The number of global ransomware attacks is on the rise. According to Threatpost, the global volume of ransomware operations reached 304.7 million attacks in H1 2021. That’s a year-over-year increase of 151%. What’s more, that’s 100k+ more attack attempts than what security researchers detected in all of 2020.
Some operations helped to drive that surge in ransomware activity more than others. One of them was Ryuk, a group of attackers with which we’re very familiar. We’ve been tracking Ryuk since it first began infecting victims in 2018. Since then, we’ve observed the attackers responsible for Ryuk partnering with other digital crime operations—sometimes in the same attack attempt.
Who can forget the time we saw Emotet download TrickBot deploying Ryuk? Cybercriminals targeting large enterprises were using spam emails to deliver the Emotet trojan in order to further distribute the TrickBot malware. Once a targeted machine was infected with the TrickBot malware, the attackers began to steal sensitive information and determine if the organization was a high value target--if so, they proceeded to deliver the Ryuk ransomware.
Ransomware: The Ongoing Challenge
The example discussed above highlights the extent to which ransomware remains one of the most prominent threats in the malware landscape. Consider the findings of the 2021 Data Breach Investigations Report (DBIR), for instance. In its publication, Verizon noted that 13% of incidents that did not involve a denial-of-service (DoS) attack included a ransomware component.
The researchers also noted in the report that ransomware had appeared in 10% of data breaches, thereby doubling its frequency over one year and becoming the third most-prevalent attack action in data breaches. This change reflects the extent to which ransomware gangs embraced double extortion-- the act of exfiltrating sensitive data in addition to encrypting it and threatening to leak or sell it if the ransom demand is not met. The added incentive complicates targeted organizations' recovery efforts and enables attackers to demand higher ransom payouts.
Double extortion wasn’t the only new technique that helped ransomware attackers grab the third spot in Verizon’s ranking of attack actions. Attackers also looked to exploit software vulnerabilities--some of them as much as seven years old at the time--as a means of capitalizing on an organization’s weak vulnerability management practices.
According to CSO, ransomware groups took special interest in CVE-2019-19781. The Ragnarok ransomware operation used this Citrix vulnerability to gain entry into vulnerable organizations’ networks and download attack tools while masquerading as part of Windows Certificate Services.
They then executed their binary before deleting the URL from the user’s certificate cache. Black Kingdom and other ransomware attackers also looked to leverage the CVE-2019-11510 Pulse flaw as a way of preying upon unpatched enterprise assets.
Increasing Ransomware Costs
Taken together, these tactics have helped to escalate the costs associated with ransomware attacks. IBM noted in its Cost of a Data Breach Study 2021 that the average ransomware attack now costs $4.62 million to recover from. This is more costly than the $4.24 million price tag for the average data breach, yet it doesn’t even include the costs associated with paying the ransom demand and other fallout from an attack.
So, what does the cost of a ransomware attack include? Our ransomware study from earlier this year, titled Ransomware: The True Cost to Business, provides some indication. Consider the following statistics:
- Loss of Business Revenue: Two-thirds of organizations said that they suffered revenue loss following a ransomware attack.
- Damage to Brand and Reputation: More than half (53%) of organizations said that they suffered damage to their brand and reputation after an attack.
- Loss of C-Level Talent: Approximately a third of respondents said that they lost C-Level talent after suffering a ransomware incident.
- Employee Layoffs: About three in 10 survey participants indicated that they were forced to lay off employees due to the financial pressures caused by a ransomware attack.
- Business Closures: A quarter of organizations temporarily closed their business operations after experiencing a ransomware infection.
Our follow-up report, titled Organizations at Risk: Ransomware Attackers Don’t Take Holidays, revealed that 60% of respondents said a weekend or holiday ransomware attack resulted in longer periods to assess the scope of an attack, 50% said they required more time to mount an effective response, and 33% said they required a longer period to fully recover from the attack. On the human side of the equation, 86% of respondents indicated they have missed a holiday or weekend activity because of a ransomware attack, a situation that can factor into employee job satisfaction and potential burnout.
But despite the significant impact ransomware attacks have on organizations, most simply are not prepared to adequately defend against them even if their organization has already suffered a successful ransomware attack. This latest study found that 49% believe the ransomware attack against their organization was successful because they did not have the right security solutions in place.
In fact, just 67% of organizations had a NextGen Antivirus (NGAV) solution deployed at the time of the attack, only 46% had a traditional signature-based antivirus (AV) in place, and just 36% had an Endpoint Detection and Response (EDR) solution in place.
Defending Against Modern Ransomware Attacks
These findings highlight the need for organizations to defend themselves against more complex, low-and-slow ransomware operations, or RansomOps™. You can’t rely on Indicators of Compromise (IOCs) from known attacks - today’s RanomOps are largely customized to the targeted organization.
The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, you need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.
The Cybereason operation-centric approach provides the ability to detect RansomOps attacks earlier, and is why Cybereason remains undefeated in the battle against ransomware with the best prevention, detection and response capabilities on the market.
Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.