Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2020
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

To Avoid Disruption, Ransomware Victims Continue to Pay Up

For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Ransomware attacks on organizations are likely to continue unabated in the near term if the results of a new survey by Proofpoint are any indication.

The security vendor recently polled 600 IT security professionals from around the world on trends related to phishing and other email-borne threats.

The results showed that 33% — or nearly 200 of the organizations represented in the survey — paid a ransom last year to get their data back after experiencing a ransomware infection. Another 32% reported being infected with ransomware but refusing to accede to attacker demands for payment.

Sixty-nine percent of the organizations that paid a ransom said they got back access to their data and systems after the first payment. But 22% never regained access to their data after paying the demanded ransom, while 7% got hit with additional demands and ended up walking away empty-handed anyway. Two percent were forced to pay more money to regain access to encrypted systems and data.

Proofpoint said it is unclear what the organizations that didn't pay a ransom did to recover access to encrypted systems and data or what disruption they might have endured as a result of their refusal to pay.

Results from the Proofpoint survey are another reminder that for all the cautions against doing so, many ransomware victims are willing to pay off their attackers if it means avoiding the disruption, work, and cost involved in restoring data on their own. A September 2019 Dark Reading survey showed a nearly fourfold increase over 2018 — from 4% to 15% — in ransomware victims that paid to get their data back after an infection.

"We regularly observe that cybercriminals target entities that could be highly motivated to pay a ransom," says Gretel Egan, security awareness training strategist at Proofpoint.

For example, healthcare organizations are a particularly appealing target for ransomware attacks because of the nature of their business, she says. Even those with good data backup systems could be motivated to pay because of the time required to restore ransomware-infected systems. Recent reports have shown how a ransomware attack can force hospitals and medical centers to essentially shut down and turn patients away, Egan says.

"Because of this, a hospital that loses access to critical data and systems may feel it's to their benefit to pay the ransom and get the servers decrypted and functional instead of exhausting traditional remedies, like restoring from backup," she notes.

Going Against Advice
The survey results are likely to dismay many security experts who say that paying ransoms is only going to encourage more attacks. Over the past 18 months or so, threat actors have shifted from mass-volume spray-and-pray attacks on consumers to more targeted and carefully planned ransomware campaigns against businesses, government, and public-sector entities. Municipal entities, in particular, have been targeted heavily.

According to security vendor Kasperksy, there were at least 174 municipal institutions and more than 3,000 affiliated organizations targeted in ransomware attacks in 2019. The average ransom demands in these attacks tended to range from around $1 million to over $5.3 million. Scores of school districts and colleges were also targeted in ransomware attacks last year.

Most victims refused to pay. In July, for example, some 1,400 mayors from around the country committed to not paying a ransom in case they were attacked. Cities and municipalities that refused to pay ended up spending millions of dollars and multiple weeks to recover access to locked up data. The attacks also crippled city services and forced many to resort to manual operation for days. Some victims — like the City of Riviera in Florida — paid their attackers to regain access to locked-up data.

For enterprise organizations, it is not just the volume of ransomware attacks that is a concern, but also their growing sophistication. These days many ransomware attacks are multiphased in nature, with attackers first breaking into a target network and lurking around for some time to identify the most high-value systems before striking. Threat actors are increasingly attacking backup systems, threatening public disclosure of corporate data, and generally making recovery much harder for victims in order to force them to pay.

"We've observed cybercriminals often launching 'quieter' primary infections via targeted emails with banking Trojans, downloaders, etc., that can potentially sit on infected machines for extended periods collecting data," Egan says. In many cases, once a cybercriminal gains a foothold into a corporate network this way, that person then uses the network as a platform to launch incredibly targeted secondary attacks, she says.

For organizations, the trend highlights the need for a more people-centric security focus. "As widespread, critical technical vulnerabilities become increasingly rare and therefore more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email" and social engineering, Egan says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25159
PUBLISHED: 2020-11-24
499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
CVE-2020-25654
PUBLISHED: 2020-11-24
An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went throu...
CVE-2020-28329
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
CVE-2020-29053
PUBLISHED: 2020-11-24
HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.
CVE-2020-25640
PUBLISHED: 2020-11-24
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.