Cybersecurity benchmark survey: ransomware biggest threat factor

Ransomware is a special form of cybercrime. The word says it all: hostage-taking. The cybersecurity benchmark survey conducted by Conscia in collaboration with commercial market research firm The Blue Hour shows that ransomware is considered the biggest threat (82%).

Meanwhile, multiple studies on ransomware show the figures for 2021. Conclusion: the amount of ransom demanded continues to rise, as do the payments made. Does this mean organisations are at the mercy of ransomware 'gangs'? Certainly not! Even if we don't see them, a lot of valuable information is collectively gathered and shared about the tactics and techniques used by these 'gangs'.

For instance, we know that 35 new ransomware 'gangs' were added in 2021. [1] Some groups go by misleading names like Hello Kitty and Robinhood. In short, they are groups of criminals who have found a lucrative business in ransomware. So 'successful', in fact, that Ransomware as a Service (RaaS) is being offered by criminals to criminals. Their activities are only expected to increase in the coming years.

Facts and figures at a glance

This growth was already noticeable last year. The number of victims rose by 85%, with the Americas being the biggest target at 60%, followed by EMEA with 31% and Asia Pacific with 9%. The amount of ransom demanded also increased by 144% to $2.2 million. The amount finally paid averaged around $500,000, 78% higher than in 2020. [1] Of organisations affected by ransomware, 58% proceed to pay, and 14% pay more than once. 41% recovered from the attack within a month, 61% within three months.

According to Maarten Werff, Solution Consultant Cybersecurity at Conscia, the fact that the ransom is often paid is an eye-opener. "It is an increasingly mature industry and often they perform a double attack. So first they encrypt data so it is unavailable. If you don't pay quickly enough, they bring out the stolen data - such as personal data. The business impact then is not only crippling the organisation, but also image damage."

Method unravelling

The structure of a ransomware attack is often the same. After gaining entry, usually via a phishing attack, the attackers remain silent for a while before moving laterally. Not surprisingly, the majority (67%) of respondents to the benchmark survey say they do not know how many days it takes for an attack to be noticed. It is in the attackers' interest to stay in as long as possible, to steal as much as possible.

Once the attack is revealed, it is often clear which 'gang' one is dealing with. Usually, the criminal organisation has a service desk (strange but true!). However, that is not the only thing that reveals the identity of the ransomware group. Worldwide, knowledge and information are shared about these 'gangs' and about the tactics and techniques they use. Conscia also shares in this through the MITRE ATT&CK framework. Knowledge is power, and it ensures that attacked organisations can resist even though the criminals are already inside. Even though organisations usually do not make it public that they have paid (for fear of more attacks and reputational damage), it can still help fight cybercrime to do so. According to Werff, there are certainly cases where this has been done. "Very brave and very instructive for other experts!"

Defence-in-Depth

100% protection against ransomware-related malware is not realistic, which is why we recommend adopting a "defence-in-depth" approach. This means applying layered security from different angles, from implementing technical measures to creating policies and procedures. By taking this approach, you have a better chance of detecting and stopping malware before it does damage to your organisation.

The starting point in the defence-in-depth approach is "assume breach", where you assume that any security mechanism will eventually be breached. But instead of throwing in the towel, you can take steps to mitigate the impact by applying strong detection that allows you to speed up incident response time. However, these detective and responsive measures require knowledge, time and expertise from IT/Security staff. We therefore see many organisations (partially) outsource these detection and response activities to a managed security provider. In this way, the IT security team can focus on strengthening cyber resilience and ensure better alignment with the organisation's objectives. It is important to remember that cybersecurity is an ongoing process that needs to be constantly evaluated and adapted to keep up with the ever-changing threat landscape.

Source: Conscia