In June 2021, The Washington Post identified five ransomware myths that could cloud organizations’ security strategies. It’s been a few months since the list was released, so let’s see how those myths are holding up as we launch into Q1 of 2022:
This isn’t even close to being true. Ransom demands were at an all-time high in 2021. According to Bloomberg, ransomware attackers were asking between $50 million and $70 million on average in May 2021.
Victims might rely on cyber insurance to cover part of a ransom, and they might succeed in negotiating the demand down, but they still usually end up paying between $10 million and $15 million on average.
That’s the cost of a single ransomware incident, mind you, and it doesn’t include the risk of violating U.S. Department of the Treasury (OFAC) sanctions by paying designated malicious cyber actors.
Organizations can rely on data backups as an alternative, but this course of action comes with its own costs in terms of downtime. Indeed, ZDNet reported in early 2020 that companies suffered 16.2 days of downtime on average following a ransomware incident. The cost of this disruption could far surpass the cost of fulfilling a ransom demand.
Or could it? In our recent ransomware report, we learned that 80% of victims who met a ransomware attacker’s demands experienced another attack from either the same group or a different threat actor. What’s more, nearly half (46%) of victims found that some, if not all, of their data was corrupted once they regained access to it after paying a ransom.
Not so clear-cut, is it?
What is apparent is that victims can restore their data using cost-effective alternatives to traditional data backups. Forbes noted, as an example, that security teams can keep an image of their data behind an overlay that the attackers cannot detect: every write made after the image is taken lands in the overlay, so if the organization suffers a ransomware infection, the attackers only ever modify the overlay.
The original copy of the data stays intact, allowing security teams to roll their information back to its pre-attack state in a single step. This mechanism causes little downtime, and its cost pales next to what organizations stand to lose by paying ransomware attackers. The caveat is that the scheme only works if the underlying image is genuinely read-only from the compromised hosts; a snapshot the attacker can reach and overwrite is no better than any other online backup.
Even so, any recovery technique takes time and brings its own risks (the image has to be verified as untouched before it is rolled back, and the rollback has to be repeated on every affected system), so preventing a ransomware attack from succeeding in the first place is still the ideal solution.
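To make the overlay mechanism concrete, here is an added illustration in Python (my own toy model, not code from Forbes, Cybereason or any product described on the page). It models a snapshot as a base image plus a copy-on-write overlay: normal writes, including a simulated encryptor, land only in the overlay, and rollback discards the overlay. It also shows the failure mode mentioned above: when the base image is reachable read-write from the compromised host, rollback no longer restores clean data and the integrity check catches it. The file contents, the XOR "encryption" and the `OverlayStore` API are all constructed for the example.

```python
import hashlib
from types import MappingProxyType


def _digest(files):
    """Order-independent SHA-256 over (name, content) pairs, recorded at snapshot time."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()


class OverlayStore:
    """Toy snapshot: a base image plus a copy-on-write overlay that receives every later write."""

    def __init__(self, base, immutable_base=True):
        self._raw_base = dict(base)
        # With immutable_base the base is exposed read-only (any write raises TypeError).
        # Otherwise it stays a plain writable dict, modelling a snapshot that the
        # compromised host can still reach and overwrite.
        self._base = MappingProxyType(self._raw_base) if immutable_base else self._raw_base
        self._base_digest = _digest(self._raw_base)
        self._overlay = {}

    def names(self):
        return sorted(set(self._base) | set(self._overlay))

    def read(self, name):
        # The overlay shadows the base: the host sees the most recent write.
        return self._overlay[name] if name in self._overlay else self._base[name]

    def write(self, name, data):
        self._overlay[name] = data          # ordinary writes never touch the base image

    def write_base(self, name, data):
        """What an attacker attempts when the snapshot itself is reachable read-write."""
        self._base[name] = data             # TypeError when the base is a mappingproxy

    def rollback(self):
        self._overlay.clear()               # discard everything written since the snapshot

    def base_intact(self):
        """Verify the base before trusting a rollback."""
        return _digest(self._raw_base) == self._base_digest


def xor_encrypt(data, key):
    """Stand-in for the ransomware's file encryption (constructed; not a real cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def simulate_ransomware(store, key, reach_base=False):
    """Encrypt every file the host can see; optionally also try to trample the snapshot.
    Returns True if any write to the base image succeeded."""
    touched_base = False
    for name in store.names():
        ciphertext = xor_encrypt(store.read(name), key)
        store.write(name, ciphertext)
        if reach_base:
            try:
                store.write_base(name, ciphertext)
                touched_base = True
            except TypeError:
                pass                          # read-only base: the attempt fails
    return touched_base


# Constructed sample data for the example.
FILES = {"q3-ledger.csv": b"acct,amount\n1001,250.00\n", "notes.txt": b"board minutes"}
KEY = b"\x5a\xa5"


def recover(immutable_base):
    """Run the attack against a store, roll back, and report (base intact?, files after rollback)."""
    store = OverlayStore(FILES, immutable_base=immutable_base)
    simulate_ransomware(store, KEY, reach_base=True)
    assert store.read("notes.txt") != FILES["notes.txt"]   # from the host's view the data is encrypted
    store.rollback()
    return store.base_intact(), {n: store.read(n) for n in store.names()}


if __name__ == "__main__":
    for immutable in (True, False):
        intact, files = recover(immutable)
        label = "read-only base" if immutable else "writable base "
        print(f"{label}: {'clean' if intact else 'CORRUPT'} {files}")
```

Running the block prints a clean recovery for the read-only base and a corrupted one for the writable base. The point of `base_intact()` is that a rollback is only as good as the verification performed before it; in a real deployment that check is a stored hash or a signed manifest of the snapshot, not a trusted assumption.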
Nope. ThreatPost covered a report that documented a 151% increase in global ransomware attack volume for H1 2021, to 304.7 million attack attempts. That’s about 100,000 more attack attempts than security researchers logged for all of 2020.
These levels of ransomware attacks persisted into Q3 2021. Help Net Security reported a 148% increase in global ransomware attacks during that period. That put the total volume of attack attempts at 470 million for the first nine months of the year.
Furthermore, attackers are increasingly targeting organizations on weekends and holidays, when they know their victims likely have only a skeleton crew on hand to respond. A recent study, Organizations at Risk: Ransomware Attackers Don’t Take Holidays, found that weekend and holiday attacks have a significant impact on victim organizations.
The findings showed that 60% of respondents said a weekend or holiday attack took longer to scope, 50% said they needed more time to mount an effective response, and 33% said they needed longer to fully recover from the attack.
One reason responses were slower: 35% said it took longer to assemble the right team to respond.
Not true. Ransomware operates by pressuring victims into paying for a decryption key that they can use to recover their data. But organizations don’t necessarily need to pay anyone to obtain a decryption utility. Many ransomware decryptors are freely available through the No More Ransom project, with new tools coming out for emerging families all the time. The caveat is that a free decryptor exists only where a family’s cryptography was implemented badly or its keys were leaked or seized, so coverage is uneven and a current, intact backup remains the dependable route.
That said, the decryption process, whether it uses a key supplied by the attackers or a tool offered by a third party, is time consuming: each infected endpoint needs to be decrypted individually.
For medium and large organizations, this is a huge undertaking and likely to impact business operations for an extended period. So, again, preventing a ransomware attack from being successful in the first place is still the ideal solution.
There’s the argument that digital attackers can use cash, iTunes gift cards, and other payment methods to facilitate their attacks. But that’s not the case in the age of RansomOps™ where ransomware actors prey on large organizations with highly targeted attacks that leverage unique TTPs, making them harder to detect and stop.
Per the Wall Street Journal, cryptocurrencies like bitcoin provide a level of pseudo-anonymity that attackers can use to facilitate their attacks. It’s also easier for them to move large amounts of money into and out of shell companies than they otherwise could with a traditional bank account (or iTunes account, for that matter):
Ransomware can’t succeed without cryptocurrency. The pseudonymity that crypto provides has made it the exclusive method of payment for [malicious] hackers. It makes their job relatively safe and easy…. Before cryptocurrency, attackers had to set up shell companies to receive credit-card payments or request ransom payment in prepaid cash cards, leaving a trail in either case. It is no coincidence that ransomware attacks exploded with the emergence of cryptocurrency.
Not everyone agrees with that assessment. Marcus Hutchins, the British hacker who halted the 2017 WannaCry outbreak, clarified to CoinDesk that cryptocurrency has helped make ransomware more accessible to would-be attackers without technical skills and has thus contributed to the threat’s proliferation.
Hutchins said that “these kinds of attacks would have persisted” without cryptocurrency, noting how ransomware attackers can use money laundering networks that rely on USD for their operations.
Multi-Factor Authentication (MFA) can help prevent attackers from compromising an individual account or user identity that they would then abuse to move laterally across the network and deploy their ransomware payload along the way. But MFA concerns authentication and access only; it does not directly prevent someone who is already inside from deploying ransomware on a target’s network.
RansomOps attacks are sophisticated and are more akin to stealthy APT-like operations than the old “spray-and-pray” attacks of yesterday, often with multiple players at work, each with their own specialization. These are complex, multi-staged attacks. MFA is always a good idea, but it is by no means a silver bullet against ransomware.
It’s nearly impossible to control the impact of a ransomware attack once it’s successful. The best way to minimize the potential impact from ransomware attacks is to detect and block them earlier in the attack sequence.
Remember, the actual ransomware payload is the very tail end of a RansomOps attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be intercepted before there is any serious impact to the targeted organization.
Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture and every other ransomware family.
Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.