Ransomware is on the rise, but what toll does it take on the real world?
Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at mitigations and the defenses organizations have in place. When viewed against the backdrop of complementary reports from Cybereason and Group Salus, a nice picture emerges of how ransomware-related attitudes and security practices are evolving.
As ransomware attacks continue to grow in volume and sophistication – and not to mention profile, thanks to attacks like the one on Colonial Pipeline – organizations are becoming more aware of the risk. However, strategies for addressing ransomware turn out to be quite varied.
Among all 120 respondents to Threatpost’s survey, a little less than a third said they have been a victim of ransomware. In terms of victims, the leading sectors hit the hardest were tech and manufacturing (17 percent and 15 percent of respondents). The next-most-common profiles were evenly distributed among finance, healthcare and critical infrastructure.
A full 80 percent said that they didn’t pay the ransom. The top reason cited, accounting for 42 percent of responses, is that that paying the ransom doesn’t guarantee a decryption key.
This article is based on a much more in-depth piece, available in the free Threatpost Insider eBook, entitled “2021: The Evolution of Ransomware.” Download it today for much more on ransomware trends and the underground economy!
That acknowledgement that cybercriminals aren’t trustworthy (go figure) dovetails with new stats out from Cybereason on Wednesday noting that paying up may actually flag victims as easy pickings. A full 80 percent of organizations that paid the ransom said they were hit by a second attack –– almost half were hit by the same threat group and one-third hit by a different one.
Meanwhile, over in the “yes, let’s pay” camp, about 5 percent of Threatpost respondents felt that paying is easier than dealing with business disruption, lost data and remediation, while another 2 percent said that cybersecurity insurance will cover any ransom and related costs.
In Cybereason’s study, about 65 percent of entities hit by a ransomware attack reported revenue loss; and about a quarter had to shut their business down altogether. About half (53 percent) indicated that their brand and reputation were damaged; and a third (32 percent) reported losing C-level talent.
Cybereason found that 35 percent of businesses that paid a ransom shelled out between $350,000 and $1.4 million, while 7 percent paid ransoms exceeding $1.4 million.
In contrast, Threatpost found that more than half of victims (57 percent) suffered less than $50,000 in remediation costs if they did not pay the ransom. Comparatively, about half of victims who did pay the ransom after an attack also paid less than $50,000 in remediation – not counting the ransom payment.
Favored Mitigations for Ransomware
When asked which vital defenses organizations should have in place to protect against ransomware attacks, organization cited backups of critical data (24 percent), user-awareness training (18 percent) and endpoint/device protection (15 percent) as the top “must-haves.”
But implementing those defenses is easier said than done. Poll respondents cited a range of challenges when it comes to fending off ransomware attacks. These included insider threats, cited as the top challenge, with 29 percent saying a lack of employee awareness (regarding email and social-engineering threats) was a problem. Meanwhile, 19 percent said budget constraints (having no money for deploying or upgrading defensive platforms) were an issue; while 18 percent said a lack of patching and legacy equipment was a top challenge.
Meanwhile though, a national survey of 200 respondents from Group Salus found that just 15 percent of small- and medium-sized business (SMB) executives (defined as leading companies with revenues up to $100 million per year) see ransomware as a top threat that will result in financial outlay.
This is despite close to 40 percent of the companies experiencing a cyberattack of any kind, with nearly half, 45 percent, reporting they lost customer data and 27 percent saying they lost a significant amount of money because of the attack. The average cost of an attack was $200,000.
The Group Salus survey also found that 30 percent of the SMB executives most feared losing irreplaceable data in a cyber-incident and 25 percent are most concerned about losing customers permanently because of a loss of trust in their organizations. Yet, ransomware was not top of mind.
“Couple this with research that shows ransomware attacks have increased more than 50 percent since 2019 and small business executives who believe they won’t have to pay, one way or another, for a cyber-breach are not being realistic,” said Group Salus CEO Larry Lafferty, in a media statement.
To read the whole article and get more insights, download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!