Why Do Organisations Pay Ransom During a Ransomware Attack?


Once again, Arctic Wolf has taken the temperature of organisations across the globe to determine how the cybersecurity landscape of 2022 is shaping their 2023 concerns and actions. While the survey covered a number of topics, one stood out: ransomware.  

48% of organisations ranked ransomware as their number one concern for the coming year. That is down from 70% in 2022, but it does not mean ransomware is going away. Ransomware-as-a-service (RaaS) has gained momentum, lowering the barrier to entry for less skilled attackers, and it continues to be a favourite among threat actors. 42% of the organisations we surveyed experienced a ransomware attack last year, while only 8% experienced any other type of breach.

Clearly, ransomware is running away with the lead.

What’s even more concerning than the rate of attacks is that organisations are willing to pay the requested ransom, not only rewarding these threat actors but potentially motivating them to attempt future breaches. 

Three Reasons Organisations Pay Ransom During an Attack

The question remains why an organisation would pay the ransom during an attack, and the answer is more complicated than simply “wanting data back,” though that, of course, is a motivating factor.

74% of the time someone, either the victim themselves or a representing body such as an insurance company, chose to pay some percentage of the ransom. To break that down: 11% allowed an insurance provider or outside entity to pay some of the ransom, 22% agreed to pay a portion themselves after negotiating with the attackers, and 41% paid the ransom in full. It is important to note that the FBI recommends never paying the ransom, but that is not what is happening in practice.

There are three main reasons organisations feel payment is the best option during an attack: 

1. Their Cyber Insurance Company Is Negotiating with the Attackers

Cyber insurance is becoming more critical for organisations, and many businesses rely on their insurer to help them respond (and to make the important decisions) if a breach happens. Some insurers may decide negotiation is the best path forward depending on the amount of the ransom, the value and volume of the data compromised, and what remediation and restoration would cost. For them, it is a financial decision made with long-term value in mind.

2. The Ransom Is Small

While it’s true that the average ransomware payment can run into the millions, partly because cyber criminals have turned their sights to larger enterprises, it is not always that high. It can be as low as a few thousand US dollars, and for a smaller organisation that ransom is less than the cost of dealing with the fallout of the attack (think compliance fines, reputation damage, and remediation costs).

3. It’s the Best Option for the Organisation

Whether to negotiate and potentially pay depends on a number of factors including, as mentioned above, the advice of the cyber insurance company and the amount of the ransom. Other factors include the kind of attack (for example a double-extortion attack, where the attackers both encrypt the data and exfiltrate a copy, threatening to publish it unless paid), the data that has been encrypted, and what the fallout could be from operational downtime, exfiltrated data, and remediation. All those factors vary from organisation to organisation, and for some, simply writing a cheque or wiring cryptocurrency is the most cost-effective option, even if it motivates the cyber criminals to conduct future attacks.

How to Prevent Ransomware Attacks

The best way for an organisation to avoid paying ransom is to implement security strategies and solutions that can prevent an attack before it reaches that stage.  

There are a few steps organisations can take to both improve their overall security posture and put themselves in a strong position to defend against ransomware attacks: 

  • Employ vulnerability management. The majority of attacks start with the exploitation of an externally exposed vulnerability, so implementing vulnerability management techniques, including consistent monitoring and patching, helps an organisation lock doors that attackers could otherwise walk through.
     
  • Have strong access and identity management, including safeguards like multi-factor authentication (MFA). Having strong access management can prevent a cybercriminal from entering a network or being able to move laterally within it, helping keep the most critical assets safe.
     
  • Utilise constant monitoring with a solution like managed detection and response. Knowledge and visibility are power in cybersecurity: being able to see that unusual behaviour is happening, and where, lets a defender stop a threat before it becomes a full-blown ransomware attack. Encryption itself is noisy, with one host rewriting or renaming many files in a short time, and that pattern can be detected and contained early.
     
  • Invest in cyber insurance and incident response. Considering the statistics, it’s best to be prepared for the worst-case scenario, and cyber insurance companies and incident response organisations are ready for just that. They can help organisations deal with both the immediate and long-term effects of a ransomware attack. 
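As an added illustration of the behavioural monitoring the third bullet points at, the following Python is example code written for this article, not Arctic Wolf's tooling or any product's detection logic. It runs a simple encryption-burst heuristic over constructed file-event telemetry: a host is flagged when, inside a sliding 60-second window, it touches at least 20 distinct files and at least 80% of them carry an extension that host has never written before. The host names, file paths, thresholds and per-host extension baseline are all assumptions made for the example; a second host that legitimately writes many files of a known type is included to show why the new-extension ratio is needed on top of the raw file count.

```python
"""Encryption-burst detector run over constructed file-event samples (example code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # sliding window evaluated per host
MIN_FILES = 20                   # distinct files touched inside the window
MIN_NEW_EXT_RATIO = 0.8          # share of those files carrying a never-seen extension

# Extensions each host normally writes. Constructed for the example; a real
# deployment would learn this per host from a quiet baseline period.
BASELINE_EXTENSIONS = {
    "ws-17": {".xlsx", ".docx", ".pdf", ".tmp"},
    "ws-42": {".xlsx", ".docx", ".pdf", ".tmp"},
    "srv-build": {".o", ".tmp", ".log"},
}


def _ext(path: str) -> str:
    """Final extension of a Windows path, lower-cased ('.pdf.locked' -> '.locked')."""
    return PureWindowsPath(path).suffix.lower()


def build_sample_events():
    """Constructed telemetry as (timestamp, host, action, path) tuples.

    ws-17: ordinary office activity, one document per minute.
    srv-build: a compile job writing 40 object files in 40 seconds (known extension).
    ws-42: 30 renames in 30 seconds, each file gaining a '.locked' extension.
    """
    events = []
    t0 = datetime(2023, 3, 1, 9, 0, 0)
    for i in range(25):
        events.append((t0 + timedelta(minutes=i), "ws-17", "write",
                       rf"C:\Users\alice\Documents\report-{i}.docx"))
    t1 = datetime(2023, 3, 1, 11, 30, 0)
    for i in range(40):
        events.append((t1 + timedelta(seconds=i), "srv-build", "write",
                       rf"C:\build\out\module-{i:03d}.o"))
    t2 = datetime(2023, 3, 1, 14, 12, 0)
    for i in range(30):
        events.append((t2 + timedelta(seconds=i), "ws-42", "rename",
                       rf"C:\Shares\finance\invoice-{i:03d}.pdf.locked"))
    return sorted(events)


def detect_encryption_bursts(events, baseline=BASELINE_EXTENSIONS):
    """Return {host: alert} for every host whose window crosses both thresholds.

    Only the first crossing per host is reported, so a 30-file burst yields one
    alert rather than eleven.
    """
    alerts = {}
    windows = defaultdict(deque)  # host -> deque of (timestamp, path), oldest first
    for ts, host, action, path in events:
        if action not in ("write", "rename"):
            continue
        win = windows[host]
        win.append((ts, path))
        # Drop events that have fallen out of the 60-second window.
        while win and ts - win[0][0] > WINDOW:
            win.popleft()
        files = {p for _, p in win}
        if len(files) < MIN_FILES:
            continue
        known = baseline.get(host, set())
        new_ext_files = [p for p in files if _ext(p) not in known]
        ratio = len(new_ext_files) / len(files)
        if ratio >= MIN_NEW_EXT_RATIO and host not in alerts:
            alerts[host] = {
                "first_seen": win[0][0].isoformat(),
                "files_in_window": len(files),
                "new_extensions": sorted({_ext(p) for p in new_ext_files}),
            }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_encryption_bursts(build_sample_events()).items():
        print(f"ALERT {host}: {alert}")
```

With the constructed sample, only ws-42 is flagged: srv-build crosses the file-count threshold but every file carries a known extension, and ws-17 never touches 20 files in a minute. In production the same logic would consume EDR or file-audit events, and the alert would feed an automated response such as isolating the host, which is the point at which monitoring stops an incident rather than merely recording it.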

Learn more about the top 2023 trends and what they mean for cybersecurity moving forward with the “State of Cybersecurity: 2023 Trends Report.” 

Explore how a proactive, operations-focused approach can prevent future ransomware attacks. 

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.