Are we winning the fight against ransomware?
Ransomware first rose to dominance as cybercriminals’ main weapon of choice way back in 2020. Since then, it has been top of the global security agenda, plaguing businesses, public services and individuals alike. Organisations have had to quickly pivot their cybersecurity, data protection and disaster recovery strategies to adjust to this new pandemic. But is it making a difference? Ransomware and cyber resilience remains the number one priority for most security teams three years on, and the endless headlines of high-profile ransomware victims keep on coming. Is the end in sight? What’s changed since 2020, and what still needs to happen to close the ransomware loop for good?
Answering that first big question is not simple. For example, data suggests that in 2022 the global number of ransomware attacks dropped significantly (having doubled in 2021) and analysis from blockchain company Chainalysis reports that the total value of ransomware payments paid in 2022 also dropped significantly - both positive signs that globally ransomware is slowing down.
However, the Veeam Data Protection Trends Report 2023 and Ransomware Trends Report 2023, both large-scale surveys of unbiased organisations across EMEA, the Americas and APJ, paint a different picture. The former found that 85% of organisations suffered at least one cyber-attack over the last year (an 9 % increase from the previous year) and the ransomware report, which exclusively surveyed businesses that had suffered an attack, found that a shocking 80% of companies had paid a ransom to recover data. Other industry surveys typically show similar findings, so why is there a disconnect between total global numbers and what the majority of individual companies are saying?
While targeted surveys can give us a valuable temperature check of a certain region or industry, total global numbers are tricky. Naturally, sheer scale is a factor but when it comes to ransomware, there can be reluctance to admit to having suffered a data breach and some insurance policies outright prevent companies from doing so. Tracking crypto payments is not an exact science either, as many addresses will not have been identified on the blockchain and thus will be absent from global data. In certain regions like EMEA, we are seeing more openness to share when it comes to ransomware, as leaders recognise that collaboration and information-sharing can help move the security industry forward and build jointly greater resiliency.
So, amongst all this grey, what has changed for definite? Naturally, threats are constantly evolving and becoming more sophisticated. But this is a fundamental of cybersecurity - protection and resilience efforts that improve alongside this and the cat-and-mouse game goes on and on. With ransomware specifically, we’ve seen attitudes to paying demands continue to swing back and forth. Two years ago, one of the largest ever ransomware payments was paid simply to “prevent any potential risk.” Since then, education on just how unreliable, unethical, and untimely this is as a strategy was improved across the industry but two further flies in the ointment have arrived which have made kicking ransomware payments for good far more difficult.
One is cyber insurance. This is a field that has changed drastically since the rise of ransomware, and it remains highly volatile to this day. Cyber insurance is not a bad thing, of course, it gives businesses financial resilience against a near-certain threat. However, it has also given organisations a means of paying ransomware demands. The Veeam Ransomware Trends Report 2023 found that 77% of respondents who paid demands did so with insurance money. Premiums continuing to rise may eventually halt this, as will a growing number of policies specifically excluding ransomware from their cover.
Perhaps the bigger factor, and the reason why companies feel they have no choice but to pay ransoms in the first place, is attacks increasingly targeting backup repositories. Recent reports revealed that cyber villains were able to affect the backup repositories in three out of four attacks. If businesses don’t have other offsite copies of this data or simply aren’t in a position to recover fast enough it can be tempting for the board to opt to give in to demands. While senior leadership of course want to do the right thing from a security perspective, ultimately their top priority is to keep the business running.
What still needs to be done?
What needs to change to tip the balance of the ransomware struggle and for us to start seeing attacks and payments go down for good? It still comes down to education and preparedness - particularly for those outside of the security and backup teams. This includes busting myths about what happens leading up to and after a ransomware attack. For example, encryption doesn’t happen as soon as an employee clicks a malicious phishing link - it can be months or even a year between breaching a system and locking data and declaring a ransom. Likewise, decryption doesn’t happen as soon as a ransom is paid either, ignoring the fact that roughly a quarter of businesses pay a ransom yet remain unable to recover their data, even the best-case scenario can be incredibly slow to decrypt and recover. This part of the business model as most offer the option to buy more decryption keys on top of the ransom cost to speed up the process!
Understanding the beast is the first step in being prepared to respond to it. A ransomware recovery plan should have three stages:
- Preparation - Planning recovery, ensuring you have reliable backups (following at least the 3-2-1 rule), having a disaster recovery location set up and ready to go, and ramping up training and exercise to ensure the business and organization are prepared.
- Response - Following a pre-defined and tested incident response process, locating and containing the breach, and scanning backups to ensure they are uncontaminated.
- Recover - Recovering the environment without reintroducing the malware or cyber infected data into the production environment during restoration and getting the business back up and running.
To conclude, while there might be a degree of uncertainty about the status of the global struggle against ransomware, what isn’t in doubt is that ransomware attacks remain an inevitability for most businesses. This doesn’t mean there’s no hope against these cyber criminals however, it's important to understand that if companies are prepared and design their recovery well, they can reach a point of 100% resilience against ransomware. That doesn’t mean there will be no business impact from such attacks, but it means you can recover quickly and say “no” to ransomware demands.