Ransomware in 2020: what, why, and whether to pay?
The cyber security landscape is continually evolving and cyber attacks are increasing in sophistication. Nevertheless, tried and tested threats are never too far from threat actors’ toolkits.
About the author
Adenike Cosgrove is the Cybersecurity Strategist for international markets at Proofpoint.
One of these attack methods – phishing – is practically ancient in digital years, yet it remains as popular as ever. In fact, Proofpoint’s State of the Phish report 2020 found that over half of organisations encountered at least one successful phishing attack last year, illustrating that it is still very much part of the cybercriminal’s arsenal.
In 2019, attackers’ modus operandi remained varied:
- 88% of organisations worldwide reported spear-phishing attacks
- 86% reported BEC attacks
- 86% reported social media attacks
- 84% reported SMS/text phishing (smishing)
- 83% reported voice phishing (vishing)
- 81% reported malicious USB drops
Whatever the method of attack, however, a familiar payload was delivered time and time again: ransomware. In fact, 65% of global organisations reported a ransomware infection last year.
Phishing-driven ransomware attacks increased notably in 2019, thanks in part to the popular ransomware-as-a-service (RaaS) offering GandCrab, which is estimated to have generated over $2bn in ransom payments.
That these ‘traditional’ methods of attack still see success should be met with much concern within the cybersecurity industry. Why, when our collective eyes are very much open to these tactics and aware of the proven consequences, do they continue to cause such damage?
A surprising lack of understanding about aspects of internet security may be the answer, both in how to defend against an attack and in what to do when one occurs.
How much do we really know about ransomware?
When it comes to end-users, the answer to this question may come as a surprise: very little. Across the board, recognition of common cybersecurity terms is worryingly low.
In fact, out of the 3,500 workers surveyed across seven countries, just 31% correctly understood the definition of ransomware. This figure is even lower among the younger generation. Just 28% of those aged between 18 and 22 understood the term, along with 24% aged 23 to 38, 33% aged 39 to 54, and 43% aged 55+.
This potential language barrier poses a significant challenge when it comes to educating end-users on how to spot and defend against such common threats. It is important for users to know and understand the differences between different types of malware.
The security of our organisations depends on end-users to make good decisions. They are often the last line of defense between a successful ransomware attempt and a successful ransomware infection. That so many are unfamiliar with what can be considered a relatively basic term is something of an eye-opener.
Clearly, cybersecurity teams cannot afford to hold any assumptions. Cybersecurity training and education for staff must be regular and comprehensive, covering not just the latest threat du jour but also topics such as ransomware, where an element of prior knowledge may previously have been assumed.
To pay or not to pay?
Unfortunately, this lack of understanding around ransomware doesn’t end with how to spot an attack. There is just as much confusion about what to do if and when an attack is successful.
Governments and law enforcement often issue conflicting advice. While acknowledging that the final decision lies with the victim, the UK’s National Crime Agency (NCA) encourages organisations not to pay ransoms.
This is also now the official advice of the FBI. However, speaking at a recent Cyber Security Summit, Assistant Special Agent Joseph Bonavolonta revealed that the FBI did, in some cases, advise organisations to pay up. The thinking is that cybercriminals would not jeopardize a lucrative business model by cheating victims once a ransom is paid.
That being said, any decision to pay a ransom lies ultimately with the victim. There is a school of thought that opting to pay a ransom is a business decision like any other: it should be made having weighed up every possible option and assessed the risk against the reward.
For service-critical organisations such as hospitals and local government, for example, paying a ransom may appear to be the fastest and most effective solution. However, this solution depends on cybercriminals staying true to their word. And as many businesses found out to their cost last year, this is rarely the case.
Of the organisations infected with ransomware in 2019, 33% opted to pay a ransom. Fortunes were mixed. Over two-thirds (69%) regained access to data and systems after payment. Of the rest, 22% did not regain access, 7% were hit with additional ransom demands and did not regain access, and 2% paid additional ransoms before regaining access to data and systems.
Fighting ransomware – before, during and after
Just as tried and tested attacks continue to see success, so too do tried and tested defenses – when implemented effectively. As always, prevention is far better than cure.
A broad and deep cybersecurity defense is vital. And this starts with education and training at every level. The aim is not to create teams of end-users who can quote the dictionary definition of ransomware but to build a culture where cybersecurity is always front of mind.
This means comprehensive and continued training that goes well beyond how to spot an attack.
Employees must understand the motives behind a ransomware attack, what to do if they suspect one, how their behavior can impact success rates, and how to recover should the attack become an infection.
When it comes to the thorny issue of ransoms, there is no simple answer.
Before making any decision, exhaust all other options, consult with cybersecurity professionals, restore backups, and know that paying a ransom is not a silver bullet. Despite the idiom to the contrary, there is very little honor among thieves.