Weekly Ransomware Attacks Taking a Toll on Security Pros

A third of organizations experience a ransomware attack at least once a week, indicating businesses are struggling to keep up with a steady stream of attacks, according to a report from Menlo Security. 

The survey of more than 500 IT security decision makers at organizations with more than 1,000 employees found 61% of U.S. organizations and 44% of UK organizations have been the victim of a successful ransomware attack in the last 18 months.

Customers and prospects are the most likely entry point for an attack, while partners/suppliers and employees/contractors are also seen as serious security risks. However, one in 10 respondents admitted they were unable to identify how the attackers got in.

Email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%) were the top three ransomware attack vectors, according to the report.

Ransomware Attacks: Too Fast, Too Furious

“In terms of how dire the situation is, there are a few angles to consider—there’s the monetary angle, which is well covered, but there’s also the lack of ability to respond to these attacks even if a company focused on it,” said Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.

Guntrip said he believes this is the most worrying point—that the attackers are outpacing the security teams and that the security teams know and feel it.

“Keep in mind that these are specifically ransomware attacks,” he added. “Other types of attacks are happening as well. We’re seeing threat actors become more organized, more targeted and more global in their attacks.”

According to the report, the average estimated cost is $326,531.00, with insurance payouts extending up to an average of $555,971.00, although a significant minority (24%) admitted they didn’t know the value of their insurance policy or if they even had coverage.

Industry figures, however, showed the average total cost of recovery from a ransomware attack in 2021 was $1.4 million.

“This potential gap in coverage could still cause substantial financial pain to companies who get hit, and that are not sufficiently covered,” Guntrip said.

In the coming months and years, he believes organizations will become much more accurate in calculating what the cost of a ransomware attack could be for them and adjusting their insurance coverage to match that reality.

Combined with this, as regulations are put in place across many critical verticals, companies are likely to deploy more advanced security to not only attempt to mitigate threats but also to lower their cyberinsurance premiums.

“Insurance will become a more integrated step in ransomware payment—to the point that it is no longer profitable for the insurance companies. As an analogy, this is similar to what we have seen in terms of obtaining fire coverage for properties in areas with a high risk for wildfires,” he said. “At that point, companies will likely struggle to define their security risk tolerance.”

A Global Issue

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, said in many ways, the news about ransomware is similar to the news of global issues at the forefront.

“Ransomware impacts us all in different ways, either as something we have experienced directly or have heard about the impact of from peers,” he said. “The velocity of ransomware is the biggest change for the world and it does require a change in posture.”

Previously, a vulnerability or a misconfigured single-factor user account could have sat unaddressed for a much longer period of time.

He pointed out that the early VMware Horizon ransomware campaigns kicked off with a high rate of attacks against exposed targets, with targeting information easily obtained from sources such as Censys, Shodan and Zoomeye.

“Ransomware is only as dire as the maturity and posture of an organization,” Warner added. “Focusing on defense-in-depth and detection of threats, consistent with ransomware playbooks at each layer from on-premises to cloud, will help significantly reduce ransomware risk.”

Andrew Barratt, vice president at Coalfire, said the situation is “pretty dire,” and added that ransomware has become a go-to weaponization strategy for bad actors who have multiple motives, such as pure cash extraction.

He pointed out that ransomware can be monetized quickly for a return, or, where initial access was bought ‘wholesale’, used for targeted disruption by nation-states with a degree of plausible deniability.

“It has really become the Swiss Army knife of the malware family,” he said.

Barratt explained that a strong defense against ransomware is hard to build, as it requires both the ability to recover well from backups and sophisticated endpoint defenses that can spot ransomware or a potential ransomware binary before it is executed.

“However, as access is often bought wholesale, it is easier to plant ransomware loaders if privileged access is compromised,” he said. “Ransomware really shows why you can’t take your eye off the IT organization on the security side.”

The challenge is that IT security is already overburdened trying to do more with less, which means the temptation to cut corners from a security perspective is greater.

Warner said businesses should invest in products that improve security maturity over time, rather than taking a “more is better” mindset and layering on an overabundance of shiny new security tools. 

“Look for tools that save time for busy security teams, not ones that generate countless alerts that need to be investigated,” he said. “Alert fatigue contributes to burnout and causes security teams to miss crucial alerts, resulting in security gaps.”

Prioritized alerts, for example, help security pros determine which alerts need immediate attention.

He added that playbooks can cut down on investigation time, helping admins quickly take the necessary steps to remediate an incident, while automation can also help; dynamic blocklists, for example, can automatically block malicious source IPs or domains.

Human Error Remains the Greatest Risk

Finally, the study revealed that respondents’ biggest concern is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware.

Barratt said it’s difficult to make employee training more effective, because the training should only be there to help enforce a culture of understanding and reduction in blame.

“Too often, blame culture kicks in and destroys any good work done by awareness training,” he said. “The reality is that better technical restrictions are needed, and the education should focus on ‘Why you can’t just do whatever you want on your computer,’ rather than ‘Hey, don’t click that link.’”

Guntrip said another issue that may harm organizations in the future is that while many companies look to limit exposure, many only care about ransomware while they are under attack.

As organizations layer their backup/response plans (useful once the ransom has been demanded) with detection and response (useful while an attack is underway) and add preventative layers (to stop the initial incursion into the network), they will become more tolerant of attacks.

“The best time to prevent ransomware and put in place a process and a response plan is when nothing is happening and there’s no imminent event underway,” Guntrip said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
