Ransomware attacks on the rise, U.S. firms less likely to pay up

Jos

Staff

Ransomware is on the rise with nearly 50% of businesses across the United States, Canada, United Kingdom, and Germany reportedly experiencing an attack last year alone, according to a study sponsored by Malwarebytes. The survey included 540 CIOs, CISOs and IT directors from companies with an average of 5,400 employees in these countries.

This type of attack encrypts or locks files away before demanding payment in return for a key to decrypt them and return the PC to normal. The most heavily targeted industries for ransomware are healthcare and financial services.

Among organizations that have experienced a ransomware attack, roughly one-half have encountered the attack through a desktop computer, followed by laptops as the second most common ingress point. Mobile devices and servers are not common entry points.

As you would expect, email links and attachments are the primary method used by criminals to target organizations, making up nearly 60 percent of all infections.

An average user hit with ransomware may be asked to pay $500 to $1,000, according to Malwarebytes, but when an enterprise gets hit the sum is $10,000 and up. The study found that ransom demands in excess of $10,000 are most common in Germany (48%), but much less common in the United Kingdom (22%), the United States (18%) and Canada (14%).

Many are apparently giving in to demands for payment as the cost of keeping operations closed is far higher -- as much as 40% pay up. Curiously, organizations in the United States were found to be far less likely to pay the ransom. Only 3% admitted to paying up versus 75% of ransomware victims in Canada, 22% in Germany and 58% in the UK.

Among organizations that chose not to pay the ransom after becoming infected with ransomware, more than one-quarter lost files as a result. You can check out the complete report here for other interesting tidbits on this growing pain for IT departments everywhere.


 
It kind of serves them right for not having adequate backup. The company I now work for had an attack a few years ago and they just restored their backup, figuratively slapped the dumb employee responsible and everything else was fine.
 
If I was ever unfortunate to be caught out by this scam I'd simply perform a reformat of my HDD and start from scratch. Fortunately I believe in backing up important stuff and I'd never pay these criminals a plugged nickel.
 
It kind of serves them right for not having adequate backup. The company I now work for had an attack a few years ago and they just restored their backup, figuratively slapped the dumb employee responsible and everything else was fine.

You obviously know very little about the financial or health care services.

The only possible backup would be to have either constant backups going or to have all transactions backed up. That requires the system with the backups to be connected at ALL times. This could easily result in the ransomware affecting those systems also.

For a moment let us assume they can have a complete backup that is up to the second before the ransomware is activated.

During market hours a brokerage house must complete a trade request within seconds. More than one brokerage house has gone bankrupt because of rapid changes in the value of a stock and being unable to complete the trade fast enough. There are fines. There can also be punitive damages if the brokerage house does not cover all losses due to an increased cost when purchasing or a reduced value when selling. When you lose 5%, 10%, 100% of your life savings because the brokerage house has so many fines that they go under, and fines are paid before customers, are you going to say "Oh well, it is just money."

In a hospital, they cannot just shut down the computers and wait for a complete restore. Virtually all information is now in digital format. That goes from the X-rays being used in operations to dosages of medications being automatically administered to just basic medical records. I am quite sure you would be upset if something happened to a member of your family because the doctor or hospital just shut down and began a restore in the middle of a treatment or operation. At least that up-to-the-second backup would not necessitate repeating tests and procedures fully completed, like maybe you had finished a colonoscopy (everyone does so love the taste of GoLYTELY), but then you might be in the middle of the test.

In neither case, I suspect, are you willing to just turn off the system preventing its spread or just restore the system losing all data since the last backup. Would you rage at the hacker that created the ransomware, the person that bought a copy and targeted the bank/brokerage house/hospital, the clerk that submitted your trade to the exchange/downloaded medical records, or the financial institution/hospital?

Would you be ready to begin litigation for your losses or inconvenience? I expect yes. And you just said, just do a restore. I think that comment should be used by the defense attorneys if you ever do have something like this happen.

There are many more businesses out there that cannot just stop everything and do a restore. Examples are 911 system, utilities, police, fire, FAA, military during operations, ... Some might even consider communications companies as shutting down an entire node might affect the others.

Where possible, I agree, not having multiple backups that can immediately be used to restore your system to a pre-crash/pre-malware status is very ill-advised. Backups should be done daily, if it is possible to back up transactions and know no malware could be backed up also. It does little good to have the malware on the backups. I have seen that, and restores just restored an earlier infected state.

I agree, if your system is not used in a critical area and must be kept running, upon discovery of malware, a system restart, all disks formatted, and all data restored to a time prior to infection is the appropriate action.
 
@NatalieEGH hmmmmmm
Surely you are aware that critical systems don't run on desktops -- that's where the GUI FE operates. The meat and potatoes is on a server, typically non-local and non-standard port configuration.

Network segmentation and access control by job function limits the span of an intrusion and a good disaster recovery plan ( other than Heck restore all) mitigates recovery time.

So the issue becomes having skilled staff that can do more than reset passwords and schedule backups.
 
I trust you are also aware that not only have desktops been subject to ransomware but routers and even large servers have been attacked. The WannaCry ransomware was specifically designed to attack Windows Servers, as EternalBlue was an exploit. There are supposedly thousands of such exploits known and used by various governments. I believe most servers now are using either Intel or AMD processors for their CPUs. Further, they are running enterprise versions of Windows.

Network segmentation does not always work if the network is itself attacked with malware. Access control can be similarly compromised.
 
  1. Network segmentation does not always work if the network is itself attacked with malware.
  2. Access control can be similarly compromised.
Neither of these can be compromised UNLESS credentials have been acquired. Using a good IDS, the changes can be detected and corrected easily and quickly.

If we want to pick, physical security comes before all things - - lockdown USB, CD, DVD and all remote change capability.
 