Are Ransomware Attacks Getting Worse? Yes They Are. And the Reason May Surprise You.

Just like every business and sector, cybercrime is transforming.

Gone are the days when a single, lone hacker posed a significant threat to your organisation. Cybercrime is evolving, shifting from that lone hacker to a coordinated crime syndicate that operates much like a startup. Unlike law-abiding startups, these cybercriminal organisations are funded for the sole purpose of extorting money from you. Several have produced returns in the hundreds of millions of dollars.

The toolset for extortion is constantly evolving too, moving away from individually built software to ‘Ransomware-as-a-Service’ offerings purchased on the dark web for a percentage of the bounty. Sadly for society, it has never been easier to get into the cybercrime game, and never more rewarding. There is still a high volume of easy ‘prey’: targets that will pay. Organisations keep paying the ransoms, so the criminals keep attacking, all the while improving their skills of extraction. It’s just supply and demand, basic economics working in their favour.

The criminals’ greatest recent insight may have been how to secure paying customers.

Hackers typically extracted data from an organisation and then hoped for a big pay day by selling that customer data on the open market to the highest bidder. Hackers learned that this approach was fraught with limitations. Organisations became better at shutting down extraction attempts, so hackers could not get much data to sell. Negotiating with buyers was challenging, risky and lengthy, leading to outcomes that didn’t produce the expected payoff.

With ransomware, the security game changed.

Rather than spending too much time extracting data from an organisation and then hoping for a big pay day by selling it on the open market to the highest bidder, cyber criminals found that they could limit their “no data extracted” risk and remove the problem of a small or non-existent payoff with one small tweak: ransomware.

Now, cyber criminals had an instant ‘highest bidder’ willing to pay immediately: the compromised organisation. Criminals figured out that ransomware creates a built-in buyer with deep pockets: you and your cyber insurance policy. 96.88% of all ransomware infections take four hours to successfully infiltrate their target, with the fastest infections being completed in under 45 minutes. The urgency of recovering the data quickly so that the organisation can continue its ongoing operations makes it the most willing buyer.

According to Wired Magazine (Jan 2021), the business of ransomware has set its sights on those wealthy organisations willing to pay to save their reputations. If this is you, then you should be aware of the scope of the costs during the pandemic. Also be aware that only 8% of organisations that pay a ransom get back all of their data, and that 80% of those who paid a ransom experienced another attack.

The 2021 State of Security found that for a UK-based organisation, the average cost of a breach in 2021 is $4.67M, up 19.7% from 2020. The costs include detection and escalation (29%), lost business (38%), post breach response (27%), and notification (6%).

With the plethora of headlines, why are organisations (still) falling victim to cybercrime (and being forced to pay)? Do you ever wonder how they get it so wrong?

Perhaps a better question might be ‘Why does ransomware succeed when the outcomes are known to be so bad?’

Unfortunately, when it comes to a ransomware attack, organisations are often forced to pay the high ransom demanded by the crime syndicate because they learn only after the attack that they were in fact highly exposed, not protected, and now control neither their data nor their destiny.

Some organisations think they can take the easy route by being all too willing to pay the ransom and then make a claim against their cyber insurance policy. In some cases, leaders are simply too trusting of the criminals and believe these criminals will cooperate by releasing and unlocking the data. This overly trusting approach has cost many their jobs, as 32% have been removed either by dismissal or resignation after a breach. Ouch!

Unfortunately, negotiating with cyber criminals is often a lost cause. It is believed only 8% of businesses that pay a ransom get back all of their data. These are not good outcomes!

Worse, criminals don’t release your data immediately. The average length of time to regain control of the data is 21 days. That’s a long time to wait, all the while the organisation is disrupted and compromised in its ability to function properly. 21 days is too long to wait without access to the data after the fee has been paid. It’s certainly not the instant response many executives expect, and all the while they are dealing with downtime that could damage the organisation even more through lost revenues and reputational risk.

What are the Warning Signs that You Could Be Next?

Based on our own informal discussions and research, we’ve seen some definite patterns that, if spotted in your organisation, could serve as an indicator that you will be more prone to a successful cyber-attack:

False belief: it won’t happen here. Think again. Ask the Scottish Environmental Protection Agency, Serco, Northern Rail or Accenture whether it won’t happen here. All were ransomware attack victims in 2021. The new best practice is to assume you are already compromised. Doing so will drive new thinking and new priorities, and help prevent you from being the next victim of ransomware.

“My data is already backed up”: Many organisations are under the false assumption that they have a ‘copy’ of their data and can quickly restore after a disruption. And many of those same organisations find out the hard way that their ‘backed up’ data cannot or will not restore (and get forced into paying a high ransom). Only 57 percent of businesses are successful in recovering their data using a backup. Not all backup data is the same. At TES, we know the difference.
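The only way to know whether a backup will restore is to restore it and check the result against what was backed up. The script below is an added example, not code from the original article or from TES: it records a SHA-256 manifest of a source tree at backup time, then verifies a restored tree against that manifest and reports files that are missing or whose contents differ. The file names and contents are constructed for the demonstration; in practice the manifest would be stored separately from the backup media (offline or on immutable storage) so that an attacker who reaches the backups cannot also rewrite the record used to check them.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_is_trustworthy(result: dict) -> bool:
    """A restore test passes only if every file came back with matching content."""
    return not result["missing"] and not result["corrupt"]


def demo() -> dict:
    """Constructed scenario: back up three files, then 'restore' with one lost and one truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        source.mkdir()
        restored.mkdir()

        # Constructed sample data standing in for the files a business relies on.
        files = {
            "ledger.csv": b"id,amount\n1,100\n",
            "docs/policy.txt": b"retain for 7 years\n",
            "config.yml": b"mode: prod\n",
        }
        for rel, data in files.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

        # Manifest written at backup time; keep it apart from the backup itself.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source)))

        # Simulated restore: policy.txt comes back intact, ledger.csv is truncated,
        # and config.yml never arrives at all.
        (restored / "docs").mkdir()
        (restored / "docs/policy.txt").write_bytes(files["docs/policy.txt"])
        (restored / "ledger.csv").write_bytes(b"id,amount\n")

        result = verify_restore(json.loads(manifest_path.read_text()), restored)
        result["trustworthy"] = restore_is_trustworthy(result)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against a real restore into a scratch location, a failing `trustworthy` flag is the early warning that the “we have backups” assumption does not hold, long before a ransom demand forces the question.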

Security near the bottom of the action list. The pandemic changed views on cyber security. Unfortunately, the impact created opportunities for cyber criminals, as more than 75% of IT teams said cybersecurity took a “backseat to business continuity during the pandemic”.

Relying too much on cyber insurance. Cyber insurance should be the last line of defence, not the first. Having strong security practices and compliance should mean that you never need to activate your policy. And, just like other forms of insurance, sometimes not all your costs are covered: 42% of cyber insurance claims did not cover all the losses, meaning organisations had to pay in the end.

Ignoring the human factor. The same study that found cyber security took a backseat to supporting working from home also found that more than 30% of workers under the age of 24 admitted to outright bypassing certain corporate security policies to get work done.

There is Time. You Can Avoid a Successful Attack

Security is a multi-layer approach like medieval castles. High, hard-to-scale walls, surrounded by moats, and with roaming guards to spot and kill an intruder. Multiple systems working together for one goal.

As with all security issues, there is rarely a “silver bullet” or single step that will fully mitigate the problem. Multiple steps are needed to reasonably defend against ransomware. Some steps are designed to prevent ransomware from taking hold, while others reduce the impact of a breach.

Given the ubiquity and sophistication of cyber-attacks, the best position to take is to assume you are compromised. This will change the mindset inside the organisation and change the priorities to ensure the damage and risk are minimised. If compromised, this mindset could help you avoid the high cost of a successful attack by deploying the right protections, training, detection systems and response plans within the organisation.

Next Masterclass: Just Say “No” to Hackers > How to Minimize the Risk of High Cost and High Operational Impact of Ransomware

Cybersecurity is complex, but it does not have to be with the right strategy. This #TEStalk masterclass outlines a framework that can be implemented to deploy the right mindsets, protections, detections and other technical infrastructure to minimise the risk and impact of ransomware. Register for free.