Ransomware has become perhaps the fastest-growing type of cyberattack organizations face today.
With the number of attacks and the costs to organizations multiplying over recent years, ransomware attacks such as those on Colonial Pipeline, Acer, JBS Foods and Kaseya (to name a few from 2021 alone) have become a more significant threat to organizations than ever. Let’s look at some key statistics that illustrate how the threat and impact of ransomware attacks are increasing, along with some important ransomware trends.
Key Ransomware Statistics
The number and impact of ransomware attacks are growing exponentially! Here are a few key ransomware statistics regarding today’s ransomware challenges:
- Global ransomware damage costs are estimated to be $20 billion in 2021 – 57 times more than it was in 2015. (Source)
- Global ransomware damage costs are expected to rise to $265 billion by 2031, with a new attack every 2 seconds. That’s 816 times more than it was in 2015. (Source)
- In a survey of 5,400 IT decision makers across 30 countries, 37% of respondents’ organizations were hit by ransomware in 2020. (Source)
- Of all ransomware victims surveyed, 32% paid the ransom, but on average only 65% of the encrypted data was restored after the ransom was paid. (Source)
- 70% of recently surveyed organizations reported that healthcare ransomware attacks have resulted in longer hospital stays and delays in procedures and tests, leading to poor outcomes, including an increase in patient mortality. (Source)
- The number of reported ransomware attacks in the US has more than quadrupled in two years, from 2018 to 2020. (Source)
Global Ransomware Damage Costs 2015-2031* (Source)
Key Ransomware Trends
There are several trends that are contributing to the exponential rise in ransomware attacks and their associated costs. They include:
Growth of Ransomware as a Service (RaaS): Yes, that’s a real thing! Creators of the malware lease the use of their software to operators for either a fee or a percentage of any successful extortion attempts. RaaS has multiplied the number of ransomware attackers out there, which has led to a huge increase in ransomware attacks in recent years.
Multiple Levels of Extortion: Ransomware has historically involved encrypting an organization’s important data and demanding a ransom to restore access to it. But nearly all attacks now include additional levels of extortion, including threatening to leak or publish the seized data (or sell sensitive data to competitors), threatening to disrupt the organization with distributed denial of service (DDoS) attacks, or even extending the ransom demands to the affected organization’s customers.
Attacks on Supply Chains: The attacks on Colonial Pipeline and JBS Foods are two recent examples of supply chain attacks – in both cases, available supplies of their products were disrupted, and they paid a ransom to the cyber attackers (part of the ransom was recovered in the Colonial Pipeline case). Supply chains are not limited to goods or commodities; they include any service provider whose disruption may impact clients and their clients’ clients.
Exploiting Zero-Day Vulnerabilities: Ransomware groups are finding and leveraging zero-day vulnerabilities, even before the Common Vulnerabilities and Exposures (CVE) entries are added to the National Vulnerability Database (NVD) and patches are released. Examples of recent CVEs exploited before inclusion in the NVD are QNAP (CVE-2021-28799), SonicWall (CVE-2021-20016), Kaseya (CVE-2021-30116), and most recently Apache Log4j (CVE-2021-44228), which was the source of the ONUS ransomware attack. This illustrates that hackers are not only acting quickly on identified software vulnerabilities, but potentially finding and exploiting those vulnerabilities before the software companies are even aware of them.
Ransomware Prevention Tips
Email Security: In addition to regular phishing exercises and awareness training, organizations can set up solutions and configurations with the mindset that someone is inevitably going to click on a malicious link. These safeguards may include spam filtering, ensuring that file extensions (such as .exe) are displayed, blocking executables altogether, sandbox testing, blocking malicious JavaScript files, restricting use of elevated privileges, zero trust, updating email gateways to monitor for malicious activity, blocking ads, and managing bring-your-own-device (BYOD) through Enterprise Mobility Management.
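As an added illustration of the attachment-handling safeguards listed above (example code written for this article, not a HALOCK tool), the function below applies the "assume someone will click" mindset at the gateway: executables and script files are blocked outright, containers that could hide an executable go to a sandbox, and the classic double-extension name (invoice.pdf.exe), which hidden file extensions make look like a document, is caught explicitly. The extension sets and the sample attachment names are assumptions constructed for the example.

```python
"""Attachment screening rule for a mail gateway.

Added example written for this article; it is not HALOCK code. It turns the
e-mail safeguards above (show extensions, block executables, block malicious
JavaScript, sandbox unknowns) into a single decision function. The extension
sets below are assumptions for the example, not an exhaustive policy.
"""
from dataclasses import dataclass

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
CONTAINER_EXTENSIONS = {".iso", ".img", ".zip", ".7z", ".rar"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".pptx", ".txt", ".png", ".jpg"}
RLO = "\u202e"  # Unicode right-to-left override: visually reverses the tail of a name


@dataclass
class Verdict:
    action: str   # "block", "quarantine" or "allow"
    reason: str


def extensions(filename):
    """All dotted suffixes, lower-cased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def screen_attachment(filename):
    """Decide what the gateway should do with an attachment of this name."""
    if RLO in filename:
        # Whatever the user sees on screen, the real suffix is being disguised.
        return Verdict("block", "right-to-left override character in file name")
    exts = extensions(filename)
    if not exts:
        return Verdict("quarantine", "no file extension; type cannot be determined")
    final = exts[-1]
    # Double extension: looks like a document when extensions are hidden,
    # but the operating system runs it as whatever the last suffix says.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final in BLOCKED_EXTENSIONS | SCRIPT_EXTENSIONS:
        return Verdict("block", f"double extension {exts[-2]}{final}")
    if final in BLOCKED_EXTENSIONS:
        return Verdict("block", f"executable attachment ({final})")
    if final in SCRIPT_EXTENSIONS:
        return Verdict("block", f"script attachment ({final})")
    if final in CONTAINER_EXTENSIONS:
        return Verdict("quarantine", f"container ({final}) needs sandbox detonation")
    return Verdict("allow", "no executable indicators in name")


def screen_batch(filenames):
    """Map each name to its action; useful for a policy dry run over a mail queue."""
    return {name: screen_attachment(name).action for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    samples = ["Invoice_2021.pdf.exe", "Q4-report.PDF", "update.js",
               "statement.iso", "README", "photo\u202egnp.scr"]
    for name in samples:
        verdict = screen_attachment(name)
        print(f"{verdict.action:10} {name!r}: {verdict.reason}")
```

A name-based rule like this is only the first layer; the page's other items (sandbox detonation, gateway monitoring) cover content that a filename check cannot, which is why containers are quarantined rather than allowed.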
Disable Remote Desktop Protocol (RDP): RDP is still a vector for a great number of breaches. Disabling this functionality will reduce your organization’s vulnerability.
Multi-factor Authentication (MFA): Multi-factor authentication should be enabled for all remote access to resources. With many employees working from home, it is recommended that 100% of workers use multi-factor authentication (something you know, something you have, and/or something you are).
Incident Response Readiness (IRR): Reducing dwell time with effective monitoring and alerting, together with logs that can tell you what the hackers were accessing, are all part of a readiness program. Making sure you have backups that work and a disaster recovery plan that can be successfully executed are also key. You can reduce your liability substantially if you manage the incident well.
Consider reviewing these:
- Incident Response Plan (IRP)
- Tabletop Exercises
- First Responder Training
- Technology review of monitoring, alerting, and logging solutions: SIEM, EDR, MDR, XDR, IPS, log aggregation, threat monitoring
- Segregation of backups
- Up to date DR/BCP plan
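The RDP and readiness points above come together in the monitoring logic an IRR program needs. As an added example written for this article (not HALOCK's code), the script below runs three checks over Windows logon events: any RDP session (logon type 10) when the policy says RDP is disabled, a burst of failed logons from one source that looks like password guessing, and a burst followed by a successful RDP logon from the same source. The events are constructed sample data in a simplified "time|event_id|user|source_ip|logon_type" form, not real log output, and the internal address ranges and thresholds are assumptions to adapt to your environment.

```python
"""Readiness checks for RDP abuse in Windows Security logon events.

Added example for this article, not a HALOCK product. Event IDs 4624
(successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive,
i.e. RDP) are the standard Windows values; everything else here is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate address space; in practice take this from your own IPAM.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = 10                      # RemoteInteractive: RDP / Terminal Services
FAILURE_THRESHOLD = 5                    # this many failures from one source ...
FAILURE_WINDOW = timedelta(minutes=5)    # ... inside this window is a burst

# Constructed sample events (not real logs): a guessing burst from outside that
# ends in success, a normal internal RDP session, a console logon, one stray failure.
SAMPLE_EVENTS = """\
2021-12-10T02:10:01|4625|administrator|203.0.113.7|10
2021-12-10T02:10:09|4625|administrator|203.0.113.7|10
2021-12-10T02:10:15|4625|admin|203.0.113.7|10
2021-12-10T02:10:22|4625|jsmith|203.0.113.7|10
2021-12-10T02:10:30|4625|jsmith|203.0.113.7|10
2021-12-10T02:11:02|4624|jsmith|203.0.113.7|10
2021-12-10T08:30:00|4624|mlee|10.20.30.40|10
2021-12-10T08:31:00|4624|mlee|10.20.30.41|2
2021-12-10T09:00:00|4625|svc_backup|10.20.30.50|3
"""


def parse_events(text):
    """Parse the simplified pipe-delimited form into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src, ltype = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "user": user, "source": src, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])


def is_internal(addr):
    """True when the source address falls inside the assumed corporate ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(events):
    """Return (severity, message) findings for RDP activity and logon bursts."""
    findings = []
    failures = defaultdict(list)   # source ip -> timestamps of 4625 events
    burst_sources = set()          # sources already flagged for a burst
    for e in events:
        src = e["source"]
        if e["event_id"] == 4625:
            failures[src].append(e["time"])
            recent = [t for t in failures[src] if e["time"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                findings.append(("high", f"{len(recent)} failed logons from {src} within {FAILURE_WINDOW}"))
        elif e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            if src in burst_sources:
                findings.append(("critical", f"RDP logon for {e['user']} from {src} after a failed-logon burst"))
            elif not is_internal(src):
                findings.append(("high", f"RDP logon for {e['user']} from external address {src}"))
            else:
                findings.append(("medium", f"RDP session for {e['user']} from {src}; expected none if RDP is disabled"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {message}")
```

Run against the sample, the burst is reported once at the fifth failure, the later success from the same source is escalated to critical, and the internal RDP session is a medium finding that only matters if RDP was supposed to be off. In production this logic would sit in the SIEM or EDR listed above, fed by the logs the page says you need to retain.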
Security Configuration for Cloud Services: Cloud configurations are a growing part of the risk picture for organizations. It is important that you review the following and implement appropriate safeguards.
- Network, User rights, Security solutions review
- Configuration review of O365, AWS, Azure, Google
- Monitoring and logging of events within the Cloud
Third-party assessments: Be sure you have appropriate accountability from your suppliers. They will often implement controls only to keep or gain business; rarely do third parties proactively implement effective controls that consider the risk to you. Activities you should consider include:
- Establish a third-party assessment program with tiers and process.
- Follow through on your assessments, including risk remediation by vendor/supplier.
- Involve the business leadership to prevent rogue vendor contracting.
Privileged Access Management (PAM): Service accounts should be given the minimum level of access necessary to perform the job. Privileged accounts need to be carefully protected, including MFA for accessing sensitive assets. Hackers target privileged account users and service accounts.
Patch Management: Over 42% of breaches involved taking advantage of a vulnerability for which a patch already existed. Patch management is still difficult for organizations to conquer; the fear is disrupting the business with a patch that breaks business functionality. A good staging environment and a regular patching program kept up to date are well worth the effort.
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.