Ransomware has been headline news in 2021, highlighted by the Colonial Pipeline hack and underlined by scores of other attacks.
Data on ransomware infections varies, with multiple estimates suggesting the majority of organizations worldwide have been affected. Even more conservative measurements point to a widespread security problem. A recently published survey conducted by IDC found nearly one-third (31 percent) of organizations globally have been hit by ransomware in the previous 12 months. (IDC found a far lower rate among U.S.-based companies.)
Such data points also tend to indicate that ransomware attacks are increasing. According to research group Statista, the percentage of organizations globally that have been impacted by ransomware has grown steadily each year from 2018 through 2021.
By any measure, ransomware is a real – and potentially expensive – problem. And the reason it exists is fundamentally simple. “Ransomware is in the news a lot these days,” says Gordon Haff, technology evangelist at Red Hat. “But at the end of the day, it’s just another way of monetizing attacks on IT systems.”
5 facts about ransomware
That’s the first basic truth any IT or business leader should know about ransomware: Attackers use a variety of techniques to infect and encrypt an organization’s systems and data. The name tells you what’s next: They hold those systems and data ransom, demanding payment in exchange for restoring access.
Ransomware is disruptive. The Colonial Pipeline attack illustrates that point well. It’s also lucrative for attackers and costly for the victims – Colonial initially paid around $5 million to its attackers, according to multiple news reports, and some of that money was later recovered by law enforcement authorities.
Let’s expand on that point and several other facts about ransomware that both IT executives and business leaders need to understand, especially in the context of a growing problem.
1. Ransomware is prevalent because it works
Ransomware wouldn’t exist if it was ineffective.
In fact, ransomware works very well. The truly eye-opening stat in IDC’s survey has nothing to do with infection rates but with payment rates: 87 percent of companies victimized by ransomware in the past 12 months paid the ransom, according to the research firm.
The average ransom payment was approximately $250,000 among that survey sample, though IDC notes that the number was driven higher by a few large payments of more than $1 million.
The financial impacts are most staggering when viewed in the aggregate: Cybersecurity Ventures has previously predicted that global ransomware damages would reach $20 billion in 2021, up from $325 million in 2015.
IDC also found that it wasn’t uncommon for organizations that have been breached to be attacked – and to have systems and/or data held ransom – multiple times. (This suggests that cybercriminals will gladly hit the same target again and again until it no longer pays off.)
Haff and other experts point out that cryptocurrencies have enabled attackers to more successfully collect payments – an overlapping trend that has made ransomware more effective.
“Ransomware has become more popular since 2010, when companies and individuals started using Bitcoin and other new cryptocurrencies,” says Amit Bareket, CEO and co-founder of Perimeter 81. “With these cryptocurrencies, it is much easier for hackers to actually collect money from their targets.”
2. Ransomware can affect any organization
These kinds of numbers unfortunately mean that ransomware has become a big business. This reveals another truth: You can’t write off ransomware as an overly hyped threat. It can affect virtually any organization, regardless of its size or industry. And beyond the actual ransom, there’s the collateral damage to consider, including to reputation and trust. This isn’t how you want to make the news.
“Ransomware is one of the fastest-growing threats in cybersecurity,” Bareket says. “We’ve seen many new industries being targeted by ransomware throughout the pandemic, including healthcare, real estate, and law. Government and critical infrastructure are always relevant targets as well.”
Don’t make the mistake of thinking that you’re too small or too big to become a victim. Nor should you be overconfident in your security posture: As with other threats, it’s an evolving landscape that requires continuous review and adjustment.
“Ransomware attacks are increasing,” says Asher de Metz, security consulting senior manager at Sungard AS. “It’s no longer a question of if you’ll be targeted by a hacker, but when you’ll be hit.”
3. You're only as strong as your weakest link
Let’s shift to the facts about attack tactics and prevention. With the former, many methods should sound familiar.
“Ransomware attacks all the usual weak spots in an IT infrastructure, including poor or untested backup procedures, unpatched software – including those related to lack of scanning of containers and other elements of the software supply chain – and user error,” Haff says.
As with many other forms of malware and other security threats, attackers often look for the soft spots in your organization, such as a legacy VPN that does not have multi-factor authentication (MFA) set up.
This is a general pattern in IT security: Gain access via a single entry point and wreak havoc from there. Basic security hygiene is anything but basic – it’s a critical foundation for managing risks.
“Depending on your network layout and patching posture, it only takes one instance of ransomware to potentially impact other machines on your network,” says Brian Wilson, CISO at SAS. “Applying OS and third-party patches or documented workarounds in a timely manner can help prevent the spread of malicious payloads throughout your network.”
This is an underlying problem with security holes. Many organizations don’t know they exist until they’re exploited.
“Organizations should perform a security gap analysis to see where they are most vulnerable to an attack,” de Metz says. “Communicating with executives from other areas of the business can show just how vulnerable the organization really is and can really help with implementing the necessary security strategies and planning.”
4. Ransomware attacks often start with phishing
Phishing scams don’t quite generate the same headline attention as ransomware. “Ransomware” sounds bigger and scarier; phishing has been around so long as to seem boring by comparison.
There’s an important link between the two. As Haff points out, user error is one of the key causes of infection. As a result, phishing is often the initial entry point for eventual ransomware infection. Security pros generally agree that email and other vectors for scam links are among the tried-and-true tools for ransomware delivery.
“Many ransomware attacks are generated from phishing attacks, which occur when employees open unfamiliar or deceptive emails and click on malicious links,” Bareket says.
Back to that point about basic security hygiene: Phishing is as “basic” as it gets, but it’s as widespread as ever. Make sure you’re not sleeping on this major vector.
“Email is the most common vector of compromise, where an unwitting employee clicks a malicious attachment or download link,” Wilson says. “Additional technologies are needed that can perform attachment sandboxing and URL-rewriting – both for blocking known bad sites and keeping track of who clicked what.”
Now, let's explore four essential strategies for minimizing your risk: