80% of ransomware victims hit by repeat attacks, a new report reveals

by | July 13, 2021 | Cybersecurity News

They say lightning never strikes twice in the same place. Still, new research from Cybereason begs to differ, as organizations that pay ransoms were found to incur an alarmingly high probability of a second attack.

Ransomware victims suffer repeat attacks

The true cost of ransomware attacks on businesses

Ransomware attacks can be very costly. For instance, the world’s largest meat processing company, JBS, paid a ransom worth $11 million after it was forced to shut down operations at 13 of its meat processing plants.

JBS had to shut down operations after a massive ransomware attack

Cybersecurity technology company Cybereason assessed the troubling impact ransomware has had on its victims in a survey of 1,263 professionals from the U.S., U.K., Spain, Germany, France, United Arab Emirates, and Singapore. The most concerning discovery was that an alarming 80% of organizations that did pay the ransom fell victim to a second attack.

Almost half of the targeted organizations thought the second cyberattack was orchestrated by the same perpetrators as the first one, while 34% believed different offenders had carried it out.

To make things even worse, it seems payment does not even guarantee operations can resume their course. Of the survey respondents, 46% regained access to their data, but often the data was corrupted. 25% of victims were forced to shut down their organization.

Cybereason’s report shows troubling data regarding the ever-growing threat of repeat attacks. Cybereason co-founder Yonatan Striem-Amit said that the 80% figure was not surprising, although higher than expected. He explained that when companies agree to pay the ransom, they may resolve the problem in the short run, but they are also letting cybercriminals know they are willing to pay large amounts of money if attacked.

Striem-Amit also said that attackers had improved their strategies to identify potential targets. They are organized in larger ransomware groups specializing in attacking big multinational companies using targeted intrusion methods, also known as big game hunting. The threat is so present that the White House had to issue a ransomware directive for businesses.

“When victims are paying, they’re putting [up] a sign to attackers: We’re open for business. The criminals then attack these victims again before they have a chance to ramp up their security practices.”

Yonatan Striem-Amit, Cybereason co-founder

Potential causes of repeat attacks

Cybereason was not the only cybersecurity company to monitor the tendency of repeat attacks on organizations. Mandiant Incident Response director Nick Pelletier stated that the company had been observing companies targeted by the same threat actor. Often, the attackers’ subsequent attempt at soliciting ransom payment was not successful. In this case, Mandiant observed that the threat actor made their tactics more aggressive by resorting to extortion using data theft and exposure.

“In this way, repeated targeting of the same organization helps accomplish the threat actor’s mission by increasing leverage. Furthermore, it’s disingenuous to frame repeated targeting as a mistake or lack of preparedness of the victim, as it’s more akin to a sustained attack without the luxury of time to investigate, remediate and increase resiliency, as opposed to multiple, distinct attacks.”

Nick Pelletier, Incident Response director at Mandiant

In addition, the principal analyst at Omdia, Eric Parizo, said that the margin of error for incident response investigations and recovery is thin.

“Because every incident is unique, even if you have trained staff, good technology and sound processes supporting your IR effort, things can still go wrong if you don’t discover the event fast enough, identify all the affected places and take the right actions to mitigate it,” Parizo wrote in an email to SearchSecurity.

Eric Parizo, Analyst at Omdia

Recovery costs after a ransomware attack

The study conducted by Cybereason also asked the ransomware victims what measures and policies they had established in their companies to protect their network from cyberthreats. The top five responses included security awareness training, security operations center, endpoint protection, data backup and recovery, and email scanning.

“Unfortunately, it’s not a pick one [approach] and only do that. If you build your entire security program around awareness, this will not succeed. But doing all these things together [is] very effective — deploying the right solutions, training the team and best practices will help. The businesses have to have a willingness to act.”

Yonatan Striem-Amit, Cybereason co-founder

Cybereason also stated that insurance does not cover the whole damage of a ransomware attack in many cases. 42% of respondents said that their insurance covered the costs only partially. The attacks also affected the brands’ image and caused layoffs and disruptions.

Source: Cybereason

According to Cybereason, even if the bigger picture suggests that ransomware attacks are decreasing this year, they are also becoming more complex. This can only mean that companies need to be very prepared.

“Focusing on hygiene, the right technologies [and] dropping away from antiquated to modern practices is dramatically cheaper than the overwhelming damage that will happen to you if you’re hit by a ransomware attack. Ransomware attacks these days are modern, sophisticated, and really go after everybody. Take it seriously now.”

Yonatan Striem-Amit, Cybereason co-founder


SearchSecurity searchsecurity.techtarget.com/Repeat-ransomware-attacks-hit-80-of-victims-who-paid-ransoms


Photo by Michael Geiger on Unsplash

by Diana Panduru
