It does not pay to pay. This advice about ransomware payments is frequently given, but seldom quantified. Now it is. According to new research, 80 percent of organizations that paid a ransom were targeted again, with 40 percent paying again. Seventy percent of those paid more the second time.
These findings are based on a Cybereason survey, conducted in April 2022, of 1,456 cybersecurity experts from companies with 700 or more workers. The facts in the report, Ransomware: The True Cost to Business (PDF), are frightening.
It is not an issue that can be dismissed with the hazy idea that ‘it will never happen to me.’ In the last 24 months, 73% of firms have experienced at least one ransomware attack, up 33% from last year.
Sixty percent of businesses revealed that ransomware gangs had been in their network for one to six months before being identified, a major signal of a double extortion operation. Paying the double extortion demand, however, does not help; over 200,000 businesses never received their data back after paying. And the criminals still have access to the information. Because of a ransomware attack, 35% of organizations had C-level “resignations.”
Other major results of the study include the prominence of the supply chain as a factor in attacks. Sixty-four percent of businesses believe the ransomware group infiltrated their network through one of their suppliers or business partners.
Business disruption is almost unavoidable. Following an attack, 31% of enterprises were compelled to temporarily or permanently cease operations, and over 40% of companies laid off employees as a result. Only 42% indicated the payment resulted in the restoration of all systems and data (down from 51% last year). Furthermore, 54 percent said that system faults remained or that some data was damaged following decryption.
The most striking sign of the futility of paying comes from the frequency with which repeat extortion attacks occur. Eighty percent of victims were struck again. Forty percent of the participants paid the second ransom, 10% paid the third, and 1% paid the fourth. Additional attacks generally occur quickly and demand a larger sum. Sixty-eight percent of businesses reported that the second attack occurred less than a month after the first, with a higher demand.
Cybereason argues that the difficulty of complete recovery after a successful attack and subsequent decryption is a major factor in repeated attacks. Because the attackers understand that full and effective restoration, forensic investigation, and the deployment of new protections take time, they hit again while the firm is still vulnerable and reeling from the initial attack.
“The key to comprehending this is to understand the economics of ransomware-as-a-service,” Cybereason CSO Sam Curry told SecurityWeek.
“It’s tempting to think of these groupings as traveling gangs because of the names we give them. But that is deceptive. Ransomware cartels, rather than ransomware gangs, might be a better moniker for them. There is a network of affiliates that gather victims in an automated manner and essentially sell them to ransomware firms that do the nasty job of network infiltration, detonation, and extortion.”
Curry believes that in many situations, the affiliates maintain control and can sell it to another gang or cartel. “In fact,” he said, “the cartel may keep coming back for more. Why not, if the victim’s security policies remain unchanged? As in the real world, organized crime does not shy away from money, and the score may frequently organically morph into a continuing-to-pay protection racket.”
However, he believes that the evolution of ransomware will not end at double extortion. Extortion only works if victims pay the demand; ransomware developed into double extortion to make the threat more compelling. However, Cybereason’s own data shows that it does not always work. “Paradoxically,” the survey states, “78 percent of firms that claimed they did not pay a ransom reported they were able to fully recover systems and data without getting the decryption key at all.” If this approach spreads, as the research suggests should be the goal of every victim, the attackers will need to innovate once again.
Will this entail more direct OT targeting? “Certainly!” he said. “The data in this study may not be adequate to prove it, but OT is increasing at an exponential rate and is dreadfully vulnerable.” Too many OT devices ship with bad encryption, non-functional hardware trust roots, inadequate update methods, weak default identity credentials, and other flaws.
“Not only may these devices be exploited and denied usage, like an MRI machine being bricked or a lathe in a manufacturing plant, but they can also serve as a point of entrance for other networks and expose businesses to totally new attack vectors. The next evolutionary phase not only might, but will, take the path of least investment and least risk for most profit — and OT must be considered in the R&D departments of ransomware cartels and their ilk throughout the world.”
As a result, businesses and organizations must take proactive measures to protect their data. Backing up data for disaster recovery helps guard against these threats. Data protection technologies are now widely available and simple to use. Consider the well-known case of virtual machine backup. Virtual machines can run many operating systems concurrently, conserving both physical and virtual resources. VMware Backup, XenServer Backup, Hyper-V Backup, and other virtual machine backup programs are now commonly used.