Security Experts:

When Ransomware Hits Business - Paying Up Unlikely to Guarantee Resolution

A new survey into the prevalence and effect of ransomware confirms many other surveys -- around half of all companies have now been affected within the last 12 months. Now, however, there is increasing evidence that paying the ransom is not the end of the matter: 86% of companies that paid up reported that the extortionist attempted to extract a second ransom; and 81% said they had been attacked at least three times.

Vanson Bourne surveyed 500 companies for next-gen endpoint security firm SentinelOne: 200 in the US, and 100 in each of France, Germany and the UK.

SentinelOne chief security consultant Tony Rowan is unsurprised at the repeat visits. When an extortionist succeeds, he learns that the company is willing to pay up and the network is open to attack. "If you can beat existing defenses once," he told SecurityWeek, "then it's easy enough to beat them again just by modifying the malware packaging." He believes that it is the same attacker that returns rather than a different extortionist.

This may be the motivation for a migration from perimeter detection to mitigation as a means of defense. While 67% of attacked companies have increased their security spending, 52% have changed strategy to focus on mitigation. Fifteen percent have adopted cyber insurance as a means of financial risk transference.

SentinelOne also looked at the effect of being hit by ransomware. The first action by most companies is to notify the CEO and/or board (67%). The sequence then seems to be to contact law enforcement, notify lawyers, notify data protection regulators, attempt decryption, notify customers, demand answers from the security vendor, contact insurance provider, and (at 18%) change security vendor. While this sequence is broadly similar across all four polled countries, there are nevertheless some marked differences between them. For example, where 40% of companies rapidly contact their lawyers in France, 60% do so in the US. While 22% of US companies change their security vendor, only 10% do so in the UK.

What stands out from this list is the speed and frequency with which companies notify their relevant data protection regulator and their customers. The reality is that it is hard to deny or hide a ransomware attack -- but nevertheless common perception would be that encrypted files are an internal worry only. This survey suggests otherwise.

When asked about the attacker's motivation, the most popular and unsurprising response at 54% was 'financial gain'. The next three, however, were more surprising: simple disruption to a successful business (47%), cyber espionage (42%), and political motivation (30%). "These results," suggests Rowan, "point to a significant shift for ransomware -- it's no longer just a tool for cybercrime, but now also a tool for cyber terrorism and espionage."

For espionage, if the criminal can drop encrypting malware, he can -- and might as well -- simultaneously drop exfiltration malware. As soon as any personal data is stolen, the matter becomes notifiable and perhaps explains the frequency with which data protection regulators are notified. 

Simple disruption and cyber terrorism are worrying trends. With the emerging 'ransomware as a service' it is becoming easier for competing companies to disrupt each other for competitive advantage. There is little public evidence to suggest that this is happening on any scale, but existing extortion victims are aware of the possibility. 

'Cyber terrorism' as a motivation is also worrying. Ransomware is effectively a reversible wiper -- but if it isn't reversed it is a practical wiper. It becomes a tool that can be used for political ends while appearing to be nothing more than criminal. 

The expansion of ransomware beyond a simple tool for financial extortion is supported by the identity of the attacker. When asked if organizations had been able to identify their attacker the most frequent responses were opportunistic hackers (48%) and organized cyber criminals (45%). However, not automatically financially-motivated attackers also figured highly: anti-capitalist protesters (31%), political hacktivists (24%), disgruntled employees (24%), dissatisfied customers (18%), and even state sponsored hackers (8%). 

In such cases the primary motivation might not be the ransom but the disruption. It is noticeable from the survey that in 57% of cases, the extortionist did not decrypt files despite being paid. In 43% of cases confidential data was released after the ransom was paid; and in 43% of cases the attacker decrypted the files and left.

The overriding conclusion from this survey is that ransomware is no longer just about extorting money; and paying any ransomware is unlikely to guarantee resolution.

SentinelOne has prepared an infographic providing its own commentary on the survey -- but it has also published the raw data, and this is likely to be of greater value to the security professional.

Related Reading: Ransoc Ransomware Blackmails Victims

Related Survey: 40 Percent of Companies Will Pay the Ransom

Related Reading: Paying Not an Option When Ransomware Hits

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.