Successful ransomware attacks at record levels: How to avoid becoming a victim in the first place
by Tina Siering
The threat from ransomware is at a permanently high level. According to a forecast by Cybersecurity Ventures, companies must expect to become victims of ransomware every eleven seconds - and the trend is rising. At the same time, cybercriminals are becoming increasingly cunning and aggressive, extorting their victims in multiple ways and even paralyzing parts of public life and critical infrastructure with attacks on supermarkets, gasoline pipelines, municipalities or hospitals. The direct consequences for the affected companies and organizations can be existentially threatening.
Two-thirds of German companies affected by ransomware
The fact that German companies are now also virtually in a "ransomware minefield" is confirmed by the current study "State of Ransomware 2022" by the British security software manufacturer Sophos. According to the study, not only did the number of ransomware attacks in Germany increase dramatically in 2021, but also the amount of ransom paid.
We have summarized the most important results of the study for you:
Significant increase in ransomware attacks
67% of the German companies surveyed (66% globally) were victims of a ransomware attack in 2021 - that's 21% more than the year before.
Significant increase in the amount of ransom paid
The average ransom paid in Germany in 2021 was €253,160, almost double the amount paid in 2020. As many as 9% of German companies (11% globally) paid a ransom of at least €925,789 (i.e., $1 million) - no company did so the year before. By contrast, only 13% of the companies affected got away with paying less than €9,257 (i.e., $10,000).
Increased willingness to pay ransom
Although security experts repeatedly strongly advise against giving in to the extortionists' demands, 42% of German companies (46% worldwide) were prepared to pay the ransom in 2021.
Significant financial consequences of a ransomware attack
In 2021, German companies spent an average of €1,601,615 to recover their data (US$1.4 million or €1,296,105 globally) and took one month to repair all consequential damage. A reduced ability to operate was experienced by 92% of affected German companies (90% globally), while business and/or financial losses were experienced by as many as 84%.
Cyber insurance does not cover all costs
80% of German companies surveyed (83% globally) said they had cyber insurance that covered ransomware attacks. While insurers paid some or all of the costs incurred in 98% of the incidents in Germany, they covered the entire ransom in only 41% of incidents. Most new policyholders also perceive that insurance prices and conditions have changed to their disadvantage over the past twelve months.
The fact that ransomware poses the greatest threat to your cybersecurity is also evidenced by the BSI Situation Report 2021, which showed a significant increase in ransomware attacks and variants during the reporting period. Compared to the Situation Report 2020, the number of newly registered malware variants increased by 22% to 144 million. The situation is now "tense to critical".
The triumph of ransomware: How has it got this far?
With all these findings, the question arises: How were cybercriminals able to write such a great success story with ransomware in the first place? Without a doubt, cryptocurrencies have played a central role in the sharp increase in ransomware attacks. After all, Bitcoin and the like made it possible for attackers to process ransom payments without complication - anonymously, untraceably and across borders. Ransomware 1.0 was born.
This first generation of ransomware was still content with merely encrypting production data. But the success of the method did not last: companies used backup systems that enabled them to quickly restore their data themselves in the event of an attack, leaving the blackmailers empty-handed. The cybercriminals' response was not long in coming: soon, backup data and systems also became the target of ransomware attacks. This was the birth of Ransomware 2.0.
Today, cybercriminals take a multi-stage approach in their attack chains and are developing increasingly sophisticated strategies. After they have encrypted the data, they put their victims under pressure with further blackmail, for example. What is known in the private sector as outsourcing, namely a division of labor in which individual components of a task are handed off, is also becoming increasingly popular among cybercriminals. In this cybercrime-as-a-service model, hacker groups specializing in certain techniques take on parts of a complex cyberattack as contract work, while other groups publish stolen data on specially set up leak sites. The leaked data, in turn, can be conveniently purchased by further attackers and used for new cyberattacks.
Selling sensitive data represents the next stage in the attackers' strategy and leads to the emergence of Ransomware 3.0; data exfiltration again takes the threat to a new level.
Faced with such cunning tactics, it is not surprising that many victims see no other way out than to pay the high ransom demands. Our recommendation in this context: never pay the demanded ransom - because by doing so, you give the hackers exactly what they want. And you will certainly become a target of this form of cyberattack again in the near future.
Forewarned is forearmed: How to proactively protect your company
One thing you should always keep in mind: Compared to the financial damage you may face from ransom payments, business downtime and recovery efforts, the expense of a good security solution is more manageable. Since a ransomware attack takes place on average over months in several phases and the encryption is only executed at the end of the three-stage kill chain (endgame phase), established security solutions such as firewalls and virus protection are simply insufficient on their own.
Effective protection against extortion Trojans can only be provided by an early attack detection system - for example, Allgeier secion's Active Cyber Defense (ACD) service. The threat-hunting and incident-response software proactively and continuously scans all activities within the network for anomalies, thus uncovering a compromise at an early stage. This gives you enough time to avert the actual attack or limit the damage. Network monitoring is not limited to servers and workstations, but also includes printers, smartphones and IoT devices.
The following tips to protect against ransomware attacks should also be taken to heart:
- Perform backups on an ongoing basis and divide your network into multiple subnetworks.
- Set up effective multi-factor authentication for all employees in your organization.
- Make your employees aware of ransomware with training, manuals and action catalogs.
Ransomware is one of the most dangerous forms of cybercrime. Due to the enormous pressure that cybercriminals exert on their victims these days with multi-layered attacks, more and more companies find themselves forced to pay the high ransom demands. Not to mention the horrendous follow-up costs, which are often in the millions. Don't let it get to the point where you are faced with the question: Pay the ransom or not? Actively prevent such attacks: cybercriminals frequently remain undetected in the network for weeks and months, so use that time to actively detect conspicuous behavior. Time is the critical factor in the detection and successful elimination of cyber threats like ransomware.
The great success of ransomware is not only due to the attackers' clever extortion strategies, but also to the use of inadequate security solutions. For effective protection against ransomware, you should rely on solutions for early attacker detection. Allgeier secion's ACD service offers such an early warning system, which operates preventive security monitoring and immediately identifies anomalies in your network. Only if you can react quickly will you manage to stay one decisive step ahead of the attacker!