For the second consecutive year, research from Cybereason showed that nearly 80% of organizations that paid a ransom suffered repeat ransomware attacks.
Despite government warnings, law enforcement alerts and previous reports showing that paying a ransom perpetuates the ransomware as a service (RaaS) model, many organizations continue to pay threat actors to decrypt data. While Cybereason's new research, released at RSA Conference 2022 Tuesday, showed that nearly 80% of victims that paid suffered a second attack, that data point becomes even more alarming down the line.
Of the more than 1,400 cybersecurity professionals who participated in Cybereason's 2022 "Ransomware: The True Cost to Business" global study, nearly half said their organizations paid the second ransom demand, and 9% said they paid a third time.
Of the 80% of organizations that paid a ransom and suffered a second attack, Cybereason found that the same threat actors committed the attacks. Companies were often unable to recover from the first attack before the next occurred, getting hit at the worst possible moment; the study stated that 68% of organizations were hit a second time within a month.
"Adding insult to injury, more than two-thirds of those subsequent attacks demanded a higher ransom than the initial attack, and nearly 6-out-of-10 organizations were unable to recover all of their systems and data even after paying the ransom," the report said.
On the other hand, 78% of organizations that did not pay a ransom said they were able to fully restore systems and data without receiving the decryption tool.
Cybereason CSO Sam Curry told SearchSecurity that in those cases, the businesses might have been more operationally prepared, or perhaps the ransomware actors didn't cause as much damage as they could have. Other factors can include contacting the authorities or infosec community, which could have obtained decryption keys or developed tools to unlock the data.
Even when companies did receive the decryption key after making a ransom payment, the Cybereason report said, the tool was "often buggy or slow," and companies were forced to restore from backups anyway. Curry noted concerns about downtime and associated business losses as reasons that victims would pay despite having backups in place.
He also told SearchSecurity that backups themselves can sometimes be infected by ransomware. In addition, some backup systems don't retain copies from far enough back. "As much as 10% to 15% of storage is not recoverable, so some of the problem is just that they never tested it or they never verified it," Curry said.
In the 2022 study, only 42% of businesses confirmed restoration of all systems and data after paying the ransom. More alarming, 54% said they experienced persistent system issues or that some data was corrupted after decryption.
"While paying the ransom may seem like the easier choice, our research this year proves once again that it does not pay to pay," Cybereason CEO Lior Div wrote in the report.
Supply chain attacks increasing
The likelihood of being involved in a ransomware incident is growing as well. Nearly 75% of participants were targeted by at least one ransomware attack in the preceding 24 months, compared with 55% in the 2021 survey, according to the report. That amounts to an increase of 33% year over year.
Cybereason also observed an increase in supply chain attacks. Nearly 65% of organizations that suffered a ransomware attack in 2021 attributed the primary attack vector to a third-party supply chain compromise. However, distribution was unequal among victims.
"Small to medium-sized organizations were more likely to be compromised via supply chain attacks, while larger organizations were more apt to be infected by direct attacks on their environments," the report read.
One significant supply chain attack against Kaseya last year contributed to the increase and discrepancy in victims. The vendor, which specializes in remote management software for managed service providers, supports many smaller businesses that do not have the resources for in-house IT services.
Cyber insurance coverage also differed among business sizes. The larger the organization, the less likely it was to have cyber insurance for ransomware attacks, according to the report, which is surprising given how expensive insurance premiums have become.
"In fact, the larger the company, the less likely they were to have any cyber insurance at all, with 9% of companies with 1,500 or more employees reporting no cyber insurance protection," the report read.
However, 93% of respondents said their organizations have some type of cyber insurance policy in place -- a significant jump from 75% of respondents in the 2021 report. Cybereason also observed an increase in ransomware coverage in those policies and noted a 54% increase from last year's report.
Curry acknowledged that insurers are becoming more restrictive in what they will cover for ransomware attacks and under what conditions. Policies are no longer obtained by ticking boxes on a simple checklist, but by demonstrating how well a business practices security, he said.
In addition to increased supply chain attacks, Cybereason also observed a shift to "more focused, custom attacks." The endpoint security vendor determined that threat actors are targeting organizations that are more likely and able to pay multimillion-dollar demands.
"It is becoming increasingly common for ransomware attacks to involve complex attack sequences in low-and-slow campaigns designed to infiltrate as much of the targeted network as possible versus infecting a single machine with the ransomware payload," the report read.
Cybereason refers to the increased sophistication as "RansomOps" attacks, which are "much more intricate and akin to the stealthy operations conducted by nation-state threat actors."
Prepare, prepare, prepare
Curry compared recent ransomware activity to traditional organized crime where companies essentially paid for protection. Part of the problem begins with ransomware affiliates that sell access to corporate networks, among other services they provide. Curry told SearchSecurity that if those affiliates see potential for a successful attack, they will turn around and resell it to other RaaS groups.
Cybereason recommended conducting tabletop exercises for incident response scenarios, and locking down critical accounts during weekends and holidays, when ransomware actors often strike.
"You should be prepared in peacetime as much as possible. When you get into trouble in the moment and get into flight-or-fight instinct, you may not come out with the most logical or best answer," Curry said. "Preparing ahead of time and rehearsing gives you the reflexes in the moment to make better decisions."
Curry also recommended organizations conduct postmortem reviews before the incident response is completed and security teams come down from high-alert mode.
Cybereason offered one silver lining in the report in terms of attack dwell time. A majority of enterprises confirmed that threat actors were in their network for up to six months before being detected. That prolonged dwell time gives organizations a window to detect and disrupt an attack before it has any serious effect on the business, as long as they have the proper detection tools in place.