VestNexus.com


Criminals persist with ransomware attacks despite ongoing efforts to improve defenses

Ransomware remains a substantial challenge for organizations, with recently published cyber insurance industry reports showing increased activity by cybercriminals and others.

Companies should institute or continue with diligent efforts to combat such attacks, experts say.

The attacks, which often involve a “threat actor” gaining access to an organization’s system, taking control of sensitive data and then demanding payment with the threat of making the data public, have been an ongoing concern for organizations, particularly over the past five years.

According to a Travelers Cos. Inc. study, there was a 67% increase in the formation of new ransomware groups last year, and the fourth quarter showed the most leak site activity in more than a year, said Lauren Winchester, Philadelphia-based head of cyber risk services at the insurer.

“We analyzed ransomware leak site activity, and it shows a continued increase each quarter, with fourth quarter 2024 up 32% over the prior quarter and, notably, the highest quarter of leak site activity in the past 15 months, with nearly 1,700 victim companies that were posted,” Ms. Winchester said.

“The number of ransomware groups that we’ve seen active on the leak sites has also increased over the past year,” she said.

Cyber insurer Coalition Inc. said in a March report that it forecasts more than 45,000 software vulnerabilities will be published this year and that the most common initial access vectors across all ransomware claims in 2024 were stolen credentials, at 47%, followed by software exploitation at 29%.

“It’s not going away as a problem,” said Daniel Woods, Edinburgh, Scotland-based senior security researcher for Coalition, who is also a lecturer on cybersecurity at the University of Edinburgh.

In some cases, a data security incident can spread beyond the initial target to ancillary victims, he said.

“The impact ripples through society. … You see the spill-on effects. It’s not just that one company suffers in some cases,” Mr. Woods said.

“From a claims perspective, it’s the largest issue we face in terms of types of claims we’re seeing and in terms of dollars going out the door, in terms of claims payments,” said Jeremy Gittler, New York-based global head of claims for Resilience Cyber Insurance Solutions Inc.

Vendor exposures are growing as a source of losses as businesses become more reliant on other businesses, Mr. Gittler added.

“You’re into a situation where you’re worried about claims that are against another company that’s having a downstream effect on you,” he said.

In 2024, 44% of material losses at Resilience were from ransomware directly, and 16% were from ransomware via a vendor (see graphic). Data recovery and business interruption can often be large components of total ransomware costs, Mr. Gittler said.

“Ransomware remains a persistent threat. We believe that the sophistication and the variety of the attacks are becoming more severe,” said Rachel Lavender, Washington-based managing director of Marsh LLC’s cyber practice.

She also noted the effect of vendor and third-party incidents.

Clients are seeking information on augmenting incident response plans to protect against attacks via third parties, Ms. Lavender said.

Organizations can employ various defenses against the attacks.

“Brute force” attacks, in which a threat actor attempts to compromise a data system by randomly generating password guesses until one works, can be defeated with the adoption of multifactor authentication, which requires an extra confirmation step after a password. Mr. Woods cautioned, however, that the multifactor authentication must be implemented properly in the appropriate places within a system for it to be effective.

Deploying controls like multifactor authentication can require a five- or six-figure investment, which can be a recurring cost if a business is licensing a software product, said Gwenn E. Cujdik, Exton, Pennsylvania-based manager-North America cyber incident response and cyber services for Axa XL, a unit of Axa SA. Such expenses can often be beyond the reach of small and medium-sized enterprises, she said.

Some effective controls can take several years to fully implement, which adds costs that are challenging for some small businesses to meet, Ms. Lavender said.

Endpoint detection and response is another technology tool that can help businesses combat ransomware, Ms. Winchester said.

By monitoring each user or endpoint on a network for irregular activity, the technology can trigger an alert and help limit the progress of any breach incident or “minimize the blast radius,” she said.

Should an incident occur, it’s imperative to work with a data forensic incident response firm, Mr. Gittler said.


Employee awareness training can help firms build cyber resilience

Building resilience against an increasingly hostile ransomware environment should include employee awareness training, experts say.

Such training can often be deployed quickly and inexpensively compared with modern defensive technology tools being used to combat ransomware.

Training programs can be effective, said Gwenn E. Cujdik, Exton, Pennsylvania-based manager-North America cyber incident response and cyber services for Axa XL, a unit of Axa SA.

Steps such as developing policies and procedures about software use for employees, helping insurers better spot phishing incidents, and using proper authentication protocols can go a long way toward mitigating cyber exposures, Ms. Cujdik said. Such policies and procedures are relatively inexpensive, she added.

“There are definitely some tools that companies can deploy immediately that can provide great benefit, even something as simple as employee awareness training,” said Rachel Lavender, Washington-based managing director of Marsh LLC’s cyber practice.

Training has reduced the incidence of employees clicking on malicious emails and links, she said.

“You need thorough education within the company to make sure that everyone is well equipped to make sure you’re not clicking anything that you shouldn’t or being tricked,” said Jeremy Gittler, New York-based global head of claims for Resilience Cyber Insurance Solutions Inc.

Human error remains one of the main causes of breaches, he said.