Repeat ransomware attacks hit 80% of victims who paid ransoms

New research from Cybereason offers troubling findings for organizations that pay ransoms, from repeat attacks to corrupted data and faulty decryption tools.

Organizations that pay up after a ransomware attack incur a high probability of a second attack.

New research from endpoint security vendor Cybereason examined the short- and long-term impacts ransomware has on businesses through a survey of 1,263 infosec professionals from the U.S., United Kingdom, Spain, Germany, France, United Arab Emirates and Singapore. One of the most significant findings of the survey was that 80% of organizations that paid ransom demands experienced a second attack.

To make matters worse, of those who did get attacked again, nearly half said they believed it was at the hands of the same attackers, while just 34% said they believed the second attack was perpetrated by a different set of threat actors.

Additionally, paying does not guarantee operations will go back to normal, according to the Cybereason report. Of those surveyed, 46% regained access to their data following payment, but some or all of the data was corrupted. And 25% of respondents said a ransomware attack led to their organization closing down.

Cybereason's report presents troubling data around the growing threat of repeat attacks. Though 80% is higher than Cybereason co-founder and CTO Yonatan Striem-Amit expected, he said it was not that surprising. The reason for the remarkably high percentage is that when businesses make the choice to pay the ransom, they may be solving an immediate problem, Striem-Amit said. But they are also announcing their willingness to pay potentially large sums of money to resolve a crisis.

Striem-Amit said cybercriminals have gotten better at identifying would-be targets, and the larger ransomware groups are specializing in big game hunting -- going after major multinational corporations with targeted intrusion techniques. The problem has become so bad that the White House recently issued a ransomware directive just for businesses.

"When victims are paying, they're putting a sign to attackers: we're open for business," he said. "The criminals then attack these victims again before they have a chance to ramp up their security practices."

Repeat attack causes

Cybereason isn't the only vendor to observe the trend of organizations being attacked multiple times. Nick Pelletier, Mandiant incident response director, told SearchSecurity that his company has performed investigations for companies repeatedly victimized by the same ransomware threat actor. However, they often occurred in situations where the threat actor's attempts to elicit a ransom payment had been unsuccessful. According to Pelletier, in those instances Mandiant observed an escalation in the threat actor's tactics: first by increasing the scope of encryption, and later by resorting to extortion via data theft and exposure.

"In this way, repeated targeting of the same organization helps accomplish the threat actor's mission by increasing leverage. Furthermore, it's disingenuous to frame repeated targeting as a mistake or lack of preparedness of the victim, as it's more akin to a sustained attack without the luxury of time to investigate, remediate and increase resiliency, as opposed to multiple, distinct attacks," Pelletier said in an email to SearchSecurity.

Additionally, incident response following an attack can be tricky. Eric Parizo, a principal analyst at Omdia, told SearchSecurity that because every incident is unique, even if the staff is trained, has good technology and sound processes supporting the IR effort, things can still go wrong.

"If you don't discover the event fast enough, identify all the affected places and take the right actions to mitigate it, [repeat attacks can occur]," Parizo said in an email to SearchSecurity.

Jon Oltsik, principal analyst at Enterprise Strategy Group, a division of TechTarget, said other issues are informal and untested programs and a lack of trained IR personnel. "Typically, customers do listen to IR providers, but they may not have the skills, resources or workflows to do so in a timely manner," Oltsik said in an email to SearchSecurity.

Post-attack investments

Cybereason asked the portion of surveyed respondents who were attacked in the last 24 months to share which solutions they invested in following an attack, in order to protect their networks from any future events. The top five were email scanning, data backup and recovery, endpoint protection, security operations center (SOC) and, in the top spot at 48%, security awareness training.

"Unfortunately, it's not a pick one and only do that," Striem-Amit said. "If you build your entire security program around awareness, this will not succeed. But doing all these things together are very effective -- deploying the right solutions, training the team and best practices will help. The businesses have to have a willingness to act."

While Striem-Amit said cyber insurance is an important component in an enterprise's cybersecurity posture, Cybereason is seeing many cases where insurance doesn't cover the entirety of damage. According to the survey, 42% of respondents said their insurance carrier only covered some of the financial losses. Between brand reputation damage, layoffs, business disruptions and more, the costs pile up.

"Can insurance ever really cover the full cost of ransomware attack? The answer is no. It probably isn't sufficient as the only or major way you mitigate risk in your organization," Striem-Amit said.

On the bright side, Cybereason's report said the overall volume of attacks appeared to be decreasing this year. However, the report said the attacks that are occurring are more sophisticated. Striem-Amit said ransomware operations today are almost indistinguishable from the sophistication and knowledge of nation-state hackers. Therefore, enterprises need to be prepared.

"Focusing on hygiene, the right technologies, dropping away from antiquated to modern practices is dramatically cheaper than the overwhelming damage that will happen to you if you're hit by a ransomware attack," he said. "Ransomware attacks these days are modern, sophisticated and really go after everybody. Take it seriously now."
