The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos and reported this week in its blog found that organizations that decide to pay the ransom to get their data back, do so in 94% of cases.
The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.
These results underline that ransomware now affects everyone, everywhere. It doesn’t seem to matter how big an organization is. Ransomware is ubiquitous, with half of organisations in the research having experienced an attack during 2019, three quarters of which had their data encrypted.
Ironically, this is despite organisations tightening security to reduce trivial attacks.
Ransomware attackers almost always send back encryption keys when paid – any doubt in the mind of victims would quickly destroy the whole extortion racket.
So how did ransomware respond? By spending more time targeting companies by researching less obvious weaknesses, looking to exploit several at the same time.
Overall, the research found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular.
Cloud repositories and applications are another big target, with 59% of those successfully attacked mentioning that cloud data was targeted in some form.
Only one in four (25% of) victims decide to pay the ransom, which is most often done by a cyber-insurance company rather than the victim. However, only around two thirds (66%) of U.S. victims find they can claim on insurance, with 20% of organisations paying for coverage they end up being unable to activate.
Don’t pay ransoms?
Importantly, research found that paying ransoms costs more than reinstating data using backups.
Some might doubt that – downtime is often said to be the most expensive part of a ransomware attack – but the reason is simply that the cost of recovery is always high. Paying the ransom on top of that adds to the bill.
Ransomware attackers have recently started threatening to incrementally leak sensitive data stolen during attack as an extra inventive to pay up.
What to do
Organisations can limit the effect of ransomware attacks by assuming an attack is inevitable and plan for it.
- Make and test a backup plan, including storing data offsite.
- If you’re buying cyber-insurance, make sure it covers ransomware.
- Don’t forget to protect data in the cloud as well as central data.
- Use anti-ransomware protection. Twenty-four percent (24%) of survey respondents that were hit by ransomware were able to stop the attack before the data could be encrypted.
- Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, IP whitelists, two-factor authentication (2FA) and/or a virtual private network (VPN) if you do.
- Pick strong passwords and use multi-factor authentication as often as possible. And don’t re-use passwords. Consider a password manager.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
If you or your business have legal questions or concerns regarding communications law, computer law, privacy, or cybersecurity law matters, including review of cyber-insurance, contact attorney Jeffrey A. Franklin at Prince Law Offices.