Two out of every three organisations surveyed have suffered significant revenue losses as a direct result of a ransomware incident. Unsurprisingly, 81% of cyber professionals report they are highly or very concerned about the risk of ransomware. The findings come from a study by cybersecurity technology company Cybereason that aimed to quantify the blight of digital extortion.
“This research underscores that prevention is the best strategy for managing ransomware risk and ensuring your organisation does not fall victim to a ransomware attack in the first place,” writes Lior Div, the CEO of Cybereason.
The study, Ransomware: The True Cost to Business, surveyed 1263 respondents working across the cybersecurity industry. With the price of ransoms skyrocketing in the past three years, concern is high. In 2018, a ransom would reportedly cost an average of $6,000. By 2019, the figure had risen to $84,000. It more than doubled again in 2020 to $178,000 — a 2800% increase over 3 years.
Beyond the price tag
Just over half of respondents who suffered an attack reported that their brand was damaged as a consequence. And one out of every four organisations suffered a forced closure.
The financial strain also led to staff cuts for 29% of organisations. C-level roles were no better off: 32% of organisations lost top leadership by dismissal or resignation after a ransomware incident, underlining the toll the problem takes on leaders.
The findings present ransomware, and cybersecurity more generally, as a powerful force in the world — one not only harming business productivity but reshaping the structures of organisations.
The problem even impacts international relations and continues to make headlines every few weeks.
United States president Joe Biden recently called on Russia to crack down on threat actors within its borders, or else he would take “any necessary action” in response. His comments came days after another major attack that hit roughly 1500 companies worldwide.
The ransomware group responsible, REvil — known to operate out of Russia — is best known for the major incident that compromised meat processor JBS at the start of June.
A pernicious problem
To make matters worse, in the business of ransomware it does not pay to pay out.
Some 80% of organisations who pay their ransoms experience another attack at a later date. Of those that suffered a subsequent attack, nearly half believed it was perpetrated by the same threat actor. After paying a ransom, 46% of organisations regained access to their data only to find that some or all of it was corrupted.
According to Cybereason, once compromised, there is no good option.
“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organisation again, and in the end only exacerbates the problem by encouraging more attacks,” explains Cybereason’s Lior Div. He adds that getting in front of the threat by adopting a prevention-first strategy allows organisations to stop disruptive ransomware before it hurts the business.
Organisations often suffer from a double extortion threat that limits the effectiveness of options like data back-ups. Hackers wield the added threat of leaking sensitive data to the public or to the highest bidder, meaning that organisations have more than punishing data loss to think about. This can be enough to force compliance with their demands.
At present, 73% of organisation have a specific plan or policy in place to effectively manage a ransomware attack. Likely due to the industry skills shortage, only 42% of organisations believe they have the right people in place to do the job.
Prevention
Cybereason suggests a number of steps that organisations can take to protect themselves.
Timely patch management, offsite data back-ups, and employee security awareness training are clearly essential. Prevention capabilities need to be multi-layered and present across the network at all enterprise endpoints. Organisations should also implement extended detection and response solutions for visibility, to stop ransomware attacks before adversaries have established themselves on the network.
The industry must also move towards a model of prevention that analyses behaviour, not just indicators of a compromise, according to the report. Behaviour provides clues about what is happening now or even what may occur soon, whereas compromise indicators allow only a response to malicious actions that have already happened.