Site icon Sophos News

Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

Even if you’re not a native speaker of English, you’ve probably heard the curious saying, “It’s a bit of a Curate’s Egg”, referring to something about which you’re determined to keep a positive public attitude, even if your immediate private reaction was to be disappointed.

The saying has certainly stood the test of time, coming as it does from a British satiricial cartoon from the late 1800s, in which a young curate has been invited to breakfast with the bishop.

(A curate is an Anglican church minister in their first job, right at the bottom of the clerical hierarchy, while a bishop is in the uppermost levels of church staff.)

Loosely speaking, the cartoon depicts the modern business equivalent of an intern who finds themelves in the midst of a lunch meeting of senior VPs: a promising but vaguely intimidating situation, with the very real danger of not getting a second chance to make a good first impression.

The British, of course, are well-known for eating boiled eggs at breakfast time, and in the Victorian era, there were no food labelling regulations to tell you how long your eggs had been in the supply chain, so stale eggs were a much more common problem than they are today.

And a boiled egg, still being in its shell when it’s served, doesn’t reveal that it’s gone off until you open it up to eat it…

…whereupon it rapidly reports its rancidity to the rest of the room by releasing a rancorous reek. (It’s a sulfurous smell, but we’d already decided to alliterate with R, so there was no space for a stench soubriquet starting with S in that sentence.)

Cartoon originally published in Judy magazine, 22 May 1895.

Anyway, in the now-famous cartoon, the bishop is seen apologising to the junior cleric for serving him a bad egg, saying, “Dear me, I’m afraid your egg’s not good!”

The timid curate, for whom both the Ninth Commandment and the aforementioned rancourous reek preclude an outright lie, but for whom politeness and social discretion is the better sort of valour, gamely but absurdly replies, “Some parts of it are very good.”

Which is a long way of warning you how you might react to the news delivered by the Sophos Ransomware Survey 2022, which we published today:

No leading questions

As usual, we didn’t conduct the survey ourselves, to avoid the problem that a cybersecurity company asking respondents cybersecurity questions might be considered “leading the witnesses”.

Surveys overtly connected with vendors often result in answers, like the curate’s remark about the egg, that the respondents thought the experts might like to hear, rather than the bald facts of what really happened.

We also made an effort to keep our sample size high, and to talk to a broad and representative cross-section of the global business community.

We therefore used a survey company to conduct the process, and they asked numerous cybersecurity questions to more than 5500 randomly-chosen respondents from a wide range of businesses of varying sizes in more than 30 countries across the globe.

As with the Curate’s Egg, you’ll find that some parts of the report are indeed very good, but it’s hard to sugar-coat the headline statistic of this year’s survey, which is disappointing.

In our Ransomware 2020 survey, 1/2 of our respondents said that they’d actually had a ransomware infection in the past year (2019).

In our Survey 2021, we were pleased to report that figure was down to about 1/3, with a creditable 63% of respondents saying they’d avoided ransomware altogether during 2020.

But in the Ransomware 2022 survey, the figure has gone up again, with 2/3 of our respondents admitting to a ransomware infection during 2021.

In other words, the underlying prevalence of ransomware attacks has doubled since our previous report, which implies that the size, scale and skills (if we may use that word in this context) of the cybercriminal underworld have increased correspondingly, too.

Not everyone needed to pay up

The upside to that figure is that 1/3 of those who did get hit nevertheless managed to prevent the usual disastrous denoument by heading off the cybercriminals before they were able to unleash the final data-scrambling part of the attack.

In other words, even though all of those who suffered a ransomware intrusion faced an extensive malware cleanup exercise and a possible data breach disclosure to their local regulator, defence-in-depth meant that 33% of them were spared the total derailment of their business that typically happens after a file-encrypting ransomware attack.

Also, just over 1/2 (54%) of those who did get hit, and were faced with the choice of paying up, didn’t hand money to the crooks, but found other ways to recover instead.

Sadly, however, the proportion of victims who refused to pay up is one statistic that has deteriorated over the past three years.

In 2020, just 1/4 of victims said they paid up; in 2021, that was up to 1/3; but in 2022, as we just said, the figure was close to 1/2.

What to do?

Our Top Tips are:

Remember that although the Ransomware Survey 2022 reports that 2/3 of respondents were ransomware victims, more than 1/2 of them recovered without paying up, suggesting that they not only had backups handy, but were able to restore them in a timely way.

As we like to say on Sophos Naked Security:

The only backup you will ever regret is the one you didn’t make.

Time to act!


If you don’t have the experience or the time to maintain ongoing threat response by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all all the other daily demands that IT dumps on your plate.

Not enough time or staff?
Learn more about Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response  ▶


Exit mobile version