Ransomware payments to cybercriminals could soon become the rule rather than the exception, according to new research from Proofpoint.
Proofpoint's sixth annual "State of the Phish" report, released Thursday, surveyed 600 working infosec professionals across seven countries: the U.S., Australia, France, Japan, the U.K., Spain and Germany. The report showed that 33% of global organizations infected with ransomware in 2019 opted to pay the ransom. In the U.S. alone, 51% of organizations that experienced a ransomware attack decided to pay the ransom, which was the highest percentage among the seven countries surveyed.
Gretel Egan, security awareness and training strategist at Proofpoint, said she wasn't surprised that a third of survey respondents had made ransomware payments after being attacked. While law enforcement agencies and infosec vendors have consistently urged victims not to pay ransoms, she said she understood "the lure" such payments represent, especially for healthcare or critical infrastructure organizations.
"Often you see a hospital or a medical center having to completely shut down and turn patients away because life-saving services are not available," she said. "Those organizations, in that moment, can look at a $20,000 ransom [demand] and say 'I can be completely back online and running my business again very quickly' as opposed to going through a relatively lengthy process even if they're restoring from backups, which can take weeks to be fully operational again."
Egan said that even when organizations do make ransomware payments, there are no guarantees. According to the 2020 State of the Phish report, among the organizations that opted to pay the ransom, 22% never regained access to their data and 9% were hit with additional ransomware attacks. Because this was the first time Proofpoint asked survey respondents about ransomware payments, the vendor couldn't say whether the numbers represented an increase or decrease from 2018.
However, Egan said Proofpoint observed another concerning trend with ransomware attacks where threat actors exfiltrate organizations' data before encrypting and then threaten to shame victims by making sensitive data public. "They'll say 'I'm going to share your information because you're not going to pay me.' It's almost like doubling down on the blackmail," Egan said. "I tell people there is no low that's too low for [cybercriminals]."
Refusal to pay ransoms did not deter threat actors, as 2019 saw a resurgence of ransomware attacks, according to Proofpoint's report. Last year's State of the Phish report showed that just 10% of organizations experienced a ransomware attack in 2018, as opposed to a whopping 65% in 2019.
"2018 was such a down year for ransomware in general, but it came storming back in 2019," Egan said.
In addition to the survey, Proofpoint also analyzed more than 9 million suspicious emails reported by customers and an additional 50 million simulated phishing attacks sent by the vendor. Egan said the data showed phishing emails aren't as big a threat vector for ransomware attacks as in the past, which indicates cybercriminals are changing their strategies.
"We're not seeing as many ransomware payloads delivered via e-mail," she said. "From a threat level side, infections are coming in as secondary infections. There's a system already compromised with malware and then threat actors take advantage of first level infiltration to then launch ransomware within the system."
BEC on the rise
The report also found a significant rise in cybercriminals utilizing business email compromise (BEC) as a preferred attack. An alarming 86% of organizations surveyed by Proofpoint faced BEC attempts in 2019. Like ransomware payments, BEC attacks can result in millions of dollars in losses for organizations; 34% of respondents said they experienced financial losses or wire transfer fraud.
"There are many ways for attackers to benefit financially from initiating a BEC attack," Egan said. "For example, the FBI has flagged cases of people going after W2 employee forms and using that to commit tax fraud. In many cases, BEC attacks are underreported because of the embarrassment and issue with having to admit you've been fooled."
Egan said BEC attacks are typically successful because threat actors take their time and do their research, forging emails that appear innocuous to both the human eye and some email security products designed to detect such threats.
"Attacks like BEC are favorable for attackers because they don't have malware or payload attachments. There are no dangerous links embedded in them, so it's difficult for technical safeguards to stop and block them, particularly if you're dealing with an account that's been compromised," she said. "Many of the emails are coming from a known and trusted account, or within an organization, or person-to-person from an account that's been compromised. Attackers are switching to a more people-centric approach."
The trend of more people-centric attacks led to 55% of organizations dealing with at least one successful phishing attack in 2019.
"Business email compromise is a longer-term kind of con," Egan said. "Threat actors don't launch out of the gate asking for bank routing information. They establish a relationship over time to lull someone into believing they're a trusted email account, so the user isn't questioning it."
Proofpoint said security awareness training is a method that saw success in combating such threats, with 78% of organizations reporting that training resulted in measurably lower phishing susceptibility. The report emphasized the importance of understanding who is being targeted, and more importantly, the types of attacks organizations are facing and will face, to reduce social engineering threats such as BEC and spear phishing emails.