Ransomware is a widespread threat to organisations across all sectors in 2021. According to The State of Ransomware 2021 report by Sophos, 37 per cent of organisations around the world were hit by ransomware in 2020 and the average cost of recovery from such an attack has more than doubled, from $0.76m in 2019 to $1.85m in 2020.
The average ransom paid was $170,404 – and almost a third of victims paid up. In addition to the significant financial cost and resource demands of recovering from an attack, ransomware can destroy brands and reputations, especially when personal data and other confidential information is involved. The annual Sophos survey, which polled 5,400 IT decision makers in 30 countries around the world, (mainly from mid-sized organisations) shows how not all industry sectors have been impacted as adversely by ransomware attacks.
Media, leisure and entertainment along with distribution and transport topped the list of sectors able to block an attack before their data was encrypted – with 47 per cent and 48 per cent, respectively, able to do so, compared to a global average of 39 per cent. In local government, which can have limited IT resources, only 28 per cent managed to avoid encryption, while healthcare (28 per cent) and oil and energy (25 per cent) also struggled.
The threat landscape for ransomware is changing. At one end of the spectrum there are unskilled criminals using off-the-peg ransomware-as-a-service (RaaS) software, such as Dharma, in a spray-and-pray approach. At the other end there are advanced, targeted and manually orchestrated attacks that involve innovative tactics, techniques and procedures as well as tools that are often also used by IT administrators and security professionals for everyday tasks. These advanced attacks involve the highest ransom demands, often running into millions of dollars. In addition, such attacks can combine encryption with the theft of data, which the attackers then threaten to make public unless a ransom is paid.
Some adversaries are skipping the data encryption stage altogether and are simply demanding a ransom to delete, or agree not to publish, the stolen data. A small, but significant 7 per cent of respondents to the global survey had experienced such attacks – double the 3 per cent affected in 2019. Anecdotal evidence suggests that central government and retail organisations may be particularly vulnerable to this kind of approach.
Does it pay to pay a ransom? The universal answer is no, but not everyone feels they have a choice. If you don’t have up-to-date offline backups, a decryption key provided by the attackers may be the only way of getting your data back. But it is rarely that simple. The survey found that of the organisations that pay a ransom, fewer than one in ten (8 per cent) get all their data back, while 29 per cent recovered no more than half.
Chester Wisniewski, principal research scientist at Sophos, says: “This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low-quality or hastily compiled code and techniques make data recovery difficult.”
Some attackers remain in the victim’s network after launching the ransomware, to see if the attack succeeded, but also so that they can threaten a repeat attack if the victim doesn’t pay. Identifying and removing any trace of the intruders is vital to prevent this from happening.
What did the survey respondents expect from ransomware in the future? Of the 62 per cent of organisations that had not been hit by ransomware in the past year, nearly three-quarters expect to be targeted at some point. Around half of them (47 per cent) said this was because of the increased sophistication of attacks. The good news is that 6 per cent of those that had escaped attack – and felt they were unlikely to be a target in the future – said this was down to the expertise of their IT teams.
Jonathan Lee is public sector director UKI at Sophos.