Ransomware is just a cyber twist on the age-old crime of taking someone/something hostage and demanding a payout for safe return. Cyber criminals have quickly learned that getting at organizations’ data then deploying malware to encrypt it carries a low technical barrier to entry (as opposed to kidnapping a human).
Sittin’ on the dock of the bay
Ransomware is just a cyber twist on the age-old crime of taking someone/something hostage and demanding a payout for safe return. Cyber criminals have quickly learned that getting at organizations’ data then deploying malware to encrypt it carries a low technical barrier to entry (as opposed to kidnapping a human). With enough broad-based distribution, doing so yields a favorable return on investment (ROI). Unlike physical crimes of this ilk, ransomware distribution often takes a “spray and pray” approach, targeting a vast number of individuals and/or companies until an attack is successful. The cost for a ransomware distributor to send 1,000 infected phishing emails vs. 100,000, for instance, is nominal.
Every company is a potential target for a ransomware attack (contrasted with human hostage situations, in which only the right target could lead to a payout). From large to small, private to public, for-profit to non-profit, any company that maintains data is at risk. Local animal shelters all the way up through national healthcare organizations have been in the news as of late for experiencing ransomware attacks. There’s little question that ransomware as a cyber crime tactic is on the rise, and companies are on a mission to understand the extent of the problem.
Look like nothing’s gonna change
SentinelOne is the latest in a string of security vendor organizations to publish the results a study, conducted on the firm’s behalf by market research firm, Vanson Borne, on the magnitude of the problem. Of more than 500 IT and security practitioners across the US, UK, Germany, and France who responded to the survey, 48% said that their organization suffered a ransomware attack in the last 12 months. Survey results indicate that construction and property firms have been hit the hardest (57%), while media, leisure, and entertainment companies have largely stayed out of the limelight (24%). Curiously, healthcare and education are not listed in the SentinelOne report, despite the fact that healthcare and academic institutions seem, by all other measures, to be ripe targets for ransomware.
With nearly half of all organizations, cross industry and geography (at least the ones surveyed for this report), reporting haven fallen victim to ransomware in the last year, 67% said the consequence is a planned increase in security spending, and 52% intend to change security strategy to focus on mitigation. The most interesting part of a decision to “change IT security strategy to focus on mitigation” is that all of the tactics and techniques a company would employ to ward off or reduce the damage from a ransomware attack are the same ones that should, theoretically, already be in place as foundational security elements: Ongoing maintenance and monitoring of firewalls, malware detection, encryption, security awareness training, regularly maintained backups, etc. Basic system administration – all things all companies should be doing regardless of imminent threat or far-off risk.
Everything still remains the same
As one security industry expert recently said, “Despite the fact that security teams know they should be tending to the basics, they won’t do it until forced to. A ransomware incident could be the shove they need.” Indeed, respondents from companies in the US were most likely to say a change in strategy will occur (65%), whereas respondents from Germany companies were least likely to anticipate a strategy change (39%). German companies, however, also reported the highest loss in confidence in existing cybersecurity solutions (57%), indicating, perhaps, an acknowledgement of overreliance on tools as a mitigation strategy. On the contrary, US-based respondents were least likely to acknowledge a loss of confidence in existing cybersecurity solutions (35%), maybe signaling an understanding that the change required must come from people and processes, not just an implemented tool.
I can’t do what ten people tell me to do
How far did cyber criminals advance in their ransomware campaigns? Not very far. Keep in mind, though, that ransomware is a bit like mining for gold; the miner needs to pan far and wide for just one nugget. Once found, however, even a small piece of legitimate gold returns a profitable payout. Ransomware operates under exactly the same premise.
Only 3% of survey respondents said that the ransomware attacker “was able to encrypt some files/data, which we were unable to decrypt.” Presumably this also means the company didn’t maintain backups and therefore had to pay ransom or go without its files/data, given the other choices in the survey. But the information provided/reported is not that explicit.
So I guess I’ll remain the same
Given the data set, a lot of assumptions can be made about the state of organizations’ ransomware readiness: organizations are not tending to security basics and are therefore falling victim to criminals’ methods too frequently; even though a good number of companies reported the ability to decrypt stolen and encrypted data, a breach of systems still took place and private data is now in the hands of adversaries; organizations are failing to put proper controls in place ward off attackers before they find ways into companies’ networks; attackers accomplishing a breach are provided too many opportunities to move around companies’ networks and access sensitive data without any major obstacles; and finally, despite the fact that backups are good business practice for more than ransomware attacks alone, only a quarter of companies are maintaining backups. All of the above should be “givens” for enterprises, and even small companies can—at very least—buy inexpensive, off-site, cloud-based backup, reducing their helplessness when ransomware comes ‘a knockin’.
It’s all about the security basics. And while we hear it all around the industry, in every forum, at every conference, and on social media threads, security teams must hold themselves accountable and take the necessary steps to ensure they’re not losing their data—be it to ransomware attackers or any other cyber criminal. Security is hard and criminals have time on their hands that enterprise practitioners do not, but if enterprises keep the barriers to entry low, we can be certain that ransomware victim numbers (and other cyber crime numbers, in general) will keep climbing higher.