Ransomware has grown considerably as a threat since Malwarebytes released its first annual State of Ransomware Report in 2016. No events better demonstrate this surge of enciphering strains than the WannaCry and NotPetya outbreaks. They highlight bad actors’ ongoing work to target businesses with new creations, including families that self-propagate across vulnerable machines by abusing publicly known security flaws. The attacks also raise an important question: are organizations prepared to confront the next generation of ransomware?
To answer that question, Malwarebytes published its second annual State of Ransomware Report in July 2017. Its study explores the efforts of 179 small- to mid-size businesses (SMBs) in the United States and 175 organizations in five other nations to prevent, detect, and sometimes recover from ransomware attacks. Here are a few highlights from Malwarebytes’ survey.
Ransomware Attacks and Their Consequences
Nearly two in five (38 percent) organizations located in the United States suffered a ransomware attack between 2016 and June 2017 when Malwarebytes conducted its survey. (Ransomware struck 35 percent of organizations globally during the same time period.) Close to a third of U.S. companies saw between one and five ransomware attacks, though 2 percent of enterprises encountered more than 20 crypto-malware infections.
For more than half (56 percent) of U.S. organizations that suffered a ransomware attack, the scourge affected only one endpoint. Unfortunately, the infection spread to other devices in 40 percent of cases in the United States (35 percent globally). Two percent of companies worldwide even suffered infections in which the malware affected all their devices, whereas double that percentage of enterprises weathered similarly comprehensive attacks in the United States.
46 percent of U.S. customers lost access to their files as a result of an enciphering attack, compared to 37 percent globally. 12 percent lost revenue, whereas business stopped immediately for 20 percent of U.S. victims. Even so, ransomware caused downtime for just one in six organizations it affected in the United States. Those outages didn’t last longer than 24 hours for 80 percent of those companies. Still, a few saw more than 100 hours of service interruptions.
In 54 percent of cases, email-based attack vectors (either attachments or links) delivered the ransomware to U.S. companies. 16 percent of cases involved a malicious website or web app. But 9 percent of American victims didn’t know what caused the infections. (Globally, that unknowing percentage was even greater at 27 percent.)
Detection of and Response to a Ransomware Attack
Detection rates for ransomware ranged across the board among those U.S. organizations that participated in Malwarebytes’ study. 44 percent of American companies accomplished detection in less than an hour; 13 percent found the infection in five minutes or less. But 56 percent of victimized businesses took hours or even days to discover the malware.
In 51 percent of infections affecting U.S. businesses, attackers demanded less than $1,000. Only two percent demanded exorbitant ransoms of greater than $150,000. All the same, companies didn’t jump to meet the attackers’ demands. Just 20 percent of U.S. victims met the developers’ demands, which is slightly lower than the 28 percent average. A little shy of a third (32 percent) of those that didn’t pay lost files. Meanwhile, British and Australian victims saw the greatest rate of file loss at 46 percent and 40 percent, respectively.
Working to Combat Ransomware
Only a minority of IT decision makers surveyed by Malwarebytes saw any value in meeting attackers’ demands. Just six percent of U.S. organizations thought it was a good idea for victims to always pay the ransom. (The global average for this perspective was two percent of companies.) More than a third (36 percent) of U.S. participants said enterprises should consider paying the ransom depending on the value of the encrypted data, while over half (58 percent) saw no value in working with computer criminals.
Notwithstanding that determination, not all organizations were confident they could stop a crypto-malware attack. 50 percent of U.S. companies said they were “fairly” confident or “very” confident they could stop an infection. 37 percent of American enterprises said they were only “somewhat” confident. More than one in ten (12 percent) revealed they were “not too confident.”
Reflecting these levels of poise, 80 percent of U.S. IT decision makers said addressing ransomware is a “high” or a “very high” priority for them. (75 percent of organizations felt the same.) That explains why approximately 70 percent of U.S. companies were investing in tech and/or education to combat the crypto-malware threat.
That’s not to say they’re doing so in the same way, however. For instance, 80 percent of U.S. companies conducted security training, but some did so more than others. (24 percent educated their employees just once a year, whereas 22 percent held at least four trainings per year.) Similarly, just over three quarters (76 percent) of U.S. organizations used email security to defend against ransomware, while others implemented network segmentation and other technology-driven approaches.
A Balanced Approach
The best way for organizations to defend against ransomware is to use a balanced approach of human- and technology-centric strategies. Those security measures should include robust data backup plans, efforts to strengthen the organization’s security culture against phishing and other digital threats, and investment in solutions that are capable of monitoring critical endpoints for anomalous behavior.
For more information on the state of ransomware, please download Malwarebytes’ report here.