
The State of Ransomware in Critical Infrastructure 2024 – Sophos News

Sophos’ latest annual study of real-world ransomware experiences in the energy, oil and gas and utilities sector – a key part of the critical infrastructure supporting businesses – examines the full victim journey, from attack rate and root cause to operational impact and business outcomes.

This year’s report sheds light on new areas of research for the sector, including an analysis of ransom demands versus ransom payments and how often energy, oil and gas and utilities organizations receive support from law enforcement to remediate the effects of an attack.

Download the report to see the full findings.

Attack rates and recovery rates remained stable

67% of energy, oil and gas, and utilities organizations were hit by ransomware in 2024, the same rate as in 2023.

[Chart: attack rate]

98% of energy, oil/gas, and utilities organizations that were hit by ransomware in the past year said cybercriminals attempted to compromise their backups during the attack. Four in five (79%) of these backup compromise attempts succeeded, the highest rate of successful backup compromise across all sectors.

80% of ransomware attacks on energy, oil and gas, and utilities organizations in 2024 resulted in data encryption, which is in line with the encryption rate reported by the sector in 2023 (79%) but higher than the 2024 cross-sector average of 70%.

The average cost of recovering from a ransomware attack for energy, oil and gas, and utilities companies was $3.12 million in 2024, comparable to $3.17 million in 2023.

Devices affected by ransomware attacks

On average, 62% of computers in the energy, oil and gas, and utilities sector are affected by ransomware attacks, significantly higher than the cross-sector average of 49%. In contrast to other sectors, where only a small percentage of organizations have fully encrypted environments, about one in five organizations in the energy, oil and gas, and utilities sector (17%) reported that 91% or more of their devices were affected.

[Chart: devices affected]

The willingness to use backups for data recovery has decreased

61% of energy, oil/gas, and utilities organizations paid ransom to recover encrypted data, while only 51% recovered encrypted data using backups – the lowest backup usage rate reported across all sectors. For the first time, energy, oil/gas, and utilities organizations reported a higher willingness to pay ransom than to use backups. In comparison, globally, 56% paid ransom and 68% used backups.

This year’s survey results represent a marked change from the previous two years, when the sector enjoyed impressive backup adoption rates (70% in 2023 and 77% in 2022).

[Chart: data recovery]

A significant change over the past year is the increased willingness of victims to use multiple approaches to recover encrypted data (e.g., paying a ransom and using backups). This time, 35% of organizations in the energy, oil/gas, and utilities industries whose data was encrypted reported using more than one method, up from 26% reported in 2023.

Critical infrastructure victims often do not pay the original ransom amount demanded

86 respondents from the energy, oil and gas, and utilities industries whose organizations paid a ransom provided the actual amount paid, revealing that the average (median) ransom payment was $2.5 million in 2024.

Just under half (48%) of respondents said the payment they made matched the original demand. 26% paid less than the original demand, while 27% paid more.

Looking at the data by industry, the energy, oil/gas, and utilities sector is the most likely to pay the initial ransom amount demanded by attackers. It is also the sector with the second-lowest share of victims paying less than the initial demand.

[Chart: ransom payments]

Download the full report to learn more about ransom payments and many other areas.


About the study

The report is based on the results of an independent, vendor-neutral study commissioned by Sophos, which surveyed 5,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA and Asia Pacific, including 275 from the energy, oil/gas and utilities sectors, a key part of the critical infrastructure supporting businesses worldwide. All respondents represent organizations with between 100 and 5,000 employees. The study was conducted by research specialist Vanson Bourne between January and February 2024, and participants were asked to respond based on their experiences from the previous year.