BitSight research demonstrated some organizations are more than eight times as likely to become ransomware victims.
Ransomware: the financially-motivated cyber attack du jour
May 2021 is proving that the ransomware trend is running ahead nearly unabated. In the US, the Darkside APT group crippled the largest fuel supplier in the northeast, causing a system wide shutdown affecting nearly the entire US east coast’s fuel supply for several days. In Europe, a double whammy hit the Irish health system when the Health Service Executive, Ireland’s health care operator and its Department of Health suffered a ransomware attack forcing a shutdown within its IT infrastructure.
- The health sector is regarded as a vulnerable sector to cyber incidents and crises. In the ENISA Threat Landscape report, it was found that more than 66% of healthcare organizations experienced a ransomware attack in 2019. “In 2019, 45% of attacked organizations paid the ransom. The 45% of organizations that were attacked and paid the ransom, half still lost their data.” (source)
- In Oct 2020, the first case of triple extortion was seen in the real-world. When a Finnish psychotherapy clinic was breached, attackers not only extorted the clinic to regain access to its files, but also to avoid the records being published - double extortion. The attackers went one step further by extorting individual patients regarding publishing their records. (source)
The collateral consequences of ransomware also include cost to insurance companies who underwrite cybersecurity policies. While they conduct diligence in the form of cyber risk assessment questionnaires and assessment of cybersecurity performance data—BitSight cyber insurance clients underwrite more than half of the global cyber premium—no security ratings provider has conducted a correlation to ransomware study with definitive results. Until now.
Key takeaways from BitSight research
While no organization is immune from determined cyber criminals, there are best practices for minimizing the likelihood of being victimized. Chief among them is a relentless focus on core security hygiene - that common practice of ensuring cybersecurity controls, practice, and people are performing effectively every day. While best practices are widely acknowledged, it’s clear performance excellence is only being achieved by a few leaders.
BitSight’s research team analyzed hundreds of ransomware events since Nov 2018 to estimate the relative probability that an organization will experience a ransomware event. The analysis looked back over five six-month periods benchmarked against companies with high BitSight rating (750+) for security effectiveness.
Overall, the data shows that organizations with a rating lower than 600 are 6.4x, and organizations with a rating between 600-650 are 4.6x more likely to be a ransomware victim compared to the benchmark of organizations with a 750+ rating. BitSight continuously and non-intrusively assesses organizational cybersecurity performance by evaluating security performance observations across 23 different categories, including compromised and exposed systems, critical vulnerabilities, patching rates, software security, and other key issues. BitSight processes more than 250 billion security measurements on a daily basis to provide an objective security rating (using a 250-900 scale) based on its observations that is independently verified to be correlated with breach risk.
Risk Based on BitSight Rating

Digging deeper into what BitSight calls individual risk vectors, patching cadence (the elapsed time between software patches becoming available compared to when patches are implemented) is a strong security program performance indicator. The more time that passes between patch available and patch implemented indicates lower performance. Unsurprisingly, poor patching performance correlates to a nearly sevenfold increase in ransomware risk for companies with a C grade or lower. TLS/SSL certificate and configuration management offer comparably strong security program performance indicators. Companies with a C grade or lower in TLS/SSL Configurations are nearly four times more likely to be a ransomware victim and companies with a C grade or lower in TLS/SSL Certificates are roughly 3 times more at risk of a ransomware incident,
Risk Based on Patching Cadence Grade
In the above chart and the two that follow, letter grades provide a quick way to understand how a company is performing in each risk type, and also provides a meaningful way to compare risk type performance of one company to another.
Letter grades are directly correlated to how well a company is performing, relative to all companies in the BitSight inventory. Below is a table that outlines how each grade correlates to their performance, relative to their company size:

Risk Based on TLS/SSL Certificate Grade
Risk Based on TLS/SSL Configurations Grade