Over a third of ransomware cases were repeat victims in 2022

ransomware
Image by AndreyPopov | Bigstockphoto

Despite growing awareness of the risk and impact of ransomware, ransomware remains an enduring and evolving cyberthreat. And this is despite more effective security measures and international collaboration to bring down attack groups and disrupt their criminal operations. Every organization is a potential target.

New international research shows that in 2022, just under three-quarters (73%) of the organizations surveyed globally and in Asia-Pacific (APAC) reported being hit with at least one successful ransomware attack. The high victim count likely reflects the widespread availability of low-cost, accessible attack tools through ransomware-as-a-service offerings, bringing ransomware attacks within the reach of many cybercriminals.

In 2022 more than a third (38%) were repeat attacks

But that’s not the only concern. The research also shows that in 2022, more than a third (38%) of the organizations surveyed fell victim to a repeat ransomware attack. This means that they were hit twice or more, either by the same or by different ransomware attackers. A number of research reports in recent years have covered this risk, and it deserves greater emphasis.

A single successful ransomware attack can cripple day-to-day operations and customer supply chains, causing chaos and financial losses, and damaging company reputations as well as customer relationships. How much more destructive might a repeat attack be, especially if the victim has yet to recover fully from the impact of a previous incident?

To help organizations better defend themselves against repeat attacks, it is worth exploring what could be putting them at risk in the first place. The research findings suggest it is likely to be a combination of several factors, including ineffective security and incident response measures and a willingness to pay the ransom, either by choice or because there seems to be no alternative.

Risk factors that could leave organizations exposed to repeat attacks

Inadequate security measures

The research shows that for 69% of organizations affected by ransomware, the attack started with a malicious email, such as a phishing email designed to steal credentials that would allow the attackers to breach the network. Web applications and web traffic are the second most widely seen starting point and represent an area of growing risk as part of an ever-expanding threat surface. Organizations need to have these bases covered.

Inadequate incident response and neutralization during and after the attack

The fact that multiple successful attacks are possible suggests that security gaps are not fully addressed after the first incident. There may be several reasons for this. For example, a lack of security controls, incident response, and investigation capabilities, coupled with growing attacker sophistication and stealth, could mean that implanted backdoors or other persistence tools left by attackers are not identified and removed.

Access points might be left open and account passwords not reset so that stolen credentials can be abused again. Fully neutralizing an attack is made harder because the attackers often misuse legitimate IT admin tools that are also used by IT teams for benign, everyday business purposes, so their appearance in the network may not immediately arouse suspicion.

Paying a ransom

The research found that organizations that were hit multiple times were more likely to say they’d paid the ransom to recover encrypted data. 42% of those affected three times or more paid the ransom to restore encrypted data, compared to 34% of those hit twice and 31% of those hit just once. Repeat victims were also less likely to use a data backup system to help them recover. There is a risk that once it is known that an organization is willing to pay a ransom, other attackers will target the same victim. 

Having cyber insurance in place

The research found that 77% of organizations with cyber insurance were hit with at least one successful ransomware attack, compared to 65% without cyber insurance. This could mean cybercriminals are more likely to target organizations with insurance, in the belief that the insurers will be willing to cover the ransom cost to speed up recovery. Organizations affected by two or more ransomware attacks were also more likely to have cyber insurance in place (70%).

Defending against ransomware

Many organizations may underestimate how exposed they are. The findings show that only 27% of the organizations surveyed felt underprepared to tackle a ransomware attack.

The security industry has an essential role to play in helping organizations address the challenges of ransomware through deep, multilayered security technologies. These include AI-powered email protection and Zero Trust access measures, application security, threat hunting, extended detection and response (XDR) capabilities, and effective incident response to spot intruders and close gaps so that attackers cannot easily find their way in.

Further details of the research can be found in the 2023 Ransomware Insights report.

Related article: Fighting ransomware starts with KYE (know your enemy

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.