Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2020
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

To Avoid Disruption, Ransomware Victims Continue to Pay Up

For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Ransomware attacks on organizations are likely to continue unabated in the near term if the results of a new survey by Proofpoint are any indication.

The security vendor recently polled 600 IT security professionals from around the world on trends related to phishing and other email-borne threats.

The results showed that 33% — or nearly 200 of the organizations represented in the survey — paid a ransom last year to get their data back after experiencing a ransomware infection. Another 32% reported being infected with ransomware but refusing to accede to attacker demands for payment.

Sixty-nine percent of the organizations that paid a ransom said they got back access to their data and systems after the first payment. But 22% never regained access to their data after paying the demanded ransom, while 7% got hit with additional demands and ended up walking away empty-handed anyway. Two percent were forced to pay more money to regain access to encrypted systems and data.

Proofpoint said it is unclear what the organizations that didn't pay a ransom did to recover access to encrypted systems and data or what disruption they might have endured as a result of their refusal to pay.

Results from the Proofpoint survey are another reminder that for all the cautions against doing so, many ransomware victims are willing to pay off their attackers if it means avoiding the disruption, work, and cost involved in restoring data on their own. A September 2019 Dark Reading survey showed a nearly fourfold increase over 2018 — from 4% to 15% — in ransomware victims that paid to get their data back after an infection.

"We regularly observe that cybercriminals target entities that could be highly motivated to pay a ransom," says Gretel Egan, security awareness training strategist at Proofpoint.

For example, healthcare organizations are a particularly appealing target for ransomware attacks because of the nature of their business, she says. Even those with good data backup systems could be motivated to pay because of the time required to restore ransomware-infected systems. Recent reports have shown how a ransomware attack can force hospitals and medical centers to essentially shut down and turn patients away, Egan says.

"Because of this, a hospital that loses access to critical data and systems may feel it's to their benefit to pay the ransom and get the servers decrypted and functional instead of exhausting traditional remedies, like restoring from backup," she notes.

Going Against Advice
The survey results are likely to dismay many security experts who say that paying ransoms is only going to encourage more attacks. Over the past 18 months or so, threat actors have shifted from mass-volume spray-and-pray attacks on consumers to more targeted and carefully planned ransomware campaigns against businesses, government, and public-sector entities. Municipal entities, in particular, have been targeted heavily.

According to security vendor Kasperksy, there were at least 174 municipal institutions and more than 3,000 affiliated organizations targeted in ransomware attacks in 2019. The average ransom demands in these attacks tended to range from around $1 million to over $5.3 million. Scores of school districts and colleges were also targeted in ransomware attacks last year.

Most victims refused to pay. In July, for example, some 1,400 mayors from around the country committed to not paying a ransom in case they were attacked. Cities and municipalities that refused to pay ended up spending millions of dollars and multiple weeks to recover access to locked up data. The attacks also crippled city services and forced many to resort to manual operation for days. Some victims — like the City of Riviera in Florida — paid their attackers to regain access to locked-up data.

For enterprise organizations, it is not just the volume of ransomware attacks that is a concern, but also their growing sophistication. These days many ransomware attacks are multiphased in nature, with attackers first breaking into a target network and lurking around for some time to identify the most high-value systems before striking. Threat actors are increasingly attacking backup systems, threatening public disclosure of corporate data, and generally making recovery much harder for victims in order to force them to pay.

"We've observed cybercriminals often launching 'quieter' primary infections via targeted emails with banking Trojans, downloaders, etc., that can potentially sit on infected machines for extended periods collecting data," Egan says. In many cases, once a cybercriminal gains a foothold into a corporate network this way, that person then uses the network as a platform to launch incredibly targeted secondary attacks, she says.

For organizations, the trend highlights the need for a more people-centric security focus. "As widespread, critical technical vulnerabilities become increasingly rare and therefore more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email" and social engineering, Egan says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.