SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Ransomware recovery costs more than doubled in past year
Thu, 29th Apr 2021
FYI, this story is more than a year old

The average total cost of recovery from a ransomware attack for businesses in Asia Pacific and Japan has more than doubled in the last 12 months, according to new research.

Cybersecurity firm Sophos unveiled the findings of its global survey, The State of Ransomware 2021, which reveals that recovery cost have increased by more than US$1 million, from US$1.16 million in 2020 to US$2.34 million in 2021.

According to the research, the average ransom paid by organisations in APJ is US$123,634, while only 5% of APJ organisations managed to get back all of their data after paying a ransom, with 19% getting back no more than half of their data.

While the number of organisations in APJ that experienced a ransomware attack fell from 53% of respondents surveyed in 2020 to 39% in 2021, and fewer organisations suffered data encryption as the result of a significant attack (68% in 2021 compared to 81% in 2020), the new survey results reveal worrying upward trends, particularly in terms of the impact of a ransomware attack.

"The apparent decline in the number of organisations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect, at least in part, changes in attacker behaviours," says Chester Wisniewski, principal research scientist, Sophos.

"We have seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking," he says.

"While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher," Wisniewski explains.

"Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs."

The research found the APJ average cost of remediating a ransomware attack grew by more than US$1 million. Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of US$1.16 million in 2020 to US$2.34 million in 2021.

The average ransom paid in APJ was US$123,634. While US$3.2 million was the highest amount paid out of those surveyed globally, the most common payment was US$10,000. The proportion of APJ organisations that paid the ransom remained the same year on year at 39%

"The findings confirm the brutal truth that when it comes to ransomware, it doesn't pay to pay," says Wisniewski.

"Despite more organisations opting to pay a ransom, only a tiny minority of those who paid got back all their data," he says.

"This could be in part because using decryption keys to recover information can be complicated. What's more, there's no guarantee of success.

"For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible."

The survey found around two thirds (65%) of APJ respondents believe cyberattacks are now too advanced for their IT team to handle on their own.

It also revealed extortion without encryption is on the rise. A small, but important 3% said that their data was not encrypted, but they were held to ransom anyway, possibly because the attackers had managed to steal their information.

"Recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data," says Wisniewski.

"Whole systems need to be rebuilt from the ground up and then there is the operational downtime and customer impact to consider, and much more.

"Further, the definition of what constitutes a ransomware attack is evolving."

For a small, but significant minority of respondents, the attacks involved payment demands without data encryption.

"This could be because they had anti-ransomware technologies in place to block the encryption stage or because the attackers simply chose not to encrypt the data," Wisniewski says.

"It is likely that the attackers were demanding payment in return for not leaking stolen information online. A recent example of this approach involved the Clop ransomware gang and a known financially-motivated threat actor hitting around a dozen alleged victims with extortion-only attacks."

 Wisniewski says it is more important than ever to protect against adversaries at the door, before they get a chance to take hold and unfold their increasingly multi-faceted attacks.

"Fortunately, if organisations are attacked, they don't have to face this challenge alone," he says.

"Support is available 24/7 in the form of external security operations centres, human-led threat hunting and incident response services."

Sophos recommends the following six best practices to help defend against ransomware and related cyberattacks:

1.       Assume you will be hit. Ransomware remains highly prevalent. No sector, country or organisation size is immune from the risk. Its better to be prepared, but not hit, rather than the other way round

2.       Make backups and keep a copy offline. Backups are the main method organisations surveyed used to recover their data after an attack. Opt for the industry standard approach of 3:2:1 (three sets of backups, using two different media, one of which is kept offline)

3.       Deploy layered protection. As more ransomware attacks also involve extortion, it is more important than ever to keep adversaries out in the first place. Use layered protection to block attackers at as many points as possible across an estate

4.       Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organisation needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If you don't have the skills in house, look at enlisting the support of a specialist cybersecurity company Security Operation Centres (SOCs) are now realistic options for organisations of all sizes

5.       Don't pay the ransom. Easy to say, but far less easy to do when an organisation has ground to a halt due to a ransomware attack. Independent of any ethical considerations, paying the ransom is an ineffective way to get data back. If you do decide to pay, bear in mind that the adversaries will restore, on average, only two-thirds of your files

6.       Have a malware recovery plan. The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Organisations that fall victim to an attack often realise they could have avoided significant financial loss and disruption, if they had an incident response plan in place