Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Victims: 94% of Those Who Pay the Ransom Get the Data Back

May 14, 2020

Naked Security reported on May 12 that The State of Ransomware 2020 report commissioned by Sophos has been released. The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.

Notably, organizations that decide to pay get their data back in 94% of cases. Even though they get the data back, they face greater expense in the long run, major business disruption, the possibility of ongoing regulatory oversight for years, and public humiliation and lost business if the attack comes to light, which it often does.

Half of organizations in the survey experienced an attack during 2019, three quarters of which had their data encrypted.

Overall, the research found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular.

Cloud repositories and applications are another big target, with 59% of those successfully attacked mentioning that cloud data was targeted in some form.

Only one in four victims decides to pay the ransom, which is most often done by a cyber-insurance company rather than the victim. However, only around two thirds of US victims find they can file an insurance claim, with 20% of organizations paying for coverage they end up being unable to rely on.

Research found that paying ransoms costs more than reinstating data using backups. Not sure that's true. Downtime is often said to be the most expensive part of a ransomware attack – but the reason is that the cost of recovery is always high at an average of $732,000. Paying the ransom on top of that simply doubles the bill.

So once again, the thieves demonstrate honor by sending back encryption keys when paid – to do otherwise would undermine their business model. More and more ransomware attackers have recently started threatening to leak sensitive data stolen during an attack as an extra incentive to pay up.

The article offers this advice:

  • Make and test a backup plan, including storing data offsite where attackers can't locate it.
  • If you're buying cyber-insurance, make sure it covers ransomware.
  • Don't forget to protect data in the cloud as well as central data.
  • Use dedicated anti-ransomware protection. Twenty-four percent of survey respondents that were hit by ransomware were able to stop the attack before the data could be encrypted.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don't need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Pick strong passwords and use multi-factor authentication as often as possible. And don't re-use passwords, ever.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.

Good advice and fascinating stats. Remarkable how high the ransoms are these days. Make sure your entity thoroughly vets the steps it has taken to prevent contracting ransomware!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson