Rates of ransomware attacks and encryption have returned to very high levels after a temporary dip during the pandemic. What is causing this surge?
While there was a temporary dip in ransomware attacks during the pandemic, rates of ransomware have been steadily increasing for years. What we are now seeing is a levelling off to a background rate of two-thirds to three-quarters of all attacks being ransomware in any given year. Ransomware attacks can be expected to continue at a similar rate so long as they remain profitable for cybercriminals.
Which sectors have reported the highest level of ransomware attacks?
In a recent Sophos survey, the organisations that reported the highest rates of attack were education, construction, and central/federal government. Most sectors trended closely to the global average of 66 per cent, and no sectors were below 50 per cent. This further supports the notion that ransomware attacks are a prominent threat that every sector must defend against.
Is there any particular reason why education organisations were the most targeted?
Education is a chronically under-resourced sector. Not only are they often missing up-to-date prevention and detection technologies, but they are also lacking the people that are needed to investigate alerts. Most ransomware victims aren’t directly targeted but opportunistically chosen by mass scanning. Education’s relatively weak security posture enhances the likelihood that they will be caught up in these dragnet searches for vulnerable organisations.
What percentage of organisations that had their data encrypted ended up paying the ransom, and how does this rate differ based on the size of the organisations?
Unfortunately, there has been a steady year-on-year rise in data encryption rates. This year’s survey respondents said that 76 per cent of all ransomware attacks succeeded in encrypting data. Both small and large organisations struggled with preventing data encryption. This suggests that earlier detection of active adversaries and ransomware attack prevention tools are lacking in many organisations.
In terms of recovery time, what is the difference between organisations that paid the ransom and those that used backups?
Recovery time differences between those organisations that paid the ransom and those that didn’t weren’t massive. However, those organisations that used backups had an edge over the ones who paid, with 45 per cent being able to recover within a week. Importantly, recovery costs for those that paid the ransom doubled over those that chose to use backups. Paying the ransom is not only costlier, and potentially slows down recovery times, but crucially doesn’t ensure that all data will be recovered.
What key steps do organisations take to defend against ransomware and other cyberattacks?
Defending against ransomware and other threats starts by deploying security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and zero trust network access (ZTNA) to thwart the abuse of compromised credentials. Adaptive technologies that respond automatically to attacks can disrupt adversaries and buy defenders time to respond. 24/7 threat detection, investigation, and response, whether delivered in-house or in partnership with a specialist Managed Detection and Response (MDR) service provider, is required to safeguard the organisation against human-led attacks. Optimising recovery preparation can lessen the severity of an attack, as well as the cost and time of recovery. This includes making regular backups, practising recovery from backups, and maintaining an up-to-date incident response plan. Finally, maintaining good security hygiene, including timely patching, and regularly reviewing security tool configuration will lower the likelihood of being caught up in the opportunistic dragnet of potential victims.