crucial feature in identifying and protecting against zero-day attacks, indicating a move towards more proactive and predictive ransomware defense strategies.

ransomware security market map
To discover more on key technologies in the ransomware security space, head to the Platform.

Key Technical Features in Ransomware Protection

  • AI/ML-Driven Threat Intelligence: Utilizes AI/ML to analyze patterns and behaviors indicative of ransomware, enhancing early detection and enabling rapid response to threats. This technology is critical in adapting to evolving ransomware tactics and ensuring continuous protection.
  • Immutable Backup Systems: Offers a secure method for storing backups in an unchangeable state, preventing ransomware from corrupting or encrypting backup data. This feature is fundamental in ensuring data integrity and availability for recovery in the aftermath of an attack.
  • Advanced Encryption for Data Protection: Encrypts data at rest and in transit, providing a strong defense layer against unauthorized access. Advanced encryption techniques ensure that even if data is breached, it remains indecipherable to attackers, significantly mitigating the impact of ransomware.
  • Behavior-Based Detection for Zero-Day Attacks: Identifies ransomware attacks not just by known signatures but by analyzing malicious behavior, offering protection against previously unseen (zero-day) threats. This feature represents a shift towards more dynamic and adaptive ransomware defense mechanisms.
  • Cloud-Native and Serverless Platforms: Facilitates the rapid and flexible deployment of ransomware protection solutions, allowing seamless integration into existing IT infrastructures. Cloud-native architectures enable scalability and resilience, which are essential for defending against sophisticated cyber threats in a distributed digital environment.

Notable Ransomware Investment Activity  

The following represent some notable and significant recent events across the ransomware cybersecurity landscape. These strategic investments and acquisitions reflect a broader industry trend towards adopting more integrated, AI-enabled, and comprehensive cloud security solutions, indicating a concerted effort to address the evolving and complex landscape of cyber threats.

Ransomware Cybersecurity Funding:

Halcyon Raises $40 million in Series B Funding (Dec-23)  

Halcyon’s recent $40 million Series B funding round, led by Bain Capital Ventures, emphasizes the tech industry’s intensifying focus on ransomware defense, following a successful $50M Series A earlier in 2023. This investment will bolster Halcyon’s engineering, R&D, and sales capabilities, targeting key sectors such as education, financial services, and healthcare — particularly vulnerable to ransomware attacks.

Alcion Raises $21 million in Series A Funding (Sep-23)

Alcion announced a $21 million Series A funding round, led by Veeam, in September 2023. Alcion’s platform, aimed at businesses with cloud-based operations in Microsoft 365, employs AI-driven architecture to offer disaster recovery, anti-ransomware, anti-malware, and compliance tools, addressing the critical need for enhanced data management and security in the cloud. The company’s focus on leveraging AI for ransomware detection and offering proactive data protection strategies provides favorable positioning in the ransomware defense arena, reflecting a broader industry trend towards AI-enabled, comprehensive cloud security solutions.

Ransomware Cybersecurity M&A:

Hornetsecurity Acquires Vade Secure (Mar-24)

The merger between Hornetsecurity and Vade represents a strategic enhancement in the fight against ransomware, particularly through advanced email security for Microsoft 365. Vade’s expertise in AI-based email filtering technology directly addresses a critical vector for ransomware attacks, complementing Hornetsecurity’s broader cloud security and compliance solutions. This integration strengthens the collective capability to protect organizations from sophisticated email-borne ransomware threats.

Coro Acquires Privatise (Jul-23)

Coro’s strategic acquisition of Privatise for a multimillion-dollar deal significantly strengthens its position in the fight against ransomware, leveraging Privatise’s expertise in Secure Access Service Edge (SASE) technology. This merger enhances Coro’s cybersecurity offerings, particularly for mid-market companies, by providing an integrated platform that addresses key digital threats, including ransomware. The investment underscores the critical role of SASE in bolstering defenses against ransomware, marking a pivotal advancement in cybersecurity methodologies for ensuring secure, seamless access to resources across any location or device.

Supportive Ransomware Technologies

The following technologies can significantly enhance and bolster the effectiveness of ransomware protections and defenses, resulting in a more unified, proactive, and robust cybersecurity posture:

Data Security Posture Management (DSPM)

  • DSPM is becoming a cornerstone technology in the battle against ransomware, offering a proactive stance in identifying and mitigating data exposure risks before attackers can exploit them. By continuously scanning and analyzing data across cloud environments, DSPM tools provide visibility into where sensitive data resides, how it’s protected, and who has access to it. This level of insight enables organizations to tighten their data security policies, rectify misconfigurations, and enforce data protection measures effectively.  

Identity & Access Management (IAM)

  • IAM plays a pivotal role in ransomware protection by ensuring that only authenticated and authorized users can access critical systems and information. Implementing strong authentication methods, such as multi-factor authentication (MFA) and strict access controls, IAM systems minimize the risk of unauthorized access, often the first step in a ransomware attack. Furthermore, IAM solutions enable organizations to enforce least privilege principles, significantly reducing the attack surface by ensuring users only have access to the resources necessary for their roles. This limits the potential damage from ransomware and aids in quicker recovery by isolating affected areas without disrupting the entire network.

DLP (Data Loss Prevention)  

  • DLP technologies are instrumental in thwarting ransomware attacks by preventing the unauthorized transfer and deletion of sensitive information. DLP solutions monitor and control data flows within a network, identifying and blocking potentially malicious activities that could lead to data breaches or loss. By setting strict policies on data handling and transfer, DLP ensures that critical data does not unintentionally leave the secure perimeter without proper authorization. In a ransomware attack, DLP can mitigate the impact by ensuring that encrypted or stolen data cannot be exfiltrated, maintaining data confidentiality and integrity.

