Activity across the ransomware landscape is at an all-time high. Colonial Pipeline is just one recent case in point. The pipeline system, which accounts for 45% of the East Coast's fuel, had to shut down its operations due to a DarkSide ransomware attack.
The spotlight on the threat led President Biden to indicate that the U.S. would act against ransomware gangs moving forward. In response, DarkSide appears to be shutting down, and we saw three hacking forums -XSS, Xploit Forum and Raid Forum –announce they would ban ransomware ads, and two other ransomware groups – REvil and Avaddon –announce plans to stop operating in public and go private.
This wave of retraction by ransomware gangs, however, doesn’t mean that they won’t continue pursuing attacks – it just means that they’ll sink deeper into the shadows. The rewards are too big to walk away from.
Rewards Have Doubled
According to Sophos’s The State of Ransomware 2021 report, based on findings from an independent survey of 5,400 IT managers in mid-sized organizations in 30 countries across the globe, while the number of organizations being hit by ransomware has dropped in the past 12 months down 14% since 2020 - the financial impact of an attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021.
During a time of uncertainty as it is, organizations are desperate to keep their businesses up and running, and as a result, are increasingly paying the ransom to get their data back, 32% up from 26% in 2020. But, what adversaries fail to mention in their ransom notes is that your likelihood of organizations getting all of its data back after paying up is very slim – only 8% got back all their encrypted files. Further, on average, organizations that paid the ransom, only got back 65% of their data, with 29% getting back no more than half their data, confirming that when it comes to ransomware, it doesn’t pay to pay.
The report also provides insight into how different countries and sectors have been affected by ransomware over the last year. Some highlights include:
- India reported the most ransomware attacks with 68% of respondents saying that they were hit last year. Conversely Poland (13%) and Japan (15%) reported the lowest levels of attack.
- Geographical neighbors Austria and the Czech Republic are poles apart when it comes to ransomware recovery costs: Austrian respondents reported the highest recovery cost of all countries surveyed while Czech respondents reported the lowest.
- Retail and education (both 44%) were the sectors that reported the highest levels of attack.
- Energy, oil/gas, and utilities is most likely to pay the ransom (43%).
Defending Against Ransomware
Considering these findings, Sophos experts recommend the following best practices for channel partners to protect themselves and their customers against ransomware:
- Assume you and/or your customers will be hit: Ransomware remains highly prevalent. It’s better to be prepared but not hit, than the other way round.
- Make backups: Backups are the number one method organizations used to get their data back after an attack. And as we’ve seen, even if you pay the ransom, you rarely get all your data back, so you and your customers will need to rely on backups either way.
- Deploy layered protection: In the face of the considerable increase in extortion-based attacks, it is more important than ever to keep the adversaries out of you and your customers’ environments in the first place. Use layered protection to block attackers at as many points as possible across your environment.
- Combine human experts and anti-ransomware technology: The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology gives you and your customers the scale and automation needed, while human experts are best able to detect the tell-tale tactics, techniques, and procedures that indicate that a skilled attacker is attempting to get into the environment.
- Don’t pay the ransom: Independent of any ethical considerations, we know that paying the ransom is an ineffective way to get data back.
- Have a malware recovery plan: The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Partners and their customers that fall victim to an attack often realize they could have avoided a lot of cost, pain, and disruption if they had an incident response plan in place.
To learn more about today’s ransomware landscape, click here.