zephyr_p - stock.adobe.com

Repeat ransomware attacks hit 80% of victims who paid ransoms

New research from Cybereason offers troubling findings for organizations that pay ransoms, from repeat attacks to corrupted data and faulty decryption tools.

Organizations that pay up after a ransomware attack incur a higher probability of a second attack.

New research from endpoint security vendor Cybereason examined the short- and long-term effects of ransomware in a survey of 1,263 infosec professionals from the U.S., United Kingdom, Spain, Germany, France, United Arab Emirates and Singapore. One of the most significant findings was that 80% of organizations that paid a ransom demand experienced a second attack.

To make matters worse, of those who experienced a repeat ransomware attack, nearly half believed it was at the hands of the same attackers, while 34% thought the second attack was perpetrated by a different set of threat actors.

Additionally, payment does not guarantee that operations will go back to normal. Of those surveyed, 46% regained access to their data, but some or all of it was corrupted. And 25% of respondents said a ransomware attack led to their organization closing down.

Cybereason's report presents troubling data around the growing threat of repeat attacks. While the 80% figure cited is higher than Cybereason co-founder and CTO Yonatan Striem-Amit expected, he said it was not that surprising. When businesses pay a ransom, they may be solving an immediate problem, he said, but they are also announcing their willingness to pay potentially large sums of money to resolve a crisis.

When victims are paying, they're putting [up] a sign to attackers: We're open for business. The criminals then attack these victims again before they have a chance to ramp up their security practices.
Yonatan Striem-AmitCo-founder and CTO, Cybereason

Striem-Amit said cybercriminals have become much better at identifying would-be targets, with larger ransomware groups specializing in big game hunting -- going after major multinational corporations with targeted intrusion techniques. The problem has become so bad that the White House recently issued a ransomware directive for businesses.

"When victims are paying, they're putting [up] a sign to attackers: We're open for business," he said. "The criminals then attack these victims again before they have a chance to ramp up their security practices."

Deciphering the cause of repeat attacks

Cybereason isn't the only vendor to observe the trend of organizations being attacked multiple times. Nick Pelletier, incident response director at Mandiant, told SearchSecurity that his company has performed investigations for companies repeatedly victimized by the same ransomware threat actor. However, the subsequent attacks often occurred in situations where the threat actor's attempts to elicit a ransom payment were unsuccessful. In those instances, according to Pelletier, Mandiant observed an escalation in the threat actor's tactics, first by increasing the scope of encryption, and later by resorting to extortion via data theft and exposure.

"In this way, repeated targeting of the same organization helps accomplish the threat actor's mission by increasing leverage. Furthermore, it's disingenuous to frame repeated targeting as a mistake or lack of preparedness of the victim, as it's more akin to a sustained attack without the luxury of time to investigate, remediate and increase resiliency, as opposed to multiple, distinct attacks," Pelletier wrote in an email to SearchSecurity.

Additionally, incident response (IR) following an attack can be tricky. Eric Parizo, principal analyst, security operations at Omdia, told SearchSecurity that the margin of error for IR investigations and recovery is thin.

"Because every incident is unique, even if you have trained staff, good technology and sound processes supporting your IR effort, things can still go wrong if you don't discover the event fast enough, identify all the affected places and take the right actions to mitigate it," Parizo wrote in an email to SearchSecurity.

Jon Oltsik, principal analyst at Enterprise Strategy Group, a division of TechTarget, said other issues include informal and untested programs and a lack of trained IR personnel. "Typically, customers do listen to IR providers, but they may not have the skills, resources or workflows to do so in a timely manner," Oltsik wrote in an email to SearchSecurity.

Post-attack investments

Cybereason asked respondents who had suffered a ransomware attack in the last 24 months what technologies they had invested in to protect their networks from future events. The top five approaches cited were security training awareness, security operations center, endpoint protection, data backup and recovery, and email scanning.

"Unfortunately, it's not a pick one [approach] and only do that," Striem-Amit said. "If you build your entire security program around awareness, this will not succeed. But doing all these things together [is] very effective -- deploying the right solutions, training the team and best practices will help. The businesses have to have a willingness to act."

While Striem-Amit said cyber insurance is an important component in an enterprise's cybersecurity posture, Cybereason is seeing many cases where insurance doesn't cover the entirety of the damage. According to the survey, 42% of respondents said their insurance carrier only covered some of their financial losses. With attacks affecting brand reputation, and causing layoffs and other business disruptions, the costs can pile up.

"Can insurance ever really cover the full cost of [a] ransomware attack? The answer is no. It probably isn't sufficient as the only or major way you mitigate risk in your organization," Striem-Amit said.

While the overall volume of attacks appeared to be decreasing this year, according to Cybereason, they are more sophisticated. Striem-Amit said ransomware operations today are almost indistinguishable from the sophistication and knowledge of nation-state hackers. Therefore, enterprises need to be prepared.

"Focusing on hygiene, the right technologies [and] dropping away from antiquated to modern practices is dramatically cheaper than the overwhelming damage that will happen to you if you're hit by a ransomware attack," he said. "Ransomware attacks these days are modern, sophisticated and really go after everybody. Take it seriously now."

Next Steps

DarkSide ransomware funded by cybercriminal 'investors'

End users in the dark about latest cyber threats, attacks

How ransomware victims can make the best of a bad situation

CrowdStrike details new MFA bypass, credential theft attack

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing