I recently came across a report from the security firm Sophos, describing the state of ransomware in 2021. Here is a link to the document if you would like to read it yourself. 2021 has been the second year (at least) where Sophos had commissioned a study to delve into the state of ransomware. The results are interesting (at least to security folks). Allow me to provide a few thoughts.
Key Findings in the State of Ransomware 2021
What would a report be without some key findings? Here are the findings I found most interesting.
- 37% of respondents said their organization had been a victim of a ransomware attack.
- Of the organizations who had been attacked, 54% said that the attackers were able to encrypt their data.
- 96% of organizations reported retrieving their data.
- However, organizations that paid the ransom demand only recovered 65% of their data.
- Extortion-style attacks (“pay us or we’ll release your data”) doubled from 2020 to 2021, albeit from a small base (3% in 2020 to 7% in 2021).
Remember That It’s Just Business
I find it fascinating to see how the state of ransomware has evolved, in keeping with what I will call market conditions.
- The rise in extortion-related attacks is interesting. The report stated that the attackers sometimes cite the high fines imposed by regulators in the event of a data breach as a way of defending the size of their ransom demand. Someone has done their homework here! If you are looking at a $100M fine for experiencing a data breach, an offer to keep things quiet for, say, $50M sounds like a bargain.
- On a related note, Education (44% attacked) is one of the two most attacked sectors. It is possible that hackers view educational institutions as having deep pockets when it comes to paying out ransoms.
- Local governments have become a bigger target (34% reported a ransomware attack). Hackers seem to have learned that local governments often lack the IT budgets to construct good cybersecurity defenses. (69% of local government respondents said that their data was encrypted in a ransomware attack.) It is also possible that hackers go after local governments because the governments can tap into the tax base to pay a ransom.
- One positive sign about the state of ransomware: the success rate of data encryption during an attack declined from 73% in 2020 to 54% in 2021. Organizations are getting better at detecting ransomware attacks and stopping them before data gets encrypted.
- This may be why ransomware attacks have dropped from 51% of respondents in 2020 to 34% in 2021. It may be that attackers are reacting to better cybersecurity defenses. It is also possible that attackers are simply shifting from “spray and pray” attacks to more targeted attacks with bigger potential payouts.
What can we learn from the state of ransomware in 2021?
First, remember that ransomware attacks are a business. Like any business, the participants adjust their strategies in light of changed circumstances. Which sectors have the greatest ability to pay? Which have the weakest cybersecurity defenses? Where will the pain of data publication be felt most acutely? Who is most likely to pay a ransom?
In this light, you will want to define the circumstances under which the organization would be (economically) indifferent to a ransomware attack: that is, where the estimated cost to recover data from safe backup files is less than the likely ransom demand, or where the data that would be lost is not critical to the organization’s continuing operations.
Second, be reminded (again) that there is no honor among thieves. This aspect of the state of ransomware has not changed. When I receive a message (despite my enrollment in a government do-not-call list) offering me the option to “press 9 to be removed from our list,” do I believe them? This group already broke the law to put me on their list. Why would I think that they are suddenly going to revert to ethical business practices? And so it is with ransomware groups. Why should I believe that you will destroy the data you stole if I pay you a ransom? Why would I believe that your decryption key will unlock all my data?
Extortion Attacks are a Big Part of the State of Ransomware in 2021
Extortion attacks present a different problem to be solved. It is not enough to be able to restore data from a backup. Attackers are threatening to release your information into the wild (or even to targeted adversaries) unless you pay up. Here, the challenge is to ensure that there is nothing of value that could be revealed. Organizations working in controversial subject areas (such as abortion rights or climate change) must be especially vigilant about what data they have. Board members do not want their home addresses to be published, as an example. If you must maintain personally identifiable information, be sure to implement some level of Information Rights Management to control the unauthorized release of such information.
Here Are Some Best Practices
The Sophos report ends with a nice set of recommended practices.
- Presume that you will be a target. This is akin to the “assume breach” concept I wrote about in my series on Zero Trust security strategies.
- Don’t pay the ransom. Easier said than done. Look at it this way: paying a ransom is the best option only if all your other options stink. So, work on those other options! And you might want to check your cyber insurance policy to see if there are any stipulations about that.
- Make sure your cyber defenses include real people. I take this to mean that cyber defense automation is not yet robust enough to allow “set and forget” policies.
- Make sure you have layered defenses. Duh. See Zero Trust again.
- Have a malware recovery plan. Maybe you can extend your incident response plan to include ransomware attacks. The key point is this: you do not want to be in the middle of a crisis when you begin to create your plan.
The state of ransomware in 2021? Still there, still scary. Have a plan, stick to the plan.