Emboldened by past successes, cybercriminals are launching more targeted attacks and seeking more lucrative payments.
When it comes to ransomware, we may be our own worst enemies. Victimized organizations increasingly choose to pay the ransom in order to regain access to encrypted data — a strategy that appears to be backfiring. Multiple studies indicate that more payments are simply incentivizing the ransomware industry.
A CyberEdge Group study finds that 58 percent of victimized organizations have paid ransoms, up from just 39 percent two years ago. The increased likelihood of payment seems to be inspiring more attacks — CyberEdge reports that a record 62 percent of U.S. companies have been hit with ransomware in the past year.
Meanwhile, research from Coveware and CrowdStrike suggests that the willingness to pay has emboldened cybercriminals to raise their demands. Coveware reports that the average ransom payment in Q1 2020 was $111,605, up 33 percent from the previous quarter, with the rise driven by targeted operations such as Maze and Sodinokibi. CrowdStrike cites a forecast that global ransomware damages will reach $20 billion in 2021, a 5,697 percent increase since 2015.
A global study from Sophos finds that paying the ransom doubles recovery costs without substantially improving an organization’s chances of regaining access to its data. According to Sophos, average recovery costs, including downtime, lost orders, operational costs and other expenses, were about $730,000 for organizations that chose not to pay a ransom — about half the average $1.4 million recovery costs when organizations paid the ransom.
Paying the ransom doesn’t appear to improve data recovery rates significantly. According to Sophos, 94 percent of organizations eventually get their data back whether or not they paid. More than half (56 percent) restored their data from backups, 26 percent paid the ransom and 12 percent got their data back by other means.
“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost,” said Chester Wisniewski, principal research scientist, Sophos.
The FBI warns that ransomware attacks are becoming more sophisticated and dangerous. Earlier campaigns relied on "spray and pray" tactics: criminals sent large volumes of spam or malicious ads to infect as many victims as possible and collect many small, quick payouts. Many of today's operators instead pick specific organizations, spend time inside the network and set the ransom according to what that victim can pay.
Targeted operations such as Maze and Ryuk are human-operated intrusions rather than self-spreading malware, and they typically combine data theft with encryption to boost payouts. Once the operators have an initial foothold, they quietly move laterally across the network, harvest credentials, locate backups and the most sensitive data, and stage a copy of that data for exfiltration. Encryption is the last step, not the first: by the time files are locked, the attackers already hold data they can threaten to publish (Maze in particular pioneered this "double extortion" model), which raises the pressure on the victim to pay a larger ransom.
“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes,” said Wisniewski. “Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay.”
A well-designed backup environment remains an essential element of ransomware defense, because it is what lets an organization restore without paying. However, it is important to remember that operators behind variants such as Maze and Ryuk spend time in the environment looking for backups, and any backup repository reachable with the same domain credentials or network paths as production will be encrypted or deleted along with everything else. Backups must be isolated so the attacker cannot reach them: an "air-gapped" environment, cloud backups or physically offline media all work, with two caveats. A cloud copy only counts as isolated if it uses separate credentials and immutable (write-once) retention, since a cloud share mounted with domain credentials is just another target. And a backup that has never been restored is not a backup; restore tests should be scheduled, not assumed.
The FBI offers these additional suggestions for minimizing exposure to ransomware attacks:
- Focus on awareness and training. Since end-users are targeted with infected links and emails, employees should understand how ransomware is delivered and be trained on information security principles and techniques.
- Patch the operating system, software, and firmware on devices. All endpoints should be patched as fixes are released, including the VPN appliances and remote-access gateways that targeted operators use for initial entry. A centralized patch management system makes this easier to do consistently.
- Ensure antivirus and antimalware solutions are set to update automatically and that regular scans are conducted.
- Implement least-privilege file, directory and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Configure access controls with least privilege in mind.
- Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
- Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as the temporary and cache folders used by web browsers and compression utilities, including the AppData/LocalAppData folder.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policies.
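The following PowerShell script is added here as a worked example and is not part of the FBI guidance or the original article. It applies three of the items above on a single Windows host: least-privilege share access (the permissions item), a block on macros in Office files that carry the Internet zone mark (the macro item), and an AppLocker policy in audit mode that allows only Program Files, Windows and administrators, which covers the software-restriction and whitelisting items together (AppLocker is used here in place of the legacy Software Restriction Policies). The share name, group names, output path and the choice of audit mode are assumptions for illustration; in production the registry and AppLocker settings would be delivered by Group Policy rather than set locally.

```powershell
#Requires -RunAsAdministrator
# Example hardening script (not from the article). Share name, group names,
# policy path and audit-mode choice are assumptions; adjust before use.
Import-Module SmbShare, AppLocker -ErrorAction Stop

# --- 1. Least-privilege share permissions -----------------------------------
# A user who only needs to read a share must not be able to write to it;
# otherwise ransomware running as that user can encrypt everything on it.
# Share permissions are one layer only: the NTFS ACL on the folder must match.
$ShareName     = 'Finance'                 # assumed share name
$ReadOnlyGroup = 'CORP\Finance-Readers'    # assumed AD groups
$EditorsGroup  = 'CORP\Finance-Editors'

# Audit: list every non-administrative share where a broad principal
# holds more than Read.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -match 'Everyone|Authenticated Users|Domain Users' -and
                       $_.AccessRight -ne 'Read' }
} | Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

# Fix: replace the usual "Everyone: Full" with explicit read and change grants.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
Grant-SmbShareAccess  -Name $ShareName -AccountName $ReadOnlyGroup -AccessRight Read   -Force
Grant-SmbShareAccess  -Name $ShareName -AccountName $EditorsGroup  -AccessRight Change -Force

# --- 2. Block macros in Office files that arrived from the Internet ---------
# Office 2016+ policy keys, one per application. Files saved from e-mail or
# a browser carry the Mark of the Web, which triggers the block.
# VBAWarnings=3 disables all macros except digitally signed ones.
# HKCU policy affects the current user only; use GPO for fleet-wide rollout.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfromInternet' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
}

# --- 3. Application control: AppLocker in audit mode ------------------------
# Allow executables from Program Files and Windows (minus the Windows
# subfolders a standard user can write to) and anything run by local
# administrators. Everything else, including %TEMP%, %APPDATA%, browser
# caches and Downloads, is denied by default; that is where droppers land.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Program Files"
        Description="Allow installed applications" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Windows"
        Description="Allow OS binaries, minus user-writable subfolders" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators"
        Description="Allow local admins to run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:ProgramData 'applocker-exe.xml'   # assumed path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: which executables in the current user's Downloads folder would be
# blocked once the policy is enforced?
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe -Recurse -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply, merged with any existing local policy. AppLocker only works while the
# Application Identity service runs; it is protected, so use sc.exe to set it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
```

Run the script elevated and leave the rule collection in AuditOnly for a few weeks first: every executable that would have been blocked is logged as event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log, and that list tells you which legitimate tools need their own allow rule before EnforcementMode is switched to Enabled. The exceptions under the Windows rule matter: without them a path-based allow on %WINDIR% also covers folders like Windows\Temp and Windows\Tasks that standard users can write to, which defeats the purpose of the rule.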