Recently, SonicWall published its Cyber Threat Report (SonicWall.com/Threat Report), widely cited for its ransomware data and cyberattack intelligence. The report showed that although overall ransomware volume saw a 21% decline globally, the total volume in 2022 was still higher than in 2017, 2018, 2019 and 2020. In particular, total ransomware in Q4 (154.9 million) was the highest since Q3 2021.
With attacks growing in sophistication, and cybersecurity budgets and headcounts remaining stagnant, it’s important for organizations to understand what’s truly at stake in a cyberattack, so that they can properly allocate their resources and prioritize their prevention strategies.
Unfortunately, in cybersecurity, it’s often challenging to quantify risk — and some of our most common ways of evaluating risk fall short of capturing the effects of some attacks, particularly ransomware attacks.
Quantifying Risk
Most cybersecurity practitioners are familiar with the “heatmap” matrix commonly used to evaluate cybersecurity risk. On one axis, likelihood proceeds from “rare,” “remote” or “very unlikely” to “almost certain,” “very likely” or “frequent.” Along the other axis, attack impact is ranked with terms like “negligible” and “insignificant” on one end and “catastrophic” or “severe” on the other. Find the point where the axes intersect for whichever sort of incident you’re envisioning, and that’s your risk ranking. But while these matrices can be useful tools, they shouldn’t form the basis for your cybersecurity decision-making on their own. The context they can provide is valuable, but they aren’t capable of adequately capturing the full scope of risks posed by attacks such as ransomware.
How Risky is Ransomware?
In CISA’s most recent Cost of Cyber Incidents Study, ransomware was only the second-most common loss category for SMBs, lagging significantly behind social engineering. Among large entities, there was only a single ransomware incident among the businesses surveyed, versus 18 for “malware/virus” and 20 for “hacker.”
More recently, IBM found that 28% of the businesses they surveyed had been victim of a ransomware or “destructive” attack, versus 83% that had experienced more than one data breach. In fact, ransomware made up only 11% of reported incidents — compared with 21% for human error and 24% for IT failures — making it the smallest category aside from “other.”
SonicWall’s own recent data showed ransomware falling by over a fifth in 2022, including a 48% decrease in North America — while almost every other threat type showed an increase.
If severity can be equated to financial impact, the data again seems to suggest ransomware isn’t too much of a concern. In the latest IC3 report, the most expensive type of cybercrime in 2021 was BEC/EAC attacks, which resulted in a $2,395,953,296 loss — completely eclipsing ransomware’s losses of $49,207,908.
A More Comprehensive View of Ransomware Risk
While historical data is inarguably a valuable tool, security professionals need to ensure they’re taking ransomware statistics in context. And while cybersecurity vendors tend to have a pretty good idea of how much ransomware is going through their own solutions, that doesn’t mean that all of these incidents are necessarily being reported. As a result, there’s a growing concern about the scale of underreporting when it comes to ransomware.
This concern isn’t limited to any one country or region. Across the pond, an NCSC report released in November 2022 admitted that the impact of ransomware cannot be accurately determined. “The true numbers of ransomware attacks in the UK each year are far higher [than stated], as organizations often do not report the compromises,” the report stated. The number of incidents isn’t the only thing being undercounted, however. Due to the complexity of these attacks, much of the data that exists for ransomware paints an incomplete picture of the costs associated with the attacks that are reported.
What’s the Worst That Could Happen?
While we commonly refer to them as “ransomware attacks,” ransomware is best thought of less as an isolated incident, and more as a series of potential chain reactions. “Lucky” victims might pay the ransom and get a valid decryption key or quickly rebuild with current and intact backups, and that will be the end of it. But as ransomware gangs become both more creative and more ruthless, this is less and less likely to be the case.
Some of the additional concerns in the aftermath of a ransomware attack that should be factored into a comprehensive risk assessment include:
Broken/Incomplete Decryptors
Despite what ransomware operators claim, paying a ransom is no guarantee that files will actually be decrypted. It isn’t at all rare for the decryption key to be granted, only for the victim to find it didn’t decrypt the data entirely … or at all. And since cybercriminals don’t exactly operate on a “satisfaction or your money back” policy, these companies are out the total ransom amount and the cost of completely rebuilding.
Downtime
On average, organizations experience nearly three weeks of downtime following a successful ransomware attack. This downtime can have a significant impact on earnings.
Double and Triple Extortion
Sometimes a ransomware attack is not just a ransomware attack. Nearly two-thirds of today’s ransomware attacks are also data exfiltration operations, an increase of 106% from just five years ago. And while having sensitive data stolen in a double extortion incident is already a catastrophe, an increasing number of cybercriminals aren’t stopping there.
Repeat Attacks
In spite of promises to the contrary, paying a ransom offers no guarantee that criminals will actually delete the data that they’ve already stolen. And the fact that an organization has already shown a willingness to pay makes them an even more attractive target.
Lawsuits
Due to the sorts of data often exfiltrated in ransomware incidents, attack targets sometimes find they’re also the target of lawsuits filed by one or more affected parties.
Reputation Damage
Even organizations that aren’t taken to court following a ransomware incident often find themselves judged in the court of public opinion. And unlike costs such as forensic investigation and disaster recovery, cyber insurance may not cover all or any of the costs stemming from repairing your organization’s reputation.
Regulatory Fines
In cases where exfiltrated data includes certain types of personally identifiable information, such as financial and PCI (Payment Card Industry) data or medical records and other health information subject to HIPAA, organizations may face large regulatory fines.
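The following is an added example, not code from the SonicWall post, that puts the two views described above side by side: the qualitative heatmap lookup from the “Quantifying Risk” section, and a simple expected-loss model that adds up the chain-reaction stages listed here (broken decryptors, downtime, double extortion, repeat attacks, lawsuits, reputation damage and fines). The 20 days of downtime and the 65% exfiltration share echo the post’s figures; every other probability and dollar amount, and the scenario itself, are constructed assumptions.

```python
"""Added example, not from the SonicWall post: a 5x5 risk heatmap next to a
simple expected-loss model of the ransomware "chain reaction" the post lists
(broken decryptors, downtime, extortion, repeat attacks, lawsuits, reputation,
fines). Every probability and dollar figure is a constructed assumption."""
from dataclasses import dataclass

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "catastrophic"]


def heatmap_rank(likelihood: str, impact: str) -> str:
    """Classic heatmap lookup: multiply the 1-5 positions on each axis and
    bucket the product into four coarse ranks."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 16:
        return "high"
    return "critical"


@dataclass
class RansomwareScenario:
    """Inputs for one ransomware incident (all values are assumptions)."""
    ransom_usd: float
    p_pay: float                # chance the organization pays
    p_decryptor_fails: float    # paid, but the key does not restore the data
    rebuild_usd: float          # full rebuild when decryption fails
    downtime_days: float
    revenue_per_day_usd: float
    p_exfiltration: float       # double/triple extortion: data was also stolen
    regulatory_fine_usd: float  # e.g. HIPAA/PCI exposure, only if data is stolen
    legal_usd: float            # lawsuits from affected parties, only if data is stolen
    reputation_usd: float       # usually not covered by cyber insurance
    p_repeat: float             # follow-on attack after paying once

    def ransom_only_loss(self) -> float:
        """The 'it is just a ransom' estimate: expected ransom payment."""
        return round(self.p_pay * self.ransom_usd, 2)

    def expected_loss(self) -> dict:
        """Expected loss per chain-reaction stage plus the total."""
        loss = {
            "ransom": self.p_pay * self.ransom_usd,
            "rebuild": self.p_pay * self.p_decryptor_fails * self.rebuild_usd,
            "downtime": self.downtime_days * self.revenue_per_day_usd,
            "exfiltration": self.p_exfiltration
            * (self.regulatory_fine_usd + self.legal_usd + self.reputation_usd),
            "repeat_attack": self.p_pay * self.p_repeat * self.ransom_usd,
        }
        loss = {k: round(v, 2) for k, v in loss.items()}
        loss["total"] = round(sum(loss.values()), 2)
        return loss


# Constructed scenario: a mid-size firm that rates ransomware "likely" x "major".
SCENARIO = RansomwareScenario(
    ransom_usd=500_000, p_pay=0.4, p_decryptor_fails=0.25, rebuild_usd=1_200_000,
    downtime_days=20, revenue_per_day_usd=50_000,
    p_exfiltration=0.65, regulatory_fine_usd=300_000, legal_usd=250_000,
    reputation_usd=400_000, p_repeat=0.3,
)


def compare(scenario: RansomwareScenario = SCENARIO) -> dict:
    """Same heatmap cell, very different money: returns both views side by side."""
    full = scenario.expected_loss()
    return {
        "heatmap": heatmap_rank("likely", "major"),
        "ransom_only_usd": scenario.ransom_only_loss(),
        "chain_reaction_usd": full["total"],
        "multiplier": round(full["total"] / scenario.ransom_only_loss(), 1),
        "breakdown": full,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these assumed inputs the heatmap cell is simply “high”, while the chain-reaction total is roughly ten times the ransom-only estimate; the point is not the specific figures but that the breakdown exposes which stage (here, downtime) dominates and therefore where a prevention or recovery budget buys the most.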
The Power of Preventive Measures
While the risk of ransomware might be bigger than many organizations realize, the good news is that there’s plenty of measures that can be taken to help stop these attacks.
- Update: Whenever possible, automate the tracking and enumeration of vulnerabilities on applications and devices on your network. Patch early and often.
- Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
- Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
- Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
- Test: Responsiveness measures aren’t “set it and forget it.” Check to see if your business continuity plan works and is up to date. Determine how long it takes to restore from a backup (and make sure your backups are being updated regularly). Verify that you have isolated, air-gapped domain controllers.
- Safeguard: The above steps are “best practices” and not “universal practices” for a reason. If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.
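As an added example (not the post’s own code or any SonicWall tooling), here is a restore drill that does what the “Duplicate” and “Test” steps above ask for: it measures how long a restore from backup takes, checks that the backup is recent enough, and verifies every restored file against a hash manifest written at backup time. It runs against a small constructed data set in a temporary directory; the paths, the 24-hour freshness threshold and the file contents are assumptions.

```python
"""Added example, not from the SonicWall post: a backup restore drill that
records restore time (RTO), backup freshness and per-file integrity.
Runs on a constructed data set in a temporary directory; paths, thresholds
and file contents are assumptions."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Archive `source` and write a manifest (relative path -> sha256) beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive


def restore_drill(archive: Path, restore_to: Path, max_age_hours: float = 24.0) -> dict:
    """Restore into an isolated directory and verify every file in the manifest.
    Returns what a runbook would record: seconds to restore, freshness, mismatches."""
    manifest = json.loads((archive.parent / "manifest.json").read_text())
    age_hours = (time.time() - archive.stat().st_mtime) / 3600
    restore_to.mkdir(parents=True, exist_ok=True)
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_to, filter="data")  # refuses paths escaping restore_to
        except TypeError:  # Python before the `filter` argument existed
            tar.extractall(restore_to)
    seconds = time.perf_counter() - start
    mismatched = [
        rel for rel, digest in manifest.items()
        if not (restore_to / rel).is_file() or sha256_of(restore_to / rel) != digest
    ]
    fresh = age_hours <= max_age_hours
    return {
        "restore_seconds": round(seconds, 3),
        "files_verified": len(manifest) - len(mismatched),
        "mismatched": mismatched,
        "backup_age_hours": round(age_hours, 2),
        "fresh": fresh,
        "passed": not mismatched and fresh,
    }


def run_demo(tamper: bool = False, stale: bool = False) -> dict:
    """Build a constructed data set, back it up, then run the drill.
    tamper=True simulates an archive that no longer matches its manifest;
    stale=True simulates a backup job that has not run for two days."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        archive = make_backup(source, root / "backups")
        if tamper:
            manifest_path = archive.parent / "manifest.json"
            manifest = json.loads(manifest_path.read_text())
            manifest["notes.txt"] = "0" * 64  # expected hash no longer matches
            manifest_path.write_text(json.dumps(manifest))
        if stale:
            two_days_ago = time.time() - 48 * 3600
            os.utime(archive, (two_days_ago, two_days_ago))
        return restore_drill(archive, root / "restore")


if __name__ == "__main__":
    for name, kwargs in [("clean", {}), ("tamper", {"tamper": True}), ("stale", {"stale": True})]:
        print(name, run_demo(**kwargs))
```

A drill like this belongs on a schedule rather than in a runbook nobody executes: the returned record gives the restore time to compare against the business continuity plan’s recovery objective, and a failing `fresh` or non-empty `mismatched` field is the early warning that the backup being relied on would not actually carry the organization through an incident.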
Conclusion
While the information here can help organizations make more fully informed decisions, it’s ultimately up to each business to determine what its own risk — and risk tolerance — should be. By adopting a proactive stance, organizations can lower their risk of attack while increasing their ability to respond to and recover from an attack if it does occur.