Huge toll of ransomware attacks revealed in Sophos report

Ransomware might be a dreadful enterprise, but nobody could accuse the criminals behind these attacks of being weak on customer service.

They’re always easy to communicate with – just email the address on the screen. And while it’s true they don’t offer many payment options, the one they do, Bitcoin, is fast and reliable to transact in.

Best of all, according to The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos, organisations that decide to pay to get their data back, do so in an efficient 94% of cases.

What’s the catch? Only greater expense in the long run, major business disruption, the possibility of ongoing regulatory oversight for years, and the small matter of public humiliation and lost business should an attack come to light (which increasingly it does thanks to the attackers).

The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.

That’s a healthy sample size, whose results underline one of the most interesting facts about ransomware that can get lost in the headlines – it now affects anyone, anywhere.

It doesn’t seem to matter how big an organisation is, nor which sector or country you look at. Ransomware is ubiquitous, with half of organisations in the research having experienced an attack during 2019, three quarters of which had their data encrypted.

Ironically, this is despite organisations tightening security to reduce trivial attacks.

How did ransomware respond? By spending more time targeting companies by researching less obvious weaknesses, looking to exploit several at the same time.

Overall, the research found that while a malicious file download or link was still the biggest danger (29% of successful attacks), other methods such as remote attacks on servers (21%), unsecured Remote Desktop Protocol (9%), external suppliers (9%), and infected USB drives (7%) were also popular.

Cloud repositories and applications are another big target, with 59% of those successfully attacked mentioning that cloud data was targeted in some form.

Only one in four victims decides to pay the ransom, which is most often done by a cyber-insurance company rather than the victim. However, only around two thirds of US victims find they can claim on insurance, with 20% of organisations paying for coverage they end up being unable to activate.

Don’t pay ransoms

Importantly, research found that paying ransoms costs more than reinstating data using backups.

Some might doubt that – downtime is often said to be the most expensive part of a ransomware attack – but the reason is simply that the cost of recovery is always high at an average of $732,000.  Paying the ransom on top of that simply doubles the bill.

Now you can see why ransomware attacks almost always send back encryption keys when paid – any doubt in the mind of victims would quickly destroy the whole extortion racket as companies knuckled down to do the hard work themselves.

Anxiety over this might explain why more and more ransomware attackers have recently started threatening to leak sensitive data stolen during attack as a an extra inventive to pay up.

What to do

Far from being a counsel of despair, it’s clear that organisations can limit the effect of ransomware attacks by assuming an attack is inevitable and planning for it.

Our advice:

  • Make and test a backup plan, including storing data offsite where attackers can’t locate it.
  • If you’re buying cyber-insurance, make sure it covers ransomware.
  • Don’t forget to protect data in the cloud as well as central data.
  • Use dedicated anti-ransomware protection. Twenty-four percent of survey respondents that were hit by ransomware were able to stop the attack before the data could be encrypted.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Pick strong passwords and use multi-factor authentication as often as possible. And don’t re-use passwords, ever.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.

It’s also worth reading Naked Security’s advice on common mistakes that make ransomware easier to pull off from the attacker’s point of view. For more detailed advice, please check out our end of ransomware page.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.