In today’s digital landscape, ransomware has become a significant and persistent threat for organisations.
No longer an emerging risk, ransomware has been a well-established concern for many companies for some time. In 2021, for example, a Gartner survey ranked ransomware as the top threat on the minds of business leaders.
However, despite widespread awareness of the challenge, the problem of ransomware has not diminished but grown.
Many ransomware groups now operate like businesses. They run highly organised operations complete with structured revenue models, marketing strategies and recruitment efforts, and those efforts are proving lucrative. Just last year, for instance, one report estimated that the ransomware group ‘Black Basta’ had taken in around $107 million in the short time since it first emerged in early 2022.
On top of this, there is an entire marketplace for ransomware-as-a-service (RaaS). Black markets for ransomware tooling mean even those with minimal technical skill can launch attacks: by buying malware, encryption or distribution tools from different providers, a basic attacker can assemble and run a ransomware campaign. This lowers the barrier to entry for cybercrime even further.
Ransomware is rampant
There is no reason to expect ransomware to stop being a major threat anytime soon.
Once individuals have crossed the moral threshold of engaging in criminal behaviour, little else deters them from continuing with ransomware activity. Two factors could dissuade them: a high chance of getting caught or a low financial reward. Neither is presently a significant concern for ransomware actors.
Indeed, many major ransomware groups are state sponsored. Some governments actively encourage them to target companies or critical infrastructure in rival nations. This backing significantly reduces the likelihood of arrest, and as a result these threat actors often operate with a degree of impunity in their home countries.
Further, it’s not all that hard for ransomware organisations to continue to find targets and extract value, as Semperis’ 2024 Ransomware Risk Report shows.
The survey of almost 1,000 IT and security leaders highlights that ransomware is a reality for many companies. The majority (83%) of responding organisations had been targeted by ransomware in the past 12 months, and of those, 74% were attacked multiple times.
The report also shows that, in most cases, firms are not prepared to combat ransomware demands. Over three-quarters (78%) of targeted organisations paid a ransom at least once.
Patch management isn’t currently taking priority
These figures might seem surprising. Shocking, even. Nonetheless, they are a reflection of how much the ransomware threat has evolved as firms have failed to respond.
Today, there are several critical aspects of security that are not always adequately prioritised. Patch management is one of them.
It’s easy to dismiss the pop-up prompting you to install an important Windows update, especially when you’re in the middle of something with a tight deadline. Dismissing it and moving on, however, carries real risk.
With ransomware attacks becoming more pervasive and opportunistic, this mindset needs to change. According to a report from Deloitte, ransomware groups are increasingly leveraging zero-day exploits to target systems, and over a third of ransomware victims are now breached this way. A patch cannot stop an exploit that precedes it, but once the vendor fix ships, every day it goes uninstalled leaves the same hole open to every group that has since acquired the exploit.
For this very reason, companies need to prioritise patch management. Instead of delaying updates for weeks or months, they must be applied in hours or days.
Phishing campaigns have become more sophisticated
Zero-day attacks are not the only technique threat actors can leverage. Cybercriminals also continue to exploit the weaknesses of people themselves.
These days, phishing efforts are impressively crafted, making them significantly harder to detect and counter. Campaigns are exceptionally convincing: attackers meticulously impersonate trusted brands and individuals, often monitoring email communications to understand user behaviour and identify suitable targets.
The advent of artificial intelligence has further complicated this landscape, enabling scammers to generate convincing imagery and compose polished emails that mimic the tone and style of legitimate correspondence.
As a result, phishing attempts are becoming both more persuasive and harder for even the most vigilant users to spot.
No industry or organisation is off limits
Ransomware attackers are also focusing on organisations they perceive as both vulnerable and more inclined to pay ransoms.
Take the healthcare sector as an example. Cybercriminals are actively targeting hospitals. Even in wartime, the protections championed by organisations like the Red Cross for hospitals and victims of armed conflict are generally upheld. Financially motivated threat actors observe no such barrier, and hospitals have become regular targets.
Why? Not only do these organisations often lack the funding to invest adequately in IT and security improvements, but threat actors know that any disruption they inflict can cause widespread chaos, which in turn creates pressure to pay quickly.
I have witnessed incidents where hospital groups were forced to divert or evacuate patients due to ransomware attacks that disabled critical equipment, such as insulin pumps and X-ray machines. It’s exactly what threat actors hope to achieve. In fact, results from the aforementioned Semperis ransomware report show that nearly 70% of healthcare organisations that were victimised by ransomware paid.
The risks of paying a ransom
From zero-day exploits and more sophisticated phishing tactics to targeting the organisations most likely to pay out, ransomware actors are continually refining an effective formula for their attacks, thereby bolstering their chances of success.
In contrast, organisations are all too often lagging in their response, failing to develop effective countermeasures to combat these threats. Again, Semperis’ latest report highlights the current gap that exists.
Critically, only about one-quarter of respondents have dedicated backup systems specifically for Active Directory. This is a serious problem. Without the ability to quickly recover operationally vital identity systems, companies can be left feeling they have no option but to pay their attackers.
Many respondents cited a desire to return to normal business as quickly as possible as a reason for paying. Firms that do this fail to recognise that paying once is likely to paint a bigger target on their backs, making them even more susceptible to future attacks.
A significant portion (32%) of companies that suffered a ransomware attack paid at least four times during the past year, and about 10% paid more than $600K in ransoms alone. If you experience a breach and choose to pay the ransom, you set the stage for attackers to come after you again.
Therefore, for any organisation – especially those that have previously been breached or have paid ransoms – it is crucial to take a new approach, prioritising resilience by embracing an effective multilayered security strategy.
Start by getting the basics right
Today, the basics matter. You’d be surprised at how much you can reduce your attack surface through aggressive patch management. Even small, incremental updates can help prevent significant disruptions down the line.
Similarly, while companies have traditionally focused on keeping intruders out, it is equally important to plan for the case where attackers get past those first lines of defence. Critically, that means ensuring backup systems are not only in place but also tested regularly, by actually restoring from them, to confirm they work.
The fact that nearly 70% of respondents said they had an identity recovery plan, yet 78% of targeted organisations paid the ransom, is a problem: backups, clearly, aren’t working as they’re supposed to. A plan on paper is not a tested restore.
The fact that only 27% of organisations have dedicated systems for recovering Active Directory, Entra ID and other identity controls – the Tier 0 infrastructure on which every other system depends for recovery – is also a major problem. It is crucial to understand where your data resides, which data is essential for business operations and how it is protected, and that includes your identity systems.
These things might not be exciting or interesting. But they are the building blocks of an effective security strategy.
Now, more than ever, it’s about laying the right foundations. Yes, new AI-driven tools are exciting, but firms must not forget to focus on the basics.