Ransomware Resilience Series
EVALUATING THE RISK POSED BY RANSOMWARE THREATS
Arguably the greatest threat to organisations in 2021 is ransomware.
Ransomware attacks proliferated in 2020, increasing by 435% compared to 2019. The proportion of victims paying the ransom has also increased, from 39% in 2018 to 58% in 2020 (the figure is likely to be even higher when factoring in those organisations that have not disclosed whether a ransom has been paid).
To make matters worse, ransomware attacks are evolving. They are no longer limited to the encryption of victim systems. Ransomware 2.0 now involves extortion under the threat of information leakage. Under a ransomware 2.0 attack, not only are the victim’s systems encrypted but any data extracted will be made public if payment is withheld, opening the victim up to further damages due to the mishandling of sensitive data.
The reality today is that ransomware attacks are becoming more targeted – although not in the conventional sense. Any organisation with a strong reason to pay is vulnerable.
While ransomware attacks are inherently opportunistic in nature, attackers refine the targets on their hit list to align their efforts with the greatest chance of reward. Rather than ‘targeted’, ransomware attacks are better described as prioritised. Ransomware 2.0-style extortion attacks in particular entail significant human investment in terms of time and resources. To maximise the return on that investment, attackers will research an organisation before committing resources to a full compromise, not only prioritising whom they attack but also calculating what ransom sum the organisation is able to pay.
Ultimately, attacker groups (and more specifically criminal fraternities motivated by financial reward) operate like legitimate businesses. If the potential return on investment from targeting an organisation is limited, they will invest their time and resources on other targets more likely to yield results.
This means that organisations that rely on digital products and services to deliver their core business services (and are therefore exposed to the greatest risk), and that also have the resources to pay a ransom, are the most likely to be targeted.
In this article, we analyse the lessons learned from recent ransomware attacks and payments, evaluating what this tells us about the concept of ‘resilience’ in the context of ransomware, and why cyber insurance alone is not enough to effectively reduce the risk.