Paying Not an Option When Ransomware Hits

The rapid rise of ransomware has made it the latest marquee threat in cybersecurity. The growth in victims and damages has been widely reported, with successful attacks being waged against organizations of all sizes and stripes. However, this trend has had a disproportionate impact on small and medium-sized businesses.

To get a fresh, direct line on the effect ransomware is having on these organizations, we surveyed members of Spiceworks, an IT community site numbering well over a million account holders and geared to IT administrators and managers in the SMB space. We asked respondents whether they had been victims of ransomware, how they responded (or how they thought they would respond), and how the threat of ransomware has affected their organization. Their answers were consistent and described a common frustration, resignation, and uncomfortable urgency with the issue.

When they get hit, they disconnect

Most ransomware does not hide the fact it has just locked down your system or encrypted your critical files. It alerts you. As a result, a majority of survey respondents said they were aware they had been compromised within an hour of the event. 90% were aware of the attack within 24 hours.

This is very different from traditional data breaches, where the average time of discovery is measured in months, not hours, according to research from the Ponemon Institute (PDF).

Unfortunately, the mission of the ransomware attack is accomplished in a much shorter period. Typical lockdown or encryption of a system happens within a minute or two of the ransomware’s execution. At that point, there are only two choices left: pay or start cleaning up. Regardless, the very first task most survey respondents focus on is isolating the infection. 75% of the victims pull the machines as soon as possible and begin some form of restoration process.

Common Ground: Don’t Pay

The most surprising response was the near-unanimous resistance of these IT professionals to paying the ransom. Reporting on attacks at places like Hollywood Presbyterian Hospital in California and others has shown the willingness of organizations to pay. Back in 2014, Kent University reported that 40% of CryptoLocker victims had chosen to pay, and more recently the US DoJ reported on millions spent on ransomware and recovery efforts since 2005.

Both of the respondent groups (prospective and actual victims) agreed that paying was not a viable option, as 95% of ransomware victims refused to pay the ransom. Over 80% of the not-yet victims also indicated they wouldn’t pay if they were attacked. Their reasons were mixed, but most were unconvinced paying would result in them actually getting their data back. Others felt that they would do well enough by restoring from their own backups.

Lessons Learned: Backups Can Come Up Short

The most common mitigation for these organizations was to restore their affected systems from backup. The unaffected groups indicated that they were backing up almost 100% of their data, and 81% felt that these backups would allow them to completely recover. Unfortunately, among the victims, only 42% were able to recover all of their data during the restoration process. They were able to make substantial progress in recovery, but their comments highlighted gaps that included unmonitored and failed backups, accessible backup drives that were also encrypted, and the loss of between 1 and 24 hours of data since their last incremental snapshot.

An effective backup strategy is the most common recommendation for organizations looking to blunt the effect of ransomware. Surprisingly, when these administrators were asked what changes they made to their security in the wake of the attack, only 8% of the victims reported improving their backup strategies. Instead, the majority focused on increased restrictions of access and content through technology (63%) and providing additional awareness training in hopes of changing user behavior (47%).

Looking Ahead

The market forces driving ransomware are still in their infancy. The business models, tools, and actors are evolving, and defensive strategies need to do so as well.

Even now, existing ransomware tools like TeslaCrypt and Locky are emerging with new techniques and improved abilities to hide themselves and spread. This survey helps highlight three key areas where the actual victims and targets of ransomware see the need to improve:

● They want new tools that will help to prevent them from becoming victims.

● They want to help their users understand the threats that they are under to make them a defensive asset and not a vulnerability.

● They want to be able to broadly recover without paying the criminals.

If they can accomplish these three things, the profit motive driving the growth in ransomware will begin to erode. Then organizations can turn their focus to addressing whatever new criminal trend will be waiting around the corner.