SASE (Secure Access Service Edge)

  • SASE is revolutionizing ransomware protection by merging network security services with wide-area networking capabilities to deliver secure access to organizational resources, regardless of location. SASE’s framework facilitates the dynamic scaling of security measures to protect data across cloud environments, remote workstations, and mobile devices, inherently reducing the risk of ransomware infiltration through decentralized points of access. By integrating technologies such as zero-trust network access, firewall-as-a-service (FWaaS), and secure web gateways within a unified, cloud-native platform, SASE ensures consistent enforcement of security policies. This simplifies the security management landscape and significantly diminishes the potential attack vectors for ransomware, safeguarding both data and users in a fluid, increasingly remote digital workspace.

Case Study #6: Tarrant Appraisal District Ransomware Dilemma  

The Tarrant Appraisal District, responsible for property value assessments, faced operational paralysis and a $700,000 ransom demand after a ransomware attack. This incident is indicative of the growing trend of cybercriminals targeting government infrastructure, reinforcing the urgent need for government entities to invest in cybersecurity defenses. The attack’s ramifications extend beyond the financial demand, putting the security of sensitive data at risk and testing the resolve of public institutions against succumbing to ransom demands.


The evolving ransomware landscape calls for a strategic realignment in how businesses, particularly SMEs, view and approach cybersecurity. With ransomware attacks like those faced by Ardent Health Services and the North Texas Municipal Water District becoming alarmingly routine, the narrative is clear: ransomware isn’t a matter of if but when. As the data from Sophos highlights, the targeting of backups and critical data systems is both strategic and calculated, leaving affected organizations facing steep ransom demands and dire financial consequences.  

Navigating the turbulent waters of the ransomware threat landscape demands a robust and forward-thinking approach to cybersecurity. In an era where data is both a critical asset and a prime target for cyber threats, adopting advanced data storage and protection technologies is no longer optional—it’s imperative. Companies must prioritize the deployment of sophisticated mechanisms such as immutable backups, end-to-end encryption, and blockchain for enhanced data integrity. This strategic investment fortifies their defense against ransomware and ensures compliance with evolving data protection regulations. By adopting a proactive and technology-forward approach to data security, businesses can safeguard their most valuable assets, maintain operational continuity, and foster consumer trust in an increasingly volatile digital landscape.

Strategic Recommendations & Considerations

  • Implement Immutable Storage Solutions: Utilize storage systems with immutability features to prevent data alteration or deletion during ransomware attacks.
  • Adopt End-to-End Encryption: Ensure all data, both at rest and in transit, is encrypted using strong encryption standards to protect against unauthorized access.
  • Leverage Blockchain for Data Integrity: Explore the use of blockchain technology to create tamper-evident and verifiable records of data transactions, enhancing transparency and security.
  • Utilize AI and Machine Learning: Deploy AI-driven solutions for predictive threat modeling and anomaly detection to identify and mitigate potential security breaches before they escalate.
  • Integrate Identity and Access Management with SASE Architectures: Enhance ransomware defenses by integrating advanced IAM and SASE solutions. This approach combines IAM’s rigorous user authentication and access controls with SASE’s dynamic, policy-driven network security, ensuring secure and seamless access to resources across any location.
  • Regularly Audit and Update Security Protocols: Conduct routine security audits and update protocols to address new threats, ensuring your data protection strategies remain robust and effective.
  • Educate and Train Employees: Foster a culture of cybersecurity awareness among employees to prevent data breaches resulting from human error or insider threats.
  • Engage in Continuous Data Recovery Planning: Develop and regularly test data recovery plans to ensure quick restoration of critical data, minimizing downtime in the aftermath of a cyber incident.

Whether it’s integrating advanced IAM and SASE architectures, conducting regular security audits, fostering a culture of cybersecurity awareness among your workforce, or developing a foolproof data recovery plan, our research experts stand ready to assist you in navigating the complexities of today’s cybersecurity landscape. Partnering with us means gaining access to cutting-edge research, strategic insights, and the innovative solutions needed to protect your critical assets against the ever-present threat of ransomware.  

Contact us today to learn more about how our research capabilities can support your cybersecurity initiatives and ensure your organization remains resilient in the face of ransomware threats. Together, we can turn challenges into opportunities for growth and security.


1. Fadilpašić, S. (2024, April 1). Ransomware attackers are increasingly targeting backups - so make sure yours are protected. TechRadar. https://www.techradar.com/pro/security/ransomware-attackers-are-increasingly-targeting-backups-so-make-sure-yours-are-protected

2. Written by Sean Gallagher, A. S. (2024, March 13). The 2024 sophos threat report: Cybercrime on main street. Sophos . https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/?cmp=7014w000001t59hAAA

3. 2023 ransomware report: Sophos State of ransomware. SOPHOS. (2023). https://www.sophos.com/en-us/content/state-of-ransomware

4. Fadilpašić, S. (2024, April 1). Ransomware attackers are increasingly targeting backups - so make sure yours are protected. TechRadar. https://www.techradar.com/pro/security/ransomware-attackers-are-increasingly-targeting-backups-so-make-sure-yours-are-protected

5. Written by Sean Gallagher, A. S. (2024, March 13). The 2024 sophos threat report: Cybercrime on main street. Sophos . https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/?cmp=7014w000001t59hAAA

6. World Economic Forum. (2024, January). Global cybersecurity outlook 2024 | world economic forum. World Economic Forum. https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2024.pdf