Ransomware is a type of malware that encrypts a computer’s files, locking users out of the system until a ransom is paid to a cybercriminal, usually in bitcoin. According to the latest white paper from Keeper Security, "Understanding & Preventing Ransomware Attacks," ransomware attacks have become increasingly common for three reasons:
  1. They require little technical expertise to launch. Less technically sophisticated attackers can even purchase “ransomware-as-a-service” packages on dark web forums.
  2. Unlike data breaches, where cybercriminals must first steal data, then find willing buyers, ransomware paydays are almost immediate.
  3. More victims than ever are paying up. In 2018, only 39% of victims gave into ransom demands; by 2020, that figure was estimated to be as high as 58%.

Ransomware attacks are rapidly increasing in frequency, with a surge after the COVID-19 pandemic began. Between Q4 2019 and Q1 2020, ransomware attacks rose by 25%, and ransomware finally surpassed payment card theft to become the most common type of cyber threat, says Keeper, and a new attack happens about every 14 seconds, according to Cybersecurity Ventures.

Below is Keeper Security's white paper, "Understanding & Preventing Ransomware Attacks."


The high cost of ransomware attacks 

The financial toll from ransomware attacks is also rising. Global damages from ransomware attacks more than doubled between 2017 and 2019, and according to Cybersecurity Ventures, they are expected to reach $20 billion by 2021. In addition to direct costs, such as ransom payments and repairs to damaged systems, organizations face significant indirect costs from having to scale back operations or temporarily close while repairs are made. The average downtime from a ransomware attack is 9.6 days.

While cyber insurance covers some of these costs, organizations cannot depend on cyber policies to make them whole after a ransomware attack. The typical cyber insurance policy does not cover regulatory fines for violating compliance mandates such as PCI DSS and HIPAA; attacks involving malicious insiders, including disgruntled employees, ex-employees, and third-party vendors; or all of an organization’s losses from downtime. If an organization must shut down for an extended period of time, or if digital, intellectual property (IP) is breached during the attack, it could suffer irrevocable damage.


The emerging threat of double extortion

Double extortion, also known as “name and shame,” effectively transforms ransomware attacks into data breaches. After first appearing in late 2019, it now accounts for over one-tenth of ransomware attacks. In a double extortion attack, cybercriminals don’t just encrypt a victim’s data; they also steal it, then threaten

to publicly release or sell it if the ransom is not paid.


High risk sectors

When ransomware first emerged, victims were usually very large enterprises; the reasoning was that these victims had deep enough pockets to pay ransom demands. However, large companies could also afford to harden their security defenses to prevent future attacks. Stymied by comprehensive cybersecurity defenses at large enterprises, cybercriminals turned their attention to small and medium-sized businesses (SMBs) and state and municipal governments. These organizations tend to be resource-poor. Nearly half of private-sector SMBs budget less than $5,000 per year on cybersecurity, and most U.S. states devote less than 3% of their budgets to IT security.

In 2019, SMBs represented about 60% of ransomware victims, with healthcare, professional services, and financial institutions the top three targets. Ransomware attacks on healthcare organizations surged by 350% between 2018 and 2019,11 and most successful attacks target facilities with fewer than 500 employees.

Ransomware incidents targeting municipal governments rose by 60% in 2019,13 when over 163 ransomware attacks hit municipal governments around the U.S. Victims paid at least $1.8 million in ransom, in addition to tens of millions more in recovery and mitigation costs.



Cybercriminals attack large enterprises’ supply chains

This is not to say that large enterprises are immune from ransomware attacks. The first half of 2020 saw a spate of attacks on major corporations, including Honda, Chubb, Cognizant, Garmin, and U.S. Department of Defense contractor, CPI. Garmin is rumored to have paid $10 million to regain access to its systems.

Today’s sprawling supply chains are another routethrough which cybercriminals attack large enterprises and multinationals. If a cybercriminal cannot get past a large enterprise’s security defenses, they target a small, resource-poor vendor. In March 2020, an organized cybercrime group used DopplePaymer ransomware to attack a supplier for Tesla, Boeing, and Lockheed Martin.16 Three months later, the same group targeted an IT contractor whose customer roster included NASA and a number of Fortune 100 firms. In May 2020, another organized ransomware group targeted two food distributors to national supermarket chains, including Kroger, Sprouts, and Albertsons.


Ransom: to pay or not to pay?

Whether to pay a ransom is a matter of great debate, even among cybersecurity professionals. Cyber insurers often encourage victims to pay; most policies cover ransom payments. Some security professionals argue that ransom costs may be far lower than data recovery costs, especially for SMBs that cannot afford extended downtime. At healthcare facilities and government agencies, downtime could put human health and lives at risk.

Other security professionals, as well as most law enforcement agencies, argue that paying ransoms only

encourages future attacks, and paying does not guarantee restoration. While most organizations that pay up do get their data back, approximately 20% do not.19 Additionally, in double extortion cases, cybercriminals still have possession of stolen data. Regardless of their promises to destroy the data after receiving the ransom, they may still sell it, publicize it, or use it as fodder for future attacks, such as business email compromise (BEC).

With so much at risk, the optimal solution is to prevent ransomware attacks from happening in the first place.


How to prevent ransomware attacks

Antivirus software and most identity and access management (IAM)systems do little to protect organizations from ransomware. Ransomware defense requires a multi-pronged, proactive approach.

1. Perform Regular System Backups

Regular system backups are essential, not only to recover data after a ransomware incident or another cyberattack but also after catastrophic system outages and damage to hardware after natural disasters. However, system backups are not a silver bullet, as new-gen ransomware variants seek out and encrypt backup files before attacking the rest of the network.

2. Train Employees to Avoid Phishing & Other Social Engineering Scams

Since many ransomware payloads are delivered in phishing emails, training employees to avoid phishing scams is another critical step to preventing infection. However, like system backups, it is not a silver bullet, as brute-force attacks have surpassed phishing to become the most common method of delivering ransomware.

3. Secure your Employees’ Passwords

Weak and compromised passwords are the biggest threat to organizational cybersecurity. In addition to fueling the brute-force attacks that are the most common ransomware delivery method, poor employee password habits are behind the overwhelming majority of data breaches.

In a brute-force attack, cybercriminals obtain a list of passwords stolen during a data breach, then attempt to use them to compromise servers and endpoints, usually with the aid of bots. Because so many users use weak, common, and easily guessed passwords, and reuse passwords across accounts, these attacks are very successful. Brute-force attacks can be prevented by mandating that employees use strong, unique passwords for all accounts; use multi-factor authentication (2FA) on all accounts that support it, and use a password manager.

4. Subscribe to a Dark Web Monitoring Solution

Even if a user is diligent about using strong, unique passwords, their password can still be compromised. Data breach victims are typically the last ones to know that their passwords have been stolen. The average “dwell time,” which is the period between the initial breach and the time a company discovers it, is 101 days. Dwell times that greatly exceed this average are not unheard of. It took Marriott Starwood four years to discover that its systems had been breached. Once cybercriminals steal login credentials, they put them to use very quickly. For this reason, Dark Web monitoring services are essential to preventing ransomware infections. These services scan Dark Web forums and notify organizations in real-time if any of their employee passwords have been put up for sale, allowing IT administrators to force password resets right away.


For the full white paper and a list of citations for all facts and statistics cited in this article, please visit https://www.keepersecurity.com/ransomware2020.html