
How Ransomware Is Still Hitting Businesses With Heavy Costs

By ISBuzz Team, July 25, 2018 (5 Mins Read)

One year on from the global outbreaks of WannaCry and NotPetya, which established ransomware as one of the most notorious cyber threats on any business’s radar, organisations around the world are continuing to fall prey to new attacks.

A fully-fledged ransomware infection can potentially cripple an organisation by locking away mission-critical files and systems, and many firms will quickly cave in to the criminals’ demands and pay exorbitant fees in the hope of quickly restoring operations. The total cost of infection can quickly reach hundreds of thousands of pounds due to lost revenue from downtime and the time and resources needed to contain the outbreak and restore back-ups.

The heavy cost of infection

Ransomware attacks cost UK businesses a combined £356m over the last year alone, according to recent research commissioned by SentinelOne. The research, carried out in February 2018, surveyed security and risk professionals at 500 businesses in the UK, France, Germany and the USA on their experiences with ransomware.

With attacks on the rise, having the right response strategy in place can make a significant difference to the costs incurred. Deciding to pay a ransom is a risky move, as there are many incidents where attackers have not decrypted the files even after taking the money; our research found that 60% of UK organisations didn’t receive their decrypted files despite paying the ransom demand. In addition to there being no honour among thieves, many of these cases are due to the use of shoddily coded ransomware that lacks the ability to unlock encrypted files. We recently saw this with the Thanatos ransomware, which failed to save the keys created for each encryption, rendering it impossible for criminals to undo their damage even if they wanted to. Paying a ransom also helps to encourage future attacks by perpetuating ransomware as a reliable money-maker for criminals.

The UK appeared to be notably resistant to paying ransoms compared to other countries included in the research. Only three percent of UK-based respondents had recently paid a ransom, and the average payment was £27,000, against the global average of £34,000. Encouragingly, companies are overall less likely to pay a ransom today, with 32 percent saying they were likely to pay, compared to 40 percent in a similar study conducted in 2016.

Unavoidable costs?

Even when businesses either will not, or cannot, pay the ransom demands, a ransomware infection can still rack up extremely high costs in a short amount of time. SentinelOne’s research found that the amount of time spent decrypting ransomware attacks stood at an average of 40 man-hours.

40 percent of respondents in the UK reported an average of five attacks over the last 12 months, with the average total cost coming to £329,976 per annum. On a global scale, the average yearly cost to individual businesses stood at £591,238. Lost business due to interrupted or halted operations is a major cause of the high cost of ransomware, along with the additional time and resources needed to undo the damage and restore systems.

The City of Atlanta, which was hit with the SamSam ransomware in March, was presented with a ransom of roughly $50,000 in bitcoin but ended up spending more than $2.6m in emergency efforts such as incident response and digital forensics.

Prevention is better than cure

With a major ransomware infection still coming with a heavy cost even for stalwarts who refuse to pay, organisations must invest in their ability to defend against attacks. SentinelOne’s study found that one in two businesses blamed employees for causing the outbreak, supported by the fact that phishing emails were used to trick staff into initiating the compromise in 69 percent of instances.

Better awareness among employees is a good response to the threat of deceptive emails delivering ransomware but, alongside this, firms must also ensure that they can detect and shut down ransomware infections before they can spread and harm their operations.

With almost all ransomware outbreaks starting with a single compromised endpoint, defence should begin the moment the malicious file is saved to the file system on the endpoint device. By constantly searching the binary for the unique behavioural characteristics that indicate ransomware, it is possible to detect the malicious activity before it can truly begin. One key indicator is high binary entropy, which is a sign of the obfuscation and packing activity common in ransomware.
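The entropy indicator described above can be measured directly. The following is an added example, not code from the article or from SentinelOne; the window size, the 7.2 bits-per-byte threshold, the 0.6 ratio and the sample byte strings are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_ratio(data: bytes, window: int = 1024, threshold: float = 7.2) -> float:
    """Fraction of full windows whose entropy exceeds the threshold.

    Windowing matters: a whole-file average is diluted by headers and
    padding, while a packed payload shows up as a long run of hot windows.
    """
    chunks = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    if not chunks:
        return 0.0
    return sum(shannon_entropy(c) > threshold for c in chunks) / len(chunks)

def looks_packed(data: bytes, min_ratio: float = 0.6) -> bool:
    """Assumed policy: flag a file when most of its windows are high entropy."""
    return high_entropy_ratio(data) >= min_ratio

def constructed_samples():
    """Build two synthetic byte strings (no real binaries involved)."""
    stub = (b"push ebp; mov ebp, esp; call init; ret; " * 200)[:4096]
    # Hash output stands in for an encrypted or compressed payload.
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
    plain = stub * 5               # 20 KiB of low-entropy, code-like text
    packed = stub + payload        # 4 KiB stub followed by 16 KiB payload
    return plain, packed

if __name__ == "__main__":
    for name, blob in zip(("plain", "packed"), constructed_samples()):
        print(name, round(shannon_entropy(blob), 2),
              high_entropy_ratio(blob), looks_packed(blob))
```

Legitimately compressed files such as installers, archives and media also score high, so entropy works as one signal to weigh alongside behaviour rather than as a verdict on its own.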

Ransomware can also be detected through searching for activity such as scanning the hard drive, rapidly encrypting files, and interfering with shadow copies. Most of these actions are outside of normal user behaviour and so can be instantly identified using behavioural analytics. As soon as signs of ransomware are detected, the compromised endpoint can immediately be cut off from the rest of the network, preventing the infection from spreading. The individual device can then be rolled back and cleaned of the infection.
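The behavioural checks described above, as an added example that is not from the article or any vendor product: a detector run over constructed endpoint telemetry that flags hosts for isolation. The event format, host names, thresholds and the single command-line pattern are assumptions.

```python
from collections import defaultdict, deque

def is_shadow_tamper(cmdline: str) -> bool:
    """Match one well-known shadow copy deletion command line (not exhaustive)."""
    c = cmdline.lower()
    return "vssadmin" in c and "delete" in c and "shadows" in c

def hosts_to_isolate(events, window=10.0, max_files=20):
    """Return {host: reason} for the first rule each host trips.

    Rules (thresholds are assumptions): one process rewriting more than
    max_files distinct files within `window` seconds, or any process
    deleting shadow copies.
    """
    recent = defaultdict(deque)          # (host, pid) -> (ts, path) in window
    alerts = {}
    for ts, host, pid, action, detail in sorted(events):
        if host in alerts:
            continue                     # already flagged for isolation
        if action == "proc_create" and is_shadow_tamper(detail):
            alerts[host] = "shadow_copy_tamper"
        elif action == "file_write":
            q = recent[(host, pid)]
            q.append((ts, detail))
            while ts - q[0][0] > window:
                q.popleft()              # drop writes older than the window
            if len({path for _, path in q}) > max_files:
                alerts[host] = "mass_file_rewrite"
    return alerts

def constructed_events():
    """Synthetic telemetry: (seconds, host, pid, action, detail)."""
    ev = [(t, "ws-01", 410, "file_write", f"C:\\docs\\report{t}.docx")
          for t in (0.0, 20.0, 40.0)]                      # ordinary user
    ev += [(i * 10.0, "ws-02", 88, "file_write", f"D:\\backup\\part{i}.bak")
           for i in range(25)]                             # slow backup job
    ev += [(100 + i * 0.1, "ws-07", 9001, "file_write", f"C:\\docs\\f{i}.xlsx")
           for i in range(30)]                             # burst of rewrites
    ev.append((50.0, "ws-09", 77, "proc_create",
               "vssadmin.exe Delete Shadows /All /Quiet"))
    return ev

if __name__ == "__main__":
    print(hosts_to_isolate(constructed_events()))
```

The slow backup job on ws-02 touches 25 files without tripping the rule, which shows why the rate within a window, not the total file count, is the signal to alert on.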

By shutting down a ransomware outbreak before it can truly begin, organisations can see off the threat with minimal disruption or cost to their operations, long before they even have to consider taking a chance on paying a king’s ransom in the hope of getting their files back.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
