April 28, 2021 | 3 minute read
The digital threat landscape as a whole is constantly changing and evolving. That can make it difficult to keep track of new developments for specific threats like ransomware. Don’t worry though, Cybereason has got you covered.
After all, it’s our job to know what’s happening with ransomware and other threats to your organization. Here are five things you need to know about the current state of ransomware attacks:
The number of ransomware attacks continues to grow year after year. As an example, a report covered by ZDNet found that the number of ransomware attacks in H1 2020 grew by 715% compared to the first half of the previous year.
Over the course of those attacks, researchers witnessed established strains of ransomware subside and give rise to new families. The rest of the year was more or less the same. Indeed, Help Net Security reported that ransomware attacks increased by more than 150% over the course of 2020.
The cost of a ransomware attack is also on the rise. According to Infosecurity Magazine, the average ransomware payment increased by 171% from $115,123 in 2019 to $312,493 in 2020.
The security industry witnessed even higher ransom demands in the months that followed. None has topped the REvil gang's recent demand of $50 million from PC manufacturer Acer, the highest ransom demand to date as of this writing.
Of course, ransom payments aren’t the only costs associated with a ransomware attack. In one report for example, 64% of managed service providers (MSPs) said that their small- to medium-sized business (SMB) clients had experienced business productivity disruptions after suffering a ransomware attack. Close to half (45%) reported downtime, with the average cost of those disruptions having reached $141,000—more than 200% higher than it was in 2019 at just $46,800.
The utility of data backups has changed given the increasing prominence of double extortion. As we noted in another blog post on double extortion, ransomware operators have taken to exfiltrating a target's data before launching the encryption routine, and then demanding that victims pay up not only to get their systems decrypted but also to prevent the attackers from publishing their data online.
Double extortion is useful from an attacker’s perspective. A backup might allow a victim to recover their encrypted information, but it won’t prevent an attacker from leaking their stolen data online. This tactic thus helps to put additional pressure on victims to pay up.
Victims want to avoid paying the ransom at all costs. That’s because doing so doesn’t guarantee that they’ll be able to recover their affected information. For example, another recent report found that over half (56%) of ransomware victims decided to pay the ransom in 2020, but 17% of those who did pay didn’t regain access to their data.
There are a couple of reasons why this is so. Both of them trace back to the attackers themselves. Sometimes, ransomware actors simply lack the skills to develop a decryptor that can successfully recover all of their victims’ files (think ProLock).
Other times, it’s simply about attackers being terrible people who do not keep their word. This became apparent in yet another ransomware report where five crypto-malware gangs stood out for their failure to keep their end of the bargain. Some published their victims’ information even after receiving a ransom, while others came back and re-extorted those individuals for the same information at a later date.
That’s not the only reason why victims should think twice before paying the ransom. There’s also the 2020 announcement from the U.S. Department of Treasury that U.S. persons could incur civil penalties for sending ransom payments to attackers in nations on its cyber sanctions list. No wonder the FBI does not support paying a ransom in response to a ransomware attack.
Acknowledging the above, the best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. They can't rely on Indicators of Compromise (IOCs) alone to do that, however. There are lots of new ransomware families, after all, so there's no guarantee that indicators from an attack at one organization will be useful in preventing an attack at another.
Instead, organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages. Cybereason delivers fearless ransomware protection via multi-layered prevention, detection, and response, including:
• Anti-Ransomware Prevention and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
• Intelligence-Based Antivirus: Cybereason blocks known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
• NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
• Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
• Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry's top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.