Octree Observer

What are Your Chances of Suffering a Ransomware Attack — Really?

1 December 2016 | Cybercrime
  • Ransomware has quickly become a top security concern, but does the risk actually merit the hype?

    A big thanks to Jonathan Crowe of Barkly for once again highlighting the growing phenomenon of ransomware. I have witnessed it first hand – it is dangerous and widespread.

    Earlier this month, a post appeared on the Spiceworks IT Community titled, "Have we just been lucky?"

    The question was referring to the fact that, despite all the headlines and widespread attention ransomware has been getting, the poster had yet to experience an infection first-hand. Curious as to whether that might be attributed to the protection they had in place or sheer dumb luck, the poster turned to the Spiceworks community to get more perspectives.

    Were others experiencing ransomware attacks? Was not having experienced an attack really that unique? Was it only a matter of time before their luck ran out?

    Responses to the question varied (they're really worth reading in full). Some IT pros acknowledged they hadn't been hit yet, either, while others reported their organizations had been hit multiple times. The general consensus, however, was that (as with all things security) the best approach was to prepare as if it weren't a matter of IF an attack would happen, but WHEN.

    Especially as long as attacks target the one vulnerability that's never fully under your control — your users.

    Looking beyond the initial "better safe than sorry" lesson, however, I thought this post also tiptoed close to asking another very interesting and valid question:

    How can you determine your risk for ransomware? What are the odds of you suffering an attack?

    This is the type of question that security experts hate, because there are typically way too many factors and variables to consider. Coming up with anything approaching a definitive answer is impossible and foolhardy.

    But that doesn't mean we can't take a crack at it.

    In fact, one could argue that taking the pulse of groups of IT pros to find out who has experienced attacks and who hasn't is a perfectly good way to start. By doing that you can get a sense of how prevalent ransomware attacks are and whether you're in the majority or minority as a victim or non-victim.

    Lucky for us, in addition to the awesome informal poll conducted on Spiceworks, we can also get a sense of the bigger picture via a survey from Osterman Research sponsored by Malwarebytes. Not only does it offer stats from a larger sample size (540 organizations, 165 U.S.-based), it provides industry-specific data, as well.

    Here's what they found:

    47% of U.S. companies have experienced ransomware attacks in the past 12 months





    Source: Understanding the Depth of the Global Ransomware Problem (Osterman Research)



    Translation: The odds of experiencing a ransomware attack are roughly equal to you playing roulette and the ball landing on black (just remember you're playing with your files instead of chips, and if you lose they get encrypted).


    That’s broadly speaking, of course, but it does provide a baseline for understanding how prevalent ransomware attacks are becoming. The 47 percent figure also matches up with a survey we conducted earlier this year in which 147 out of 335 IT pros reported they had experienced a ransomware attack (44 percent).

    As mentioned, there are of course plenty of factors that can raise or lower your likelihood of seeing an attempted ransomware attack. It's interesting to note two of the biggest appear to be industry and geography. For example, healthcare and financial services both experienced slightly more attacks than average.

    Ransomware attack statistics by industry





    Source: Understanding the Depth of the Global Ransomware Problem (Osterman Research)

     



    Note: These stats appear to confirm a bit of common sense — that industries dependent on managing sensitive and critical (read: lucrative) information are more likely targets for ransomware attacks. But other studies, including a recent report from security ratings company BitSight, indicate that there has been a significant increase in ransomware attacks across all industries in the past 12 months.

    In terms of geography, if your organization is based in the U.S. or the U.K. it's more likely you've experienced a ransomware attack.





    Source: Understanding the Depth of the Global Ransomware Problem (Osterman Research)

    Really the full picture? 46% of ransomware attacks may be going unreported



    Another thing to keep in mind, especially when considering the industry stats, is that not all ransomware victims are eager to come forward and admit when they've suffered an attack.

    In fact, a survey conducted by research firm Vanson Bourne found that just 61 percent of IT security pros notified their organization's CEO or board when they suffered a ransomware attack. Only 54 percent notified law enforcement.

    While victims may be more open to reporting attacks in anonymous surveys, it's worth pointing out that the actual percentage of companies infected could be higher.

    Better question: "How damaging would a ransomware attack be?" (risk is more than just your likelihood of getting attacked)



    Something else that tends to get lost in these statistics is the sense of not just how common ransomware attacks are becoming, but how severe the consequences may be if you do suffer an attack. That's a crucial variable that can impact the way you think about your odds of dealing with ransomware quite a bit.

    Ex: You may not worry too much about having a 50 percent chance of twisting your ankle. Make that a 50 percent chance of twisting your ankle while being chased by a bear, though, and your cavalier attitude may change considerably.

    In other words, depending on the consequences, risk can be more or less daunting to take on.

    For that reason, instead of getting too wrapped up in calculating the likelihood of you facing a ransomware attack, maybe a better question to ask is, “How damaging would it be if we did get hit?”

    If you don’t know the answer, it’s time to walk through some mock worst case scenarios:
    • What happens if a ransomware attack originates or spreads to a user with access to critical information and/or administrative privileges?
    • What happens if it spreads to file servers, network shares, and/or backups?
    • What is the cost of downtime if individual users, groups of users, or entire services have to go offline?

    Asking yourself questions like these will help you get a better sense of the risk ransomware poses, along with gaps in protection you need to address.

    We can also look to others' experiences to get a sense of the average extent of ransomware infections and the level of damage they cause. Just keep in mind that the way an attack will play out on your network is very much dependent on how your systems are set up and the security you have.

    4 out of 10 ransomware infections spread beyond the first infected endpoint





    Source: Understanding the Depth of the Global Ransomware Problem (Osterman Research)

    3 out of 10 ransomware attacks resulted in lost data despite having backups





    Source: Understanding the Depth of the Global Ransomware Problem (Osterman Research)

    In both cases, those numbers are actually lower than the results we've seen in our own ransomware surveys, where 50 percent of IT pros reported ransomware infections spreading to shared network drives, and 68 percent reported ultimately losing data due to ransomware attacks (despite 100 percent of them having backups in place).

    The most common reasons they weren't able to fully recover with backup?

    1. Unmonitored and failed backups
    2. Local, accessible backup drives were also encrypted
    3. Loss of between 1-24 hours of data from the last incremental snapshot

    You can spend a lot of time deciding whether to worry about ransomware, or you can get busy preparing for it

    When it comes to ransomware, the one thing virtually everyone agrees on is that the volume of attacks and ransomware varieties is dramatically increasing.

    Ransomware variants have grown by a factor of 10x since 2015





    Source: Proofpoint Q3 2016 Threat Summary

    97% of phishing emails delivered Locky ransomware in Q3 2016





    It's becoming increasingly likely for organizations to be exposed to ransomware. Whether those exposures result in successful infections or not, and just how damaging those infections are, will depend on the security measures in place.

    New tools are emerging that can help you protect your organization's most vulnerable blind spot — your users and their endpoints — and in many cases a handful of relatively simple preventative efforts can considerably reduce your risk. For more sound, practical advice, contact the nice chaps at Octree.


