Ransomware Report 2017

Ransomware is widely seen as the biggest cybersecurity threat to both business and government organizations

INTRODUCTION

Ransomware attacks, in which hackers encrypt an organization’s vital data until a ransom is paid, have become a billion dollar cybercrime industry according to the FBI. Ransomware is now widely seen as the single biggest cybersecurity threat to both business and government organizations. In many respects, ransomware is a game changer: It is incredibly easy and inexpensive for criminals to execute global attacks. At the same time, ransomware is extremely profitable as many businesses will simply pay the ransom to get their mission-critical systems and data up and running again. And even if they don’t pay out, the cost of downtime, cleaning up IT systems, and restoring backup data can significantly impact an organization’s bottom line.

KEY SURVEY FINDINGS

  1. Ransomware is the fastest growing security threat, perceived as a moderate or extreme threat by 80% of cybersecurity professionals. 75% of organizations affected by ransomware experienced up to five attacks in the last 12 months alone, and 25% experienced 6 or more attacks. 79% predict ransomware will become a larger threat over the next 12 months. Only a small fraction of respondents say they would pay the ransom or negotiate with the attackers. 59% of organizations are either not confident at all or only slightly to moderately confident in their ransomware defense.
  2. Email and web use represent the most common ransomware infection vectors with employees opening malicious email attachments (73%), responding to a phishing email (54%) or visiting a compromised website (28%). The information most at risk from ransomware attacks is financial data (62%) followed by customer information (61%). From a solution perspective, the majority of identified ransomware attacks were detected through endpoint security tools (83%), email and web gateways (64%), and intrusion detection systems (46%).
  3. Security professionals rank user awareness training as the most effective tactic to prevent and block ransomware (77%), followed by endpoint security solutions (73%) and patching of operating systems (72%) as preventive approaches to ransomware threats. Data backup and recovery (74%) is by far the most effective solution to respond to a successful ransomware attack. 96% of respondents confirm they have a data backup and recovery strategy in place.
  4. A majority of 54% say they could recover from a successful ransomware attack within a day, while 39% estimate it will take more than one day to a few weeks to recover. Speed of recovery is absolutely mission-critical, as business cost escalates with every hour the business cannot fully operate, causing system downtime (41%) and productivity loss (39%).
  5. Today’s main obstacles to stronger ransomware defense are all about resources and staying current on the latest ransomware exploits: lack of budget (52%), dealing with evolving sophistication of attacks (42%), and lack of human resources (33%). The silver lining: 60% of organizations expect their budget for ransomware security to increase.

RANSOMWARE THREAT

Ransomware is one of the fastest growing security threats affecting organizations of all sizes, from SMBs to large enterprises and government agencies. IT and cybersecurity professionals are quickly recognizing ransomware attacks as a significant threat. Eighty percent of respondents perceive ransomware either as an extreme threat (38%) or moderate threat (42%). Very few respondents (5%) see ransomware as no threat at all.

[Figure: Ransomware threat]

The number of ransomware-related news headlines continues to grow, increasing awareness of ransomware attacks. A significant majority (79%) of IT security professionals predict ransomware will become a larger threat. 78% expect an increase in attack frequency over the next 12 months.

Looking ahead, we surveyed organizations regarding their outlook as a future target of ransomware. Nearly half of the respondents (44%) assess their probability as a target as very or extremely likely. Twenty-seven percent say an attack is moderately likely.

The survey reveals cybersecurity professionals perceive organized cybercriminals (69%), non-organized opportunistic hackers (58%) and state sponsored hackers (28%) as the top three culprits behind ransomware attacks.

Ransomware has quickly emerged as a lucrative venture for cybercriminals. New ransomware delivery platforms and authoring tools are spurring an increase in ransomware variants and their sophistication. The most notable ransomware strains recognized by security professionals are WannaCry (83%), CryptoLocker (77%) and Petya (67%). However, it is important to note that lesser known ransomware strains should not be dismissed as less powerful, as the results can be just as damaging to any organization.

Financial gain (86%) tops the list of motivators for ransomware attacks, followed by a desire to sabotage and disrupt business activities (58%). But while money extortion is the most common motivation for cybercriminals, in some cases attackers are motivated by personal revenge (8%), political beliefs (17%), hacking for fun (25%) and state-sponsored attacks (29%).

[Figure: Ransomware: what motivates attackers]

RANSOMWARE ATTACKS AND IMPACT

A third of organizations surveyed (33%) said they experienced ransomware attacks. Sixty-seven percent of respondents have not been affected by ransomware yet or aren’t aware of a previous or ongoing attack.

There is a wide array of ransomware types and new variants are created every day within each category. The organizations affected by ransomware overwhelmingly confirm that they encountered encrypting ransomware (or cryptoware that encrypts files and makes them inaccessible) as the top offender at 88%.

Email and web use represent the most common infection methods used to gain organizational access. It is only a matter of time until an employee opens a malicious email attachment (73%), answers a phishing email (54%) or visits a compromised website (28%).

Data has become a strategic asset to every organization and equally a high value target for cybercriminals. Our research reveals that the information most at risk from ransomware attacks is financial data (62%), followed by customer information (61%). More than half of the respondents said both employee information (51%) and company IP (50%) were also at significant risk.

Ransomware is changing the threat landscape and how organizations are impacted at the business level as well as from an IT security policy and control perspective. On the business side, ransomware attacks mostly caused system downtime (41%) and productivity loss (39%), i.e., the exact effect intended by cybercriminals to cause maximum pain and extort money. At the IT governance level, ransomware attacks caused cybersecurity professionals to update IT security strategy to focus on mitigation (49%) and to increase spending on IT security (41%).

In the past 12 months, the variety and frequency of ransomware incidents directed at organizations have increased dramatically. Of those who experienced ransomware attacks, 75% experienced up to five attacks, while the remaining quarter of organizations experienced 6 or more attacks.

[Figure: Ransomware: how it enters organizations]

RANSOMWARE READINESS

We asked cybersecurity professionals to assess their organization’s capacity to detect and block ransomware attacks before they spread to critical IT systems across the organization. Only 12% are extremely confident in their organization’s abilities – perhaps overly so given the success rate of innovative ransomware variants. Twenty-eight percent are very confident. Compared to their highly confident peers, a majority of 51% are only slightly to moderately confident of their organization’s ransomware defense. An alarming 8% is not confident at all.

Four out of ten organizations do not have an incident response team in place to respond to a ransomware attack. The good news is that organizations realize prevention and awareness are critical pieces of an effective, multi-layer defense against ransomware, and the majority (72%) have already implemented an employee awareness and security training program.

There are numerous security tools available to help cybersecurity professionals identify and monitor cyber threats. The vast majority of identified ransomware attacks were detected through anti-malware/antivirus/endpoint security tools (83%), email and web gateways (64%), and intrusion detection systems (46%). Unfortunately, many ransomware attacks succeed in evading detection.

While the time it takes organizations to detect ransomware varies, for ransomware attacks identified in their early stages, most attacks are typically detected within hours (61%). Nearly one quarter of organizations claimed detection is near real time (24%), while 21% say they detect ransomware within minutes of an attack. The rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data.

RANSOMWARE ATTACK RESPONSE & COST

We asked cybersecurity professionals to assess their organization’s capacity to remediate a ransomware attack in progress that has already encrypted files and spread to critical IT systems across the organization. Only 16% are extremely confident in their organization’s abilities to unlock or restore affected files and systems. Twenty-eight percent are very confident. Confidence appears to correlate with the presence and maturity of incident response teams in the organization. Compared to their highly confident peers, 42% are only slightly to moderately confident of their organization’s ransomware cleanup ability. An alarming 14% is not confident at all.

A majority of 54% say they could recover from a ransomware attack within a day, while 39% estimate it will take more than one day to a few weeks to recover. Only 7% of the organizations believe they will never fully recover. Speed of recovery is absolutely mission-critical as business cost escalates with every hour the business cannot fully operate.

Following a ransomware attack, cybersecurity professionals can deploy a number of defensive responses. The single most common response (81%) is a sequence of identifying the ransomware strain attacking the organization, containing the damage by isolating and shutting down all infected systems and accounts, eradicating the malware, and finally recovering from backup files.

More than three-quarters of respondents say their organization is not at all likely to pay the ransom in order to recover their data (77%). The position of refusal to pay is admittedly somewhat theoretical, as it is much harder to take a principled stand when the survival of a business and jobs are on the line (or when no viable backup is available). Only a small minority confirm they are willing to pay some ransom (3% of companies have already set up a Bitcoin account in preparation).

RANSOMWARE DEFENSE & BUDGET

There is a myriad of cybersecurity tools and policy controls available to combat ransomware early on. Security professionals rank user awareness and training as the most effective means to prevent and block ransomware (77%). The survey indicates that both anti-malware/antivirus/endpoint security solutions (73%) and updating/patching operating systems and software (72%) were highly effective as preventive approaches to ransomware threats. Successful ransomware prevention relies on a blend of security controls and effective user training.

[Figure: Ransomware budget]

Cybersecurity professionals view data backup and recovery (74%) by far as the most effective solution to respond to a successful ransomware attack. A whopping 96% confirm they have a data backup and recovery strategy in place. This way, organizations can recover their backups and restore data without having to pay cybercriminals.

To stay ahead of evolving security threats, organizations employ a multi-layered security approach, including strong endpoint security. When asked about the most effective endpoint security capabilities to protect against ransomware, most respondents agree that blocking ransomware attacks at pre-execution (60%), and detecting and blocking traffic at the first sign of malicious behavior (59%) rank as the most valuable endpoint security capabilities. This is followed by technologies that do not rely on signatures but can detect ransomware based on behavior (49%).

The three biggest obstacles standing in the way of stronger ransomware defense are all about resources and staying current on the latest ransomware exploits: lack of budget (52%), dealing with evolving sophistication of attacks (42%), and lack of human resources (33%).

Choosing the right security provider is an investment decision that will significantly affect the security posture of your organization. The primary factor that respondents consider when choosing a solution is strength of protection (71%), followed by support (61%) and cost (55%). Availability of next-gen security features (51%) and integration with other apps (50%) round out the top five selection criteria.

Sixty percent of organizations expect their budget for ransomware security to increase over the next 12 months. That is the strongest budget increase intent we have seen in years of cybersecurity research – likely driven by the dramatic rise in ransomware attacks and their devastating impact. Thirty-six percent do not expect a change in their budget, while the remaining 4% foresee a decrease in their ransomware security funding.

EMAIL SECURITY

Cybercriminals use email as a common entry vector to gain access into organizations; it is a popular medium for the spread of spam, phishing attacks and ransomware. The top two challenges facing Security Operation Centers against evolving email threats are detection time (67%) and mitigation time (50%).

Phishing attacks trick employees into sharing sensitive company information by posing as legitimate businesses or trusted contacts; the emails often carry malware in attachments or hyperlinks to compromised websites. Security professionals confirmed that their employees are most often victims of spoofing and impersonation (67%), followed by branded (35%) and seasonal attacks (31%). This clearly shows the need for better detection and InMail tools to help employees spot spoofing and impersonation attacks.

Remediation of attacks is one of the biggest security challenges. An alarming 46% of organizations say it takes a day or longer to remove a phishing email from endpoints once a phishing attack has been reported to the SOC/security team.

[Figure: Ransomware email threat challenges]

We asked security practitioners what they consider the most effective email security technologies to help thwart email threats. They prioritize automated inbox scanning and email forensics (72%) over automated incident response (45%), followed by anti-impersonation with InMail banner alerts (36%) and global human-verified phishing intelligence (35%).

Ninety-three percent of respondents agree that humans and technology need to work side by side in order to better detect and respond to sophisticated email phishing attacks.

Ransomware typically spreads via spam or phishing emails, but also through websites or drive-by downloads, to infect an endpoint and penetrate the network. Once in place, the ransomware then locks all files it can access using strong encryption. Finally, the malware demands a ransom (typically payable in Bitcoins) to decrypt the files and restore full operations to the affected IT systems.

HOW TO PROTECT AGAINST RANSOMWARE

  1. SEGREGATE NETWORKS and turn off network shares to minimize the spread of a ransomware infection
  2. TURN OFF ADMIN RIGHTS for users who don’t require them and apply least privilege policies
  3. RESTRICT WRITE PERMISSIONS on file servers as much as possible
  4. EDUCATE YOUR USERS on the most common phishing and ransomware email patterns and how to respond
  5. MAKE FREQUENT, COMPREHENSIVE BACKUPS of critical files and keep them offline
  6. PROTECT EMAIL AND WEB ACCESS with email and web security gateways with advanced threat protection capabilities
  7. DEPLOY SOPHISTICATED ENDPOINT SECURITY with behavioral and intelligent monitoring of suspicious patterns
  8. PATCH EARLY AND OFTEN to close known vulnerabilities in operating systems, browsers, and web plugins
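Item 7 above calls for behavioral monitoring of suspicious patterns, and the earlier section on readiness stresses that detection within minutes matters more than anything once an infection starts. The following is an added example, not code from the report or from any product it surveys: a small Python heuristic that flags a process which rewrites many distinct files with high-entropy (encrypted-looking) content inside a short time window, run over constructed file-system audit events. The event schema, process names, file paths and the thresholds are assumptions made for this illustration; a real deployment would feed events from an EDR or file-audit source and tune the thresholds to its own environment.

```python
"""Behavioral mass-encryption heuristic over constructed file-system audit events.

Added example for illustration; the event schema and all sample data below are
assumptions, not the format of any real endpoint product.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One file-write audit record (assumed schema)."""
    ts: float       # seconds since start of capture
    pid: int
    process: str
    path: str       # path after the write
    sample: bytes   # first bytes of the content written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_mass_encryption(events: Iterable[FileEvent], window: float = 10.0,
                           min_files: int = 5, entropy_threshold: float = 7.0
                           ) -> List[Tuple[str, int, int]]:
    """Return (process, pid, file_count) for each process that wrote high-entropy
    content to at least `min_files` distinct files within any `window` seconds.

    One alert per process: the point is to trigger isolation early, not to count
    every encrypted file.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        start = 0
        for end, ev in enumerate(evs):
            # slide the window so evs[start:end+1] spans at most `window` seconds
            while ev.ts - evs[start].ts > window:
                start += 1
            suspicious = {e.path for e in evs[start:end + 1]
                          if shannon_entropy(e.sample) >= entropy_threshold}
            if len(suspicious) >= min_files:
                alerts.append((ev.process, pid, len(suspicious)))
                break
    return alerts


# Constructed sample data (not captured from a real system).
ENCRYPTED_LIKE = bytes(range(256))   # entropy exactly 8.0, stands in for ciphertext
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 6

SAMPLE_EVENTS = [
    # a word processor saving one ordinary document
    FileEvent(0.0, 101, "winword.exe", r"C:\Users\a\Documents\q3.docx", PLAINTEXT),
    # a backup job writing compressed (high-entropy) chunks, but only one a minute
    *[FileEvent(60.0 * i, 202, "backup.exe", rf"D:\backup\chunk{i}.zst", ENCRYPTED_LIKE)
      for i in range(8)],
    # a hypothetical ransomware-like process rewriting a dozen documents in ~4 seconds
    *[FileEvent(100.0 + 0.3 * i, 303, "unknown_updater.exe",
                rf"C:\Users\a\Documents\file{i}.xlsx.locked", ENCRYPTED_LIKE)
      for i in range(12)],
]


if __name__ == "__main__":
    for process, pid, count in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT: {process} (pid {pid}) rewrote {count} files with encrypted-looking content")
```

The backup job is the deliberate false-positive case: its writes are just as high-entropy as ciphertext, but they are spread out, so the rate component of the rule keeps it quiet. Combining content entropy with write rate per process is what separates a mass-encryption pattern from legitimate compression or encryption tools; the numbers used here (10-second window, five files, 7.0 bits per byte) are starting points to be tuned, not recommendations from the report.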

GOT AN ACTIVE RANSOMWARE INFECTION?

  • ISOLATE AND SHUT DOWN NETWORKS AND SYSTEMS in the event of an active ransomware infection to prevent further spread
  • IDENTIFY AND ERADICATE THE RANSOMWARE and follow best practices for dealing with this specific strain, including deploying ransomware removal tools or hiring experts
  • WIPE INFECTED MACHINES AND RESTORE FROM BACKUPS to make sure no ransomware remnants remain hidden in your system
  • POST MORTEM ANALYSIS AND MONITORING to understand the anatomy of the attack and prevent similar attacks from occurring again