
Advertorial feature by Sophos
20 May 2021, updated 09 Sep 2021 9:09am

The price and politics of security

Companies should brace themselves for breaches but not bow down to intimidation tactics.

By Jonathan Lee

Ransomware is a widespread threat to organisations across all sectors in 2021. According to The State of Ransomware 2021 report by Sophos, 37 per cent of organisations around the world were hit by ransomware in 2020 and the average cost of recovery from such an attack has more than doubled, from $0.76m in 2019 to $1.85m in 2020.

The average ransom paid was $170,404 – and almost a third of victims paid up. In addition to the significant financial cost and resource demands of recovering from an attack, ransomware can destroy brands and reputations, especially when personal data and other confidential information are involved. The annual Sophos survey, which polled 5,400 IT decision makers in 30 countries around the world (mainly from mid-sized organisations), shows that not all industry sectors have been impacted as adversely by ransomware attacks.

Media, leisure and entertainment along with distribution and transport topped the list of sectors able to block an attack before their data was encrypted – with 47 per cent and 48 per cent, respectively, able to do so, compared to a global average of 39 per cent. In local government, which can have limited IT resources, only 28 per cent managed to avoid encryption, while healthcare (28 per cent) and oil and energy (25 per cent) also struggled.

The threat landscape for ransomware is changing. At one end of the spectrum there are unskilled criminals using off-the-peg ransomware-as-a-service (RaaS) software, such as Dharma, in a spray-and-pray approach. At the other end there are advanced, targeted and manually orchestrated attacks that involve innovative tactics, techniques and procedures as well as tools that are often also used by IT administrators and security professionals for everyday tasks. These advanced attacks involve the highest ransom demands, often running into millions of dollars. In addition, such attacks can combine encryption with the theft of data, which the attackers then threaten to make public unless a ransom is paid.

Some adversaries are skipping the data encryption stage altogether and are simply demanding a ransom to delete, or agree not to publish, the stolen data. A small but significant 7 per cent of respondents to the global survey had experienced such attacks – double the 3 per cent affected in 2019. Anecdotal evidence suggests that central government and retail organisations may be particularly vulnerable to this kind of approach.


Does it pay to pay a ransom? The universal answer is no, but not everyone feels they have a choice. If you don’t have up-to-date offline backups, a decryption key provided by the attackers may be the only way of getting your data back. But it is rarely that simple. The survey found that of the organisations that pay a ransom, fewer than one in ten (8 per cent) get all their data back, while 29 per cent recovered no more than half.

Chester Wisniewski, principal research scientist at Sophos, says: “This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low-quality or hastily compiled code and techniques make data recovery difficult.”

Some attackers remain in the victim’s network after launching the ransomware, to see if the attack succeeded, but also so that they can threaten a repeat attack if the victim doesn’t pay. Identifying and removing any trace of the intruders is vital to prevent this from happening.

What did the survey respondents expect from ransomware in the future? Of the 62 per cent of organisations that had not been hit by ransomware in the past year, nearly three-quarters expect to be targeted at some point. Around half of them (47 per cent) said this was because of the increased sophistication of attacks. The good news is that 6 per cent of those that had escaped attack – and felt they were unlikely to be a target in the future – said this was down to the expertise of their IT teams. 

Jonathan Lee is public sector director UKI at Sophos.