When it comes to paying the ransom in a ransomware attack, demands are on the rise. Yet many companies that paid the ransom failed to receive a decryption key, according to a survey issued Monday.
In fact, pandemic-themed phishing scams, a sustained onslaught of ransomware attacks and the rise of a remote global workforce all combined to make the last 12 months particularly brutal for information-security professionals, according to the report.
Proofpoint’s State of the Phish report for 2021 surveyed 600 information-security pros across seven countries: Australia, France, Germany, Japan, Spain, the U.K. and the U.S.; incorporated highlights from an additional third-party survey of 3,500 adult workers across the same countries; and analyzed more than 60 million simulated phishing attacks to reach its conclusions, the company said.
Additional Ransom Demands Spike
Of the 75 percent of companies responding to the State of the Phish survey that said they were infected by ransomware, more than half decided to pay the ransom to get their data back, Proofpoint said. Of those who paid, only 60 percent regained access to their data. The other 40 percent were hit with additional ransom demands, a figure that is up 320 percent over last year.
Organizations need to decide how they will react well before a breach, rather than after they have lost control of their data, Gretel Egan, senior security awareness and training strategist for Proofpoint, told Threatpost.
“Reaction to a ransomware infection is a very individual thing,” Egan said. “The scale of the infection, impact to operations, and amount of ransom are all likely to factor into the ultimate decision about how to handle an attack. But a good best practice is to have a thoroughly prepared and tested response in place before a ransomware attack takes hold, one that considers a number of different ransomware scenarios. It’s critical to evaluate the risk vs. reward of making a payment, and alternatives they can pursue.”
Companies Net Record Phishing Attempts
The report shows a sharp uptick in phishing attempts, particularly in the U.S., where attacks are up 14 percent over last year and run 30 percent higher than the rest of the world.
And while wide-net bulk phishing attacks are being deployed, threat actors are getting even better at more targeted social engineering scams like spear phishing, whaling and business email compromise (BEC) attacks.
Email continues to be the channel of choice for phishers because undertrained employees make it easy, the report explained, but security professionals also need to consider other social-engineering schemes that organizations are facing, like those using social media, voicemail “vishing,” SMS/text phishing or “smishing,” and even malicious USB drops.
“Threat actors worldwide are continuing to target people with agile, relevant, and sophisticated communications—most notably through the email channel, which remains the top threat vector,” Alan LeFort, senior vice president and general manager of Security Awareness Training for Proofpoint said. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely—often in a less secured environment. While many organizations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”
Security-Awareness Training Works
While 90 percent of U.S. survey respondents indicated their workforce shifted to remote work in 2020, only 29 percent of those offered any training to employees about safe remote working habits, Proofpoint said, creating an entirely fresh hunting ground for phishing attackers practically overnight.
Across the 12-month period Proofpoint measured, there were more than 800,000 active credential phishing attacks and 35,000 phishing emails containing malware including remote access trojans (RATs), keyloggers and advanced persistent threats (APTs), the report said.
“The findings related to remote-working situations in the U.S. are eye-opening,” LeFort added. “Nearly all the American infosec professionals we surveyed said they supported a new, remote-working model for at least half of their organization’s workers last year. And yet fewer than a third of these respondents said workers were trained about security practices related to working from home.”
At the same time, three-quarters of U.S. workers said they allow their friends and family to access work-issued devices to do things like shop online and play games.
“These gaps represent a significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce,” LeFort said.
The report stressed that security-awareness training works. Proofpoint reported that 80 percent of the organizations that contributed to its survey said training “reduced phishing susceptibility.” When tested, purchasing teams were the most security conscious, Proofpoint found, while maintenance and facilities employees scored the worst.
How to Prevent Ransomware, Phishing
Egan also suggested proactive safeguards like a dedicated advanced email security gateway, robust data back-ups and consistent patching to keep systems updated.
“As well, most attacks require human interaction to be successful — and they are overwhelmingly aimed at specific people,” Egan explained. “We recommend conducting continuous security-awareness training for every employee and contractor with access to corporate systems. Some ransomware variants will ask the individual for payment so it’s important that employees know to not make any payments on their own and to flag them to their supervisors.”
There is good news. The total number of reported ransomware infections remained about the same, and Proofpoint said the number of malware infections resulting from phishing was down 17 percent. Better yet, there was a 47 percent drop in the number of respondents reporting a direct financial loss, which the report said “could indicate that organizations have implemented stronger preventative measures against these types of attacks,” and that those measures are working.