If I could have one wish for 2024, it would be that we stop calling ransomware by the same name.
What started as the simplest of notions, encrypting data and extorting money to restore access, has evolved numerous times into a threat that is far more akin to Nimda (2001), which was recognized as one of the first of an era of blended attacks, the 'Swiss army knife' attacks of the early 2000s.
Today, ransomware uses numerous techniques to gain access. Our latest Ransomware: True Cost to Business report shows that 41% of bad actors got in via the supply chain, 24% got in directly and 22% got in with the help of an insider. What were they after? Not just encrypting information, but now also analyzing and stealing rich data and credentials. It's no longer a smash-and-grab crime; today it's a crimewave, which is why it has become such a key part of the cybercrime ecosystem and, in my humble experience, why it is the only attack that most executives and board members know by name.
In November 2023 the cyberworld took another huge evolutionary leap: ChatGPT erupted onto the scene, and we fully expect it to drive the next evolution of ransomware. In our 2022 report we had started to see ransomware have more success and business impact on non-English-language businesses, even though these attacks came in the English language.
Not only do generative AI tools such as ChatGPT provide dynamic translation at an extremely high level, so attacks can be localized, they also allow the automated gathering of public information on people and businesses to dynamically create very personalized social engineering attacks. As such, I have to expect this trend of localized attacks to accelerate. It's no surprise that this trend of localized attacks has already accelerated, with 76% of German and 71% of French organizations reporting a second attack, even after paying a ransom the first time.
At the same time, generative AI also offers the ability to reduce some of the skills required to codify attacks, lowering the barrier to entry and increasing automation in writing attacks, especially with purpose-built tools such as WormGPT.
So what does all this mean?
Businesses cannot afford to assume that historical ransomware controls will be good enough in the future. What this year's research showed was that whilst the majority of businesses have a ransomware strategy in place, many are incomplete, missing either the documented plan or the people to execute it, despite 87% increasing budgets to better deal with ransomware.
Whilst the number of people moving into the cybersecurity industry continues to grow, so does the demand for skilled experts. Indeed, 67% of respondents in the annual ISC2 workforce study still flagged a shortage of staff to prevent or respond to an incident. With adversaries also often targeting businesses outside of working hours, these businesses must have tried and tested capabilities to deal with current ransomware 24x7x365. This is why we see more and more organizations moving to a managed incident detection and response service.
It's not surprising that most (95%) are now bolstering their business's resilience to ransomware attacks through cyber insurance. Yet this is by no means a panacea, as we found out this year. Many don't have a clear understanding of the degree to which their policy covers them against ransomware, and whilst most were able to make some level of claim, the majority didn't get the payout they were expecting.
Whilst we see more focus on targeting non-English-language countries, we should also expect the ransoms to increase in these countries as the adversaries gain a better understanding of what businesses are willing to pay to avoid disruption. In fact, the amount of ransom paid by the organizations taking part in the study was highest in the US ($1.4M).
Paying is problematic on several levels. There is no guarantee that your data and systems will be returned uncorrupted, that attackers won't sell your data on the black market, or that you won't be attacked again. And if there is any evidence that your payment was used to fund terrorism or organized crime, you could find yourself facing criminal charges. Of course, going back to our very first report in 2021, if you do decide to pay, don't expect to get all your data back: typically only 46% was recovered, and those statistics haven't changed in our latest report. Our latest report also reveals that a staggering 78% were attacked again after paying the ransom, 82% of them within a year. Payment does not buy any future protection!
So what should you take away?
The threat continues to evolve, but it's clear from the research that businesses' ransomware resilience plans are not keeping pace. So, test your capabilities and resources, involve the rest of the business, and consider whether you have adequate capacity and scale in-house or whether you need third-party services to ensure you have a plan fit for both today's and tomorrow's attacks.
Download the full report below to gain access to data on loss of revenue, executive turnover, evolution of ransomware attacks, and how Cybereason can help you not only detect, but prevent bad actors.