
The Economics of Ransomware Attacks

By CybelAngel Wed Feb 1, 2023

An Ounce of Prevention is Worth a Pound of Payment

No company is immune to ransomware attacks; if you have information worth taking, there is a cybercriminal who is ready to take it and then charge you to give it back. The number of attacks is increasing, the payments are going up and more victims are paying up. Over the past few years, ransomware payments have steadily increased around the world—in the United States alone, payments have increased 480% over the past two years with the average payout being $170K in 2020 and just over $800K in 2022. Manufacturing and utility companies had the highest average ransom payment in 2021, coming in at roughly $2 million. And after all that, only about 8% of organizations get back all of their data [1].

How are cybercriminals gaining access to so much valuable information? And what can you do to prevent it?

How Ransomware Attacks Happen

Malicious actors can use multiple points of entry into a network to conduct a ransomware attack. Shadow IT, meaning internet-facing assets that a company’s IT department does not know about and therefore cannot protect, is a popular target because such assets often expose open ports. Other points of entry include phishing campaigns (tricking a user into providing information) and drive-by downloads (tricking a user into downloading malware or spyware).

There is a bright side: Sophos found 73% of companies that were victims of a ransomware attack were able to restore their data through backups [2]. In fact, modern offsite backups allow small businesses to be back up and running fairly quickly after identifying a ransomware attack. If a “bare-metal” backup (a backup from the original state with no customizations, etc.) is available, companies can restore it to a new device within a few hours and have most data available shortly thereafter. Still, on average, larger corporations take roughly one month and $1.5M to fully recover from a ransomware attack.

The Reality of Data Recovery

To be clear, being able to quickly recover from an attack is essential, so some form of backup is absolutely mandatory. That said, there is a downside to the security that backups provide: Sophos.com found that 72% of respondents from companies that were not victims of a ransomware attack felt they were not going to be the victim of an attack in the future due to either backups or cyber insurance, neither of which will prevent a ransomware attack [3]. What’s more, Veeam Software found that 95% of ransomware attacks attempted to infect backup repositories as well [4].

Even worse? A recent study showed 60% of organizations who paid still could not fully recover their data [5]. Data security is formulated around the “CIA triad”: confidentiality, integrity and availability. If a cybercriminal has your data, its availability has already been compromised and it is no longer confidential. This naturally means that the data’s integrity can no longer be guaranteed. From a data security perspective, you’ve lost everything, because once cybercriminals have your data they can make copies and sell them even after you have paid the ransom.

Prevention 1.0: The Bare Minimum in Ransomware Protection

The simple fact is, ransomware attacks rely on people slipping up. Either they fail to take an action that they should have taken or they take an action that they should not have.

Basic IT measures for preventing attacks include blocking specific ports and web pages in firewalls, blocking specific domains in email filters, properly patching devices, and closing any open sensitive ports on internet-facing devices. Employee education is also essential. Ensure that employees understand what shadow IT is and how it can damage the company. Provide regular updates on known scams so that employees know what to look out for. Train employees to recognize files with ransomware extensions (e.g., .micro, .exx, .encrypt, .crypz, etc.). Conduct phishing drills as a way to keep employees alert and engaged in prevention efforts. Actions like these can help prevent attacks from happening in the first place.
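Recognizing ransomware extensions is also something a file server or endpoint can do on its own, which catches an encryption run long before an employee opens a share. The script below is an added example (not CybelAngel's code) that flags files carrying the extensions named above and aggregates hits per directory, since one odd file is noise while several in one share in a short window is an encryption in progress. The file listing is constructed sample data.

```python
"""Flag files whose extensions match known ransomware naming patterns.

Added example, not CybelAngel's code. The extension list repeats the ones
named in the article (.micro, .exx, .encrypt, .crypz); the paths below are
a constructed sample listing, not a real file system.
"""
from collections import Counter
from pathlib import PurePosixPath

# Extensions the article names as ransomware indicators (lower-case, with dot).
RANSOMWARE_EXTENSIONS = frozenset({".micro", ".exx", ".encrypt", ".crypz"})

# Constructed sample listing: normal files mixed with files an encryptor has
# renamed (original extension kept, ransomware extension appended).
SAMPLE_LISTING = [
    "/srv/share/finance/q3-report.xlsx",
    "/srv/share/finance/q3-report.xlsx.micro",
    "/srv/share/hr/contracts.docx.EXX",
    "/srv/share/hr/photo.jpg",
    "/srv/share/eng/design.pdf.crypz",
    "/srv/share/eng/README_FOR_DECRYPT.txt",
    "/srv/share/eng/notes.encrypt",
]


def is_suspicious(path: str, extensions=RANSOMWARE_EXTENSIONS) -> bool:
    """True when the file's last extension is a known ransomware extension.

    The comparison is case-insensitive because encryptors are not consistent
    about the case of the extension they append.
    """
    return PurePosixPath(path).suffix.lower() in extensions


def scan_listing(paths, extensions=RANSOMWARE_EXTENSIONS):
    """Return (suspicious_paths, per_directory_counts) for a file listing.

    The per-directory count is what a defender actually alerts on: many
    flagged files under one directory indicates an encryption in progress.
    """
    hits = [p for p in paths if is_suspicious(p, extensions)]
    per_dir = Counter(str(PurePosixPath(p).parent) for p in hits)
    return hits, per_dir


def directories_over_threshold(per_dir, threshold=2):
    """Directories whose number of flagged files reaches the threshold."""
    return sorted(d for d, n in per_dir.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_dir = scan_listing(SAMPLE_LISTING)
    for p in hits:
        print("suspicious:", p)
    for d in directories_over_threshold(per_dir):
        print(f"{d}: {per_dir[d]} flagged files, likely encryption in progress")
```

In practice the listing would come from a file-integrity monitor or the server's change journal rather than a static list, and the threshold would be applied per time window; the matching and aggregation logic stays the same.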

Prevention 2.0: For a Healthier Cybersecurity Posture

There’s only so much that a typical organization can do to prevent ransomware attacks because, chances are, your company already has vulnerabilities. Attackers who exploit those vulnerabilities are looking for two things: money and credibility. They get money from the ransom but even if you don’t pay, they can get money by selling your data to others. And if by chance no one buys? They’ll give it away to gain credibility and reputation within hacker groups.

In order to prevent these types of attacks, preemptive security is the only strategy that works. That’s where CybelAngel offers a more advanced approach: We find those vulnerabilities before the cybercriminals can. A few of the key methods we use include:

Scanning the entire IPv4 space every 24 hours. By identifying third-party servers and continually scanning for keywords, CybelAngel can monitor these internet-facing devices for any malicious activity. For example, one of our customers is a Fortune 100 company that had a third-party supplier in Hong Kong. Through keyword matching, CybelAngel detected sensitive files pertaining to the client on a device that had recently been compromised by the Mars Ransomware. CybelAngel alerted the client to the ransomware server so appropriate measures could be taken.

Identifying malicious domains, which phishing attacks often use in an attempt to gain access to corporate devices. CybelAngel recently found a homoglyph domain, an attack that uses characters that look similar to the real ones in order to mimic a legitimate URL. We can alert your organization’s security team so they can block these domains before an attack takes place.
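The core of homoglyph detection is to reduce every domain to a "skeleton" in which confusable characters (Cyrillic letters, digits that resemble letters, punycode-encoded Unicode labels) are mapped back to the Latin letter they imitate, and then compare skeletons against the organization's legitimate domains. The script below is an added example, not CybelAngel's tooling: its confusables table is a small hand-picked subset, and the legitimate and candidate domains are constructed samples.

```python
"""Detect look-alike (homoglyph) domains against a list of legitimate domains.

Added example, not CybelAngel's code. CONFUSABLES is a constructed subset of
the Unicode confusables data; LEGITIMATE and SAMPLE_CANDIDATES are constructed
samples, not observed domains.
"""
import unicodedata

# Constructed subset: visually confusable characters mapped to the Latin
# letter they imitate. A production tool would use the full Unicode
# confusables table; this is enough to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u0455": "s", "\u0501": "d",                                # Cyrillic s d
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digit substitutions
    "\u0131": "i", "\u0261": "g",                                # dotless i, script g
}
# Character pairs that read as one letter in most fonts.
MULTI_CHAR = {"rn": "m", "vv": "w"}

LEGITIMATE = ["example.com", "cybelangel.com"]

# A punycode label built at runtime from a Cyrillic-a spoof of example.com,
# so the sample does not depend on a hand-typed xn-- string.
PUNYCODE_SAMPLE = "ex\u0430mple.com".encode("idna").decode("ascii")

SAMPLE_CANDIDATES = [
    "example.com",          # the genuine domain, must not be flagged
    "ex\u0430mple.com",     # Cyrillic a in place of Latin a
    PUNYCODE_SAMPLE,        # same spoof as it appears in DNS / certificate logs
    "examp1e.com",          # digit one for lowercase L
    "cybe1angel.com",
    "cybelangel.net",       # different TLD: a different name, not a homoglyph
]


def decode_idn(domain: str) -> str:
    """Turn punycode labels (xn--...) into their Unicode form; pass others through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which confusable characters are replaced by
    the ASCII letter they resemble, so two domains that look alike to a human
    yield the same string."""
    d = decode_idn(domain).lower()
    # Strip combining marks so accented variants collapse onto the base letter.
    d = "".join(ch for ch in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(ch))
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for seq, rep in MULTI_CHAR.items():
        d = d.replace(seq, rep)
    return d


def lookalikes(candidates, legitimate):
    """Return [(candidate, legitimate_domain)] for every candidate whose skeleton
    equals a legitimate domain's skeleton but whose spelling differs."""
    legit_by_skel = {skeleton(l): l for l in legitimate}
    hits = []
    for cand in candidates:
        target = legit_by_skel.get(skeleton(cand))
        if target is not None and cand.lower() != target.lower():
            hits.append((cand, target))
    return hits


if __name__ == "__main__":
    for cand, target in lookalikes(SAMPLE_CANDIDATES, LEGITIMATE):
        print(f"block {cand!r}: looks like {target}")
```

Feeding newly registered domains or certificate-transparency log entries through lookalikes() yields a block list for the mail gateway and web proxy; exact skeleton equality is deliberately strict, and a production version would add an edit-distance check to catch typosquats that are not pure homoglyphs.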

Finding and inventorying unknown assets and potential threats. For one customer, CybelAngel found 42 common vulnerabilities & exposures, including an open Remote Desktop Protocol (RDP) port on assets they weren’t aware of—often the entry point for ransomware attacks. This list of critical threats, prioritized by severity and accompanied by actionable information, enabled the customer’s security team to remediate them before exploitation.

CybelAngel’s proactive measures enable an organization to identify a threat before it can move across networks or devices. To quickly learn whether you have exposures that are putting you at risk, request an External Exposure Scan today, or learn more about ransomware prevention.