The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
Introduction
Ransomware has become one of the most common and well-known threats to cybersecurity. 2020 saw a notable increase in ransomware attacks specifically on enterprise entities, as many organizations found themselves in the crosshairs of malicious actors. These attacks are becoming increasingly complex, as cybercriminals leverage new and sophisticated techniques to exploit computers and systems. The questions now are how successful the file-locking malware is in achieving its goals and how paying the ransom impacts the overall remediation cost.
This article will detail some key findings from Sophos’ “The State of Ransomware 2020” and Malwarebytes’ 2020 “State of Malware” reports, which offer brand-new insight into recent ransomware attacks and uncover the impact of fulfilling threat actors’ demands on overall recovery costs. But before we look at the findings, let’s quickly explore the definition of a ransomware attack to ensure you’re aware of the different attack vectors.
Hands-on threat intel training
What is a ransomware attack?
Ransomware is a type of malware that seizes control of your computer by encrypting its files in a way that you’re unable to access them normally. It typically spreads through malicious emails that ask you to download an attachment. When you do, the download launches a program that infects your system. Besides ransomware email, you can also get infected via malicious ads on compromised websites and drive-by downloads that exploit endpoints to infect entire networks. Advanced infection via remote desktop services is also possible.
After infecting a system, the ransomware locks every data file it can find, using strong encryption. It then displays a note demanding a ransom (typically payable in cryptocurrency) to decrypt the files and restore access to the affected system. Security experts, however, warn that paying the ransom does not guarantee that you will get the unlock tool or decryption key needed to regain access to your system. Some ransomware keeps files encrypted after the initial payment, demanding even more money and threatening to delete the data. That is why making regular data backups and investing in ransomware protection are becoming crucial.
Now that you know how ransomware attacks work, let’s look at how they’ve been affecting organizations and what has been the overall response to the threat.
Ransomware: 4 key findings from Malwarebytes and Sophos
1. Increase in new ransomware activity against organizations
Malwarebytes analyzed the year-over-year change in business cyberthreat categories from 2018 to 2019. Even though ransomware was overshadowed by other threat categories in volume, Windows detections in 2019 were both observable and concerning.
Many of the high-profile cyberattacks of last year consisted of ransomware, with advanced families like Ryuk and Sodinokibi wreaking havoc on enterprise systems. In fact, detections of Ryuk and Sodinokibi increased by 543 percent and 820 percent respectively over Q4 2018.
Based on the trend, we expect these ransomware families to remain hot-button threats in 2020 and beyond. Ryuk has already managed to infect and bring down branches of the steel manufacturer EVRAZ, while Sodinokibi hijacked data files of two large food distributors.
2. Ransomware prevalent in EMEA and APAC regions
The 2020 State of Malware Report also explored malware types in the four global regions: NORAM (North America), EMEA (Europe, the Middle East and Africa), APAC (Asia Pacific) and LATAM (Latin America), ransomware was most prevalent in EMEA and APAC. European victims of the malicious software included the Norwegian aluminum and renewable energy giant Norsk Hydro ASA, Belgian metal producer Nyrstar and the universities of Maastricht and Freiburg. In APAC, WannaCry ransomware continued to affect businesses. More broadly, ransomware injected via remote desktop applications was most prevalent in the region.
The report stated that the ASEAN region could suffer a $19 billion loss in a hypothetical global ransomware campaign because of loss in productivity, ransom payments and costs related to incident response.
3. Most ransomware victims got their data back via backups
According to Sophos’ commissioned survey of 5,000 IT managers, more than twice as many firms whose data was encrypted by ransomware restored it through backups. Almost 56% of the 94% organizations affected used this measure for remediating the ransomware attack. Of the remaining firms, 26% got their data back by paying the ransom while 12% stated that they regained access to their data through other means.
It’s also worth mentioning that besides the 26% of organizations who made the payment and got their data back, a further 1% of firms whose data was encrypted paid the ransom but didn’t regain access to their data. Overall, 473 of the 496 organizations that settled the ransom had their data restored.
4. Paying the ransom doubled the cost
Sophos also found that paying the ransom resulted in twice the remediation costs, compared to not paying at all or restoring data from backups. Not only do you gain peace of mind from not transferring money to cybercriminals, but the best part is that you save money in the long run.
But why does the cleanup cost more if you’ve already fulfilled a threat actor’s demand? Because even after paying the ransom, an organization still has to do a lot of work to get back their data. In fact, the costs of data restoration and bringing things back to the normal state are likely to be the same whether data is restored by criminals or via your own backups. Now that is something worth thinking about.
Conclusion
The four findings indicate that ransomware is a very real threat in 2020 and is expected to remain so in the foreseeable future. As such, it is important to invest in ransomware removal and detection technology to prevent unauthorized file encryption. Making regular backups and storing data offline and offsite also helps as restoring data from backups costs considerably less than paying the ransom.
Finally, organizations should consider implementing a layered defense consisting of secure email gateway technologies, employee training, network patching, system updates and application whitelisting to defend against all vectors of ransomware attacks.
Sources
What Is Ransomware?, CompTIA
2020 State of Malware Report, Malwarebytes
The State of Ransomware 2020, Sophos
In this Series
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage