Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2020
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

To Avoid Disruption, Ransomware Victims Continue to Pay Up

For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Ransomware attacks on organizations are likely to continue unabated in the near term if the results of a new survey by Proofpoint are any indication.

The security vendor recently polled 600 IT security professionals from around the world on trends related to phishing and other email-borne threats.

The results showed that 33% — or nearly 200 of the organizations represented in the survey — paid a ransom last year to get their data back after experiencing a ransomware infection. Another 32% reported being infected with ransomware but refusing to accede to attacker demands for payment.

Sixty-nine percent of the organizations that paid a ransom said they got back access to their data and systems after the first payment. But 22% never regained access to their data after paying the demanded ransom, while 7% got hit with additional demands and ended up walking away empty-handed anyway. Two percent were forced to pay more money to regain access to encrypted systems and data.

Proofpoint said it is unclear what the organizations that didn't pay a ransom did to recover access to encrypted systems and data or what disruption they might have endured as a result of their refusal to pay.

Results from the Proofpoint survey are another reminder that for all the cautions against doing so, many ransomware victims are willing to pay off their attackers if it means avoiding the disruption, work, and cost involved in restoring data on their own. A September 2019 Dark Reading survey showed a nearly fourfold increase over 2018 — from 4% to 15% — in ransomware victims that paid to get their data back after an infection.

"We regularly observe that cybercriminals target entities that could be highly motivated to pay a ransom," says Gretel Egan, security awareness training strategist at Proofpoint.

For example, healthcare organizations are a particularly appealing target for ransomware attacks because of the nature of their business, she says. Even those with good data backup systems could be motivated to pay because of the time required to restore ransomware-infected systems. Recent reports have shown how a ransomware attack can force hospitals and medical centers to essentially shut down and turn patients away, Egan says.

"Because of this, a hospital that loses access to critical data and systems may feel it's to their benefit to pay the ransom and get the servers decrypted and functional instead of exhausting traditional remedies, like restoring from backup," she notes.

Going Against Advice
The survey results are likely to dismay many security experts who say that paying ransoms is only going to encourage more attacks. Over the past 18 months or so, threat actors have shifted from mass-volume spray-and-pray attacks on consumers to more targeted and carefully planned ransomware campaigns against businesses, government, and public-sector entities. Municipal entities, in particular, have been targeted heavily.

According to security vendor Kasperksy, there were at least 174 municipal institutions and more than 3,000 affiliated organizations targeted in ransomware attacks in 2019. The average ransom demands in these attacks tended to range from around $1 million to over $5.3 million. Scores of school districts and colleges were also targeted in ransomware attacks last year.

Most victims refused to pay. In July, for example, some 1,400 mayors from around the country committed to not paying a ransom in case they were attacked. Cities and municipalities that refused to pay ended up spending millions of dollars and multiple weeks to recover access to locked up data. The attacks also crippled city services and forced many to resort to manual operation for days. Some victims — like the City of Riviera in Florida — paid their attackers to regain access to locked-up data.

For enterprise organizations, it is not just the volume of ransomware attacks that is a concern, but also their growing sophistication. These days many ransomware attacks are multiphased in nature, with attackers first breaking into a target network and lurking around for some time to identify the most high-value systems before striking. Threat actors are increasingly attacking backup systems, threatening public disclosure of corporate data, and generally making recovery much harder for victims in order to force them to pay.

"We've observed cybercriminals often launching 'quieter' primary infections via targeted emails with banking Trojans, downloaders, etc., that can potentially sit on infected machines for extended periods collecting data," Egan says. In many cases, once a cybercriminal gains a foothold into a corporate network this way, that person then uses the network as a platform to launch incredibly targeted secondary attacks, she says.

For organizations, the trend highlights the need for a more people-centric security focus. "As widespread, critical technical vulnerabilities become increasingly rare and therefore more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email" and social engineering, Egan says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.