An analysis of how delayed, incomplete disclosures can place customers and third parties at heightened risk of disruption
Silobreaker, a leading security and threat intelligence technology company, today released the findings of its study into how quickly and thoroughly organisations disclose that they have been hit by ransomware. The research looked at 430 known ransomware incidents identified on the Silobreaker platform in the 2022 calendar year, assessing the time lag between the initial attack, the date when the attack was first reported on news sites, blogs, social media and other open-source data platforms, and the date when the organisation confirmed the attack – as well as the date the attack was claimed by a specific ransomware actor.
The research revealed that nearly a quarter of organisations (22.3 percent) never admitted they had suffered any type of incident, even though information about their attacks was available on the public internet and/or the dark web.
Of the 334 organisations that did admit a breach, only 14.7 percent made their disclosure within one day of the initial attack. In comparison, 40 percent of victims took between one week and three months to make their announcement, while 11 percent took three months or more.
Approaching half (42.6 percent) of the 430 organisations identified by Silobreaker waited until news outlets and other open-source data platforms had reported on their ransomware incidents before admitting they were impacted. Once the news became public, companies did act quickly, with 36 percent disclosing the incident on the day that public reports first emerged.
Organisations were slower to notify customers that their personal data could be at risk. On average, there was a 90-day lag between the initial attack and individual customers being informed of a data breach.
The research also revealed that organisations have moved away from using the word ‘ransomware’ in their official disclosures, opting for more generic terms such as ‘data breach,’ ‘compromised/stolen data,’ ‘cyberattack,’ ‘incident’ or ‘disruption.’ Indeed, the word ‘ransomware’ was used only used in 47.6 percent of disclosures between April and December 2022.
Kristofer Mansson, CEO of Silobreaker, commented:
“Although the majority of companies do disclose ransomware attacks, they are often slow to come clean or only do so when it can no longer be kept secret. In addition, some organisations are prone to using vague language, perhaps in an attempt to downplay the severity of the situation.
“While it’s understandable that organisations want these types of incidents to remain hidden – and it’s important that they have time to investigate the attack before disclosure – this lack of transparency can place customers, suppliers and other third parties at heightened risk of disruption. It’s vital that all organisations – not just the initial target – have complete and immediate visibility into all ransomware threats, as an attack on a partner could have a major impact across the entire supply chain.”
Silobreaker’s ‘Ransomware? What Ransomware?’ Report can be downloaded for free from the Silobreaker website.
Methodology
The research focused on available data of 430 ransomware incidents that took place in 2022, which were all identified on the Silobreaker platform. Only incidents that were publicly reported on were included in the study, with analysed datasets including news articles, blogs, press releases and tweets, all in the English language.
Only incidents where (1) the victim organisation’s name was added to a leak site or a threat actor claimed responsibility, (2) the victim organisation confirmed a ransomware attack, or (3) the attack showed clear indicators of ransomware, were included in the research.
