Ransomware in 2021
Sophos has published a study of ransomware attacks among hundreds of medium-sized organizations in the retail sector. So that you don’t have to read all 21 pages, we have summarized the important things that everyone should know.
What is a ransomware attack?
Popular among hackers and involved in 22% of all cyberattacks, a ransomware attack begins with the installation of malicious software. This malware is designed to lock our data and hold it “captive” until the hacker’s demands are fulfilled. The malware can encrypt the information or lock our device, thus preventing us from accessing it.
After the demands are met, usually in the form of a cryptocurrency payment, the victim has only the attacker’s promise to rely on.
Types of ransomware
Encryption – This type of malware locates files that seem important to the user: texts, documents, images, PDFs and more. It encrypts the information, thus preventing access to it. When the victim is an individual, the ransom usually amounts to several hundred dollars, and the demand sets a deadline of up to 72 hours for transferring the payment; otherwise, the data is permanently deleted.
Lock – The user is locked out of the device, and the ransom message appears on the screen.
Scareware – Perhaps the most cynical of them all, this attack mimics software that scans for security issues, such as antivirus products, and alerts us to critical findings. The error messages that claim to detect faults mimic legitimate antivirus software and give the impression of a reliable source by providing the IP address and geographic location information, or by using the names of reputable and trusted companies. Afterward, access is denied until the victim allows the malware to repair these issues, for an additional fee.
DoxWare – Ransomware that threatens to leak victims’ data to sites on the Dark Web. The attacker might sell this information or leak it to sites for free.
Who is SOPHOS?
Sophos is a British-based security software and hardware company that develops products for communication endpoints, encryption, network security, email security, mobile security and unified threat management. Sophos is one of the leading companies in the supply of managed EDR systems, with firewalls that prevent ransomware from expanding into the corporate network by advanced learning techniques and responses based on analysis. Intercept X uses CryptoGuard technology that stops unauthorized encryption of files by viruses.
Ransomware state – 2021 research
5,600 IT people in medium to large organizations (100-5,000 employees) from 31 countries in the retail industry participated in Sophos’ annual study. The survey was conducted in January and February of 2022, and participants were asked to answer based on their annual experience in 2021.
Complexity, frequency, and impact of ransomware attacks
66% of organizations in the study were affected by ransomware in 2021, an increase from 37% in 2020.
The sharp increase proves that hackers have adopted more sophisticated capabilities to carry out significant ransomware attacks.
It also reflects the growing success of the Ransomware-as-a-Service model which significantly extends the reach of ransomware by reducing the level of skill required to deploy an attack. This model essentially allows users who have purchased a subscription to use ransomware tools for their own use, and the investors in the development of the software receive a percentage of each ransom paid. Like the SaaS users, the RaaS users do not need to have any knowledge or experience to take advantage of the capabilities of this tool.
In 2021, attackers succeeded in encrypting data in 65% of attacks, an increase from the 54% encryption rate reported in 2020.
57% experienced an increase in the volume of cyber attacks overall, 59% saw the complexity of attacks increase, and 53% said the impact of attacks increased.
72% saw an increase in at least one of these criteria.
Backups are the number 1 method used to restore data – 73% of the organizations in the survey used this method to restore encrypted data.
Cost of Ransomware attacks
Along with using data backup, 46% reported paying a ransom for data recovery – reflecting the fact that many organizations are using multiple recovery approaches to maximize the speed and efficiency with which they can get back up and running.
The payment of the ransom almost always ends with the recovery of the data, but not in its entirety.
On average, organizations that paid received 61% of their data back, down from 65% in 2020.
Similarly, only 4% of organizations that paid the ransom received all of their data in 2021, down from 8% in 2020.
965 of the organizations that paid a ransom revealed the exact amount to Sophos, and this paints a worrying picture – average ransom payments have increased considerably over the past year.
In the past year, there has been an almost 3-fold increase in the proportion of victims who paid a ransom of one million dollars or more: an increase from 4% in 2020 to 11% in 2021.
Simultaneously, the percentage of those paying less than $10,000 dropped from 34% in 2020 to one in five (21%) in 2021.
Overall, the average ransom payment reached $812,360, a 4.8-fold increase from the 2020 average of $170,000 (based on 282 respondents).
The average cost to pay for a ransomware attack has increased by 4.8 times from 2020.
Ransom attacks by industry
There are considerable variations between industries, and hackers manage to extract a higher payment from some organizations.
The highest average ransom payments were $2.04 million in the manufacturing industry and $2.03 million in energy, oil/gas, and utilities.
The lowest average extortion payments were $197K in healthcare and $214K in state/local government.
Ransom attacks by industry – the media, leisure, and entertainment industry was hit the most, followed by real estate, and in third place was the energy and gas industry.
Ransom attacks by country
In Italy, where extortion payments are illegal, meaning organizations are legally prohibited from paying, 43% of organizations hit by ransomware have admitted paying. The study proves that legislative barriers alone are not effective in stopping ransom payments.
Ransom attacks by country – Austria is the country most affected by ransomware attacks in 2021, followed by Australia and, in third place, Malaysia. Israel is in 17th place, with 66% of organizations in Israel affected by ransomware.
Effects of a ransomware attack
90% of those hit by ransomware in the past year said the most significant attack affected their ability to operate.
Furthermore, among private sector organizations, 86% said it resulted in lost business/revenue.
Overall, the average cost to fix the impact of a ransomware attack in 2021 was $1.4 million, a decrease from $1.85 million in 2020, which is likely due to the fact that organizations are less afraid of the impact on their reputation, in light of the increase in high-profile cases.
Another explanation of this is that the insurance providers of these organizations are able to guide the victims quickly and efficiently in response to an event, reducing the costs. It is worth noting that in many cases where the ransom is paid, the insurance, and not the victim, pays the bill.
On average, organizations that suffered attacks in the past year needed one month to recover from the most significant attack – a long time for most companies.
The slowest recovery was reported by higher education and central/federal government, with two in five taking more than a month to recover.
Conversely, the sectors that recovered the fastest were manufacturing (only 10% took more than a month) and financial services (only 12%), apparently as a result of planning and preparation.
Protection against Ransomware
In order not to fall victim to this brutal attack, we must adopt security procedures that prevent the download of a ransomware virus onto our devices and incorporate advanced protection systems which detect these attacks. In the case of an organization or business, those responsible for the organization’s information security, such as the CISO, must ensure the implementation of these procedures and the integration of security systems such as:
- Purchase a reliable antivirus
- Choose passwords – Choose strong passwords with uppercase and lowercase letters, numbers, and special characters. And perhaps most importantly, do not reuse the same password for all your accounts.
- Restrict user access and deny login
In order not to fall victim to a virus attack, we must employ safety procedures that prevent the download of a ransomware virus to our personal device, and integrate advanced protection systems that detect these viruses and attacks. If it is an organization or business, the officials responsible for the organization’s information security, such as the CISO, must ensure the implementation of these procedures and the integration of security systems such as: