Ransomware experts urge victims not to pay, but are they listening?
The number of attacks from, and payouts to, ransomware extortionists continues to rise even though only 20% of respondents say giving in to demands is the best course, Menlo Security finds.
There's a growing reluctance to pay ransomware demands, Menlo Security found in an online poll, but that reluctance may not reflect what victims actually do when hit by an attack. Respondents overwhelmingly agreed that ransoms shouldn't be paid, with 79% saying so, while 20% said paying ransoms is the best way out. Sixty-nine percent said they'd like to see prison time for ransomware perpetrators, and 60% said the scheme should be treated the same as terrorist attacks.
Opinions like these are all well and good, but Menlo Security pointed out that data from Cybersecurity Ventures shows 2021 ransomware losses are expected to exceed $20 billion, rising to $265 billion by 2031. Menlo Security also cited data from The Beazley Group, which said that ransomware attacks increased by more than 130% in 2020. Factor in recent high-profile and high-dollar payouts from the Colonial Pipeline ransomware attack and similar incidents and you have a clear signal to cybercriminals: Ransomware works.
“Ransomware isn’t going away any time soon and with the rise of ransomware as a service it’s an increasingly easy way for cyber criminals to launch a profitable attack,” said Mark Guntrip, Menlo Security senior director of cybersecurity strategy. “If companies continue to pay ransom demands, then these criminal groups will continue to see the technique as an easy way to make massive monetary gains.”
Catching ransomware actors would be a way to slow them down, and with only 16% of survey respondents saying they think attackers will never be caught, there seems to be some consensus that cybercriminals aren't immune. Not so, said Guntrip: "Given the location of the groups that have carried out ransomware attacks and the tools that they use, it is highly unlikely that they would be caught."
Law enforcement is getting better at tracking ransomware actors, but Guntrip said that identifying those responsible is still next to impossible without inside intelligence and the assistance of the country where the attackers reside. In other words, don't count on fear of prosecution to stop the growing ransomware threat, which Guntrip said will likely increase in frequency, with more groups getting into the game because of perceived easy profitability versus low risk.
What, then, is an organization that falls prey to ransomware and has no intention of paying to do? Guntrip warns that once an attack has already happened, it may be too late. "If an organization doesn't have [safe backups and a recovery plan] in place before a successful ransomware attack then the options to recover are limited. A company can either pay the ransom and hope that their data is actually restored, or wipe everything and start again," Guntrip said, noting that depending on the size of the business and the size of the ransom, an attack that wasn't prepared for could spell the end of a business.
Businesses that are resilient in the face of a ransomware attack are ones that follow several rules. Because ransomware often relies on tricking someone into opening a malicious file or visiting a harmful website, “The best way to try and avoid a successful attack is to prevent the threat from getting to the intended victim,” he said.
Don't rely on reactive security technology, which has shown time and again that it isn't effective against ransomware attacks. Guntrip recommends a proactive security approach that limits access and only permits users to reach the portions of a network they absolutely need to be in, such as zero-trust security.
There is a catch, though: Zero trust can often require more of users, and anything that impacts their day-to-day is ripe for circumvention. “While the proactive approach is more effective for security, it needs to be implemented in a way where security is invisible to end users. It cannot impact their work day, their processes or block them from content they need to access,” Guntrip said.