Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2020
12:01 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

To Avoid Disruption, Ransomware Victims Continue to Pay Up

For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.

Ransomware attacks on organizations are likely to continue unabated in the near term if the results of a new survey by Proofpoint are any indication.

The security vendor recently polled 600 IT security professionals from around the world on trends related to phishing and other email-borne threats.

The results showed that 33% — or nearly 200 of the organizations represented in the survey — paid a ransom last year to get their data back after experiencing a ransomware infection. Another 32% reported being infected with ransomware but refusing to accede to attacker demands for payment.

Sixty-nine percent of the organizations that paid a ransom said they got back access to their data and systems after the first payment. But 22% never regained access to their data after paying the demanded ransom, while 7% got hit with additional demands and ended up walking away empty-handed anyway. Two percent were forced to pay more money to regain access to encrypted systems and data.

Proofpoint said it is unclear what the organizations that didn't pay a ransom did to recover access to encrypted systems and data or what disruption they might have endured as a result of their refusal to pay.

Results from the Proofpoint survey are another reminder that for all the cautions against doing so, many ransomware victims are willing to pay off their attackers if it means avoiding the disruption, work, and cost involved in restoring data on their own. A September 2019 Dark Reading survey showed a nearly fourfold increase over 2018 — from 4% to 15% — in ransomware victims that paid to get their data back after an infection.

"We regularly observe that cybercriminals target entities that could be highly motivated to pay a ransom," says Gretel Egan, security awareness training strategist at Proofpoint.

For example, healthcare organizations are a particularly appealing target for ransomware attacks because of the nature of their business, she says. Even those with good data backup systems could be motivated to pay because of the time required to restore ransomware-infected systems. Recent reports have shown how a ransomware attack can force hospitals and medical centers to essentially shut down and turn patients away, Egan says.

"Because of this, a hospital that loses access to critical data and systems may feel it's to their benefit to pay the ransom and get the servers decrypted and functional instead of exhausting traditional remedies, like restoring from backup," she notes.

Going Against Advice
The survey results are likely to dismay many security experts who say that paying ransoms is only going to encourage more attacks. Over the past 18 months or so, threat actors have shifted from mass-volume spray-and-pray attacks on consumers to more targeted and carefully planned ransomware campaigns against businesses, government, and public-sector entities. Municipal entities, in particular, have been targeted heavily.

According to security vendor Kasperksy, there were at least 174 municipal institutions and more than 3,000 affiliated organizations targeted in ransomware attacks in 2019. The average ransom demands in these attacks tended to range from around $1 million to over $5.3 million. Scores of school districts and colleges were also targeted in ransomware attacks last year.

Most victims refused to pay. In July, for example, some 1,400 mayors from around the country committed to not paying a ransom in case they were attacked. Cities and municipalities that refused to pay ended up spending millions of dollars and multiple weeks to recover access to locked up data. The attacks also crippled city services and forced many to resort to manual operation for days. Some victims — like the City of Riviera in Florida — paid their attackers to regain access to locked-up data.

For enterprise organizations, it is not just the volume of ransomware attacks that is a concern, but also their growing sophistication. These days many ransomware attacks are multiphased in nature, with attackers first breaking into a target network and lurking around for some time to identify the most high-value systems before striking. Threat actors are increasingly attacking backup systems, threatening public disclosure of corporate data, and generally making recovery much harder for victims in order to force them to pay.

"We've observed cybercriminals often launching 'quieter' primary infections via targeted emails with banking Trojans, downloaders, etc., that can potentially sit on infected machines for extended periods collecting data," Egan says. In many cases, once a cybercriminal gains a foothold into a corporate network this way, that person then uses the network as a platform to launch incredibly targeted secondary attacks, she says.

For organizations, the trend highlights the need for a more people-centric security focus. "As widespread, critical technical vulnerabilities become increasingly rare and therefore more expensive to acquire and use, cybercriminals have shifted their efforts to target individuals through email" and social engineering, Egan says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4230
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 and 11.5 is vulnerable to an escalation of privilege when an authenticated local attacker with special permissions executes specially crafted Db2 commands. IBM X-Force ID: 175212.
CVE-2019-4429
PUBLISHED: 2020-02-19
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162886.
CVE-2019-4457
PUBLISHED: 2020-02-19
IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and 6.0.6.1 could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 163654.
CVE-2019-4640
PUBLISHED: 2020-02-19
IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.
CVE-2020-4135
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage.