As ransomware becomes more targeted and dangerous, backup remains critical in minimizing its impact

Ransomware attacks today are more targeted and lethal than ever: backup is a key part of minimizing its risks

Ransomware is evolving; the risk it poses is today more costly than ever before. That, at least, is according to data put forward in a report published earlier this month by UK cyber security organization Sophos. The data, based on survey responses from 5,000 IT professionals around the world, suggests that while ransomware attacks appear to be declining — 51% of this year’s respondents said they had experienced a ransomware attack compared to 54% in 2017 when Sophos last ran a ransomware survey — these attacks are today more potent than ever.

“In 2017 mass market ‘spray and pray’ desktop ransomware was very common based on insights from SophosLabs” the report states. “These attacks were spread widely and indiscriminately, resulting in a high number of organizations being hit. Now, in 2020, the trend is for server-based attacks. These are highly-targeted, sophisticated attacks that take more effort to deploy.”

This means that organizations need to remain vigilant; complacency could be devastating. On average, ransomware the survey reports that the cost of remediation is, on average, costs $761,106 to recover from. For a business of any size, that’s going to seriously hurt you.

However, the report isn’t all doom and gloom. Sophos is eager to point out that its research underlines a number of key things that can help businesses to mitigate and better manage the ever present risk of ransomware attacks. Backup, the report shows, is one critical element — 56% of those respondents that had their data encrypted by attackers recovered it through backup.

That figure, while demonstrating just how important backup can be in tackling ransomware, also highlights that there are many organizations missing a critical component in their line of defence.

And although it’s true that a good cyber security posture is about much more than a single software product or service, the insights of Sophos study only further underlines how important it is to adopt a considered and proactive approach towards modern security threats.

Learn more about how Macrium protects backups against ransomware attacks with Macrium Image Guardian.

The cost of ransomware attacks

Any threat — software or otherwise — often only becomes tangible when there is a cost attached. There are many different studies and approaches to determining the cost of ransomware — and indeed, the picture is complex, as a single attack has a ripple effect. Costs are not only drawn by, say, paying the ransom to restore your data, but also by downtime and the knock on impact on other software releases.

However, through self-reporting, the Sophos report does a good job of offering a global snapshot of the cost of a global ransomware attack. As noted above, on average, the cost of a ransomware attack around the world is a not insignificant $761,601.

When you break this down by the size of the respondent’s organization, the figures demonstrate that attacks can be painful for both big and small businesses: for organizations with between 100 and 1,000 employees, a ransomware attack costs, on average $505,827; for larger organizations with between 1,000 and 5,000 employees, that sum almost doubles to $981,140.

This indicates that business size isn’t really a determining factor for being a victim of ransomware attacks. Put simply, all organizations need to be serious about the impact a potential ransomware attack could have on their business.

The cost of paying the ransom

One of the most interesting pieces of information in the Sophos report is that victims of ransomware end up, on average, paying twice as much as those that don’t. Sophos explains this by saying that “even if you pay the ransom, you still need to do a lot of work to restore the data.” The report continues, “the costs to recover the data and get things back to normal are likely to be the same whether you get the data back from the criminals or from your backups. But if you pay the ransom, you’ve got another big cost on top.”

While paying a ransom might sometimes be viewed as a quick fix to solve a successful ransomware attack, this data proves that such short term thinking will likely have a significant negative financial impact. Indeed, this is where backup software reveals its value — the 56% of companies that recovered their data through backup clearly saved a huge amount of money.

Where and how are ransomware attacks take place

It’s clear that ransomware attacks cost serious money. But what’s more, the Sophos report also highlights that victims of such attacks aren’t those that usually steal the headlines — hospitals, universities, and other government agencies and bodies.

In fact, public sector organizations, according to Sophos’ results, suffered the fewest attacks last year (45% of organizations, compared to the overall average of 51%).

“At first glance this is surprising” the report notes. “The news is full of stories of hospitals and government organizations that have been held to ransom.” However, it provides some useful context, explaining that while the public sector is required to report ransomware attacks, no such requirements exist or private sector organizations. This hints, then, at a huge number of unreported ransomware attacks lurking in the shadows of cyber security statistics.

This demonstrates that the widespread view that public sector organizations are the most vulnerable to ransomware attacks is false. Ransomware attacks happen across industries and sectors — as mentioned at the top, complacency could be devastating.

The vulnerability of public cloud

Public cloud has been an ever increasing part of how the world uses and builds software. For that reason it’s not unexpected that ransomware attacks should hit data on public clouds much more than anywhere else. However, Sophos report underlines this fact, with data showing that 59% of all ransomware attacks where data was encrypted (ie. successful) involved data residing in public clouds.

Sophos adds a caveat to this, saying that “it’s likely that respondents took a broad interpretation of public cloud, including services such as Google Drive and Dropbox and cloud backup such as Veeam”, not just large public cloud platforms like AWS. However, whatever the reality, Sophos takeaway is one we agree with wholeheartedly: “no data is safe, and you should ensure data stored in the cloud is as well protected and backed-up as data stored on premises.”

(Indeed, it would be interesting to dig deeper here to find out what platforms and cloud based products are the most common targets for ransomware attacks.)

Ransomware attack techniques vary

Just as no single industry or sector is susceptible to ransomware attacks, the report also reveals that attackers use a wide range of techniques. File downloads and malicious links via email account for the highest percentage of attacks at 29%, with remote attacks on servers in second with 21%. However, there was a relatively even spread across multiple approaches.

“Attackers are using a range of techniques and whichever defense has a weakness is how they get in. When one technique fails they move on to the next, until they find a weak spot,” the report suggests.

Conclusion: backup is the foundation of any defense against ransomware

Even though there are signs that ransomware attacks are declining (although it’s probably worth bearing in mind that this data was collected before the current Coronavirus pandemic), the report indicates that attackers are becoming smarter and more sophisticated in their approaches. To make things even more complex, it’s incredibly difficult to anticipate how and where these attacks will take place.

“Just focusing on a single technology is a recipe for infection, Sophos argues. This is true in a number of ways — not only can ransomware attacks take hold through many different routes, one single technology or product (like, for example, insurance). Is not enough to remove the risks of ransomware.

Ultimately, IT leaders need to adopt a thoughtful approach to their cyber security and infosec strategy — one which is open minded and sensitive to all points of vulnerability and potential weakness.

However, there are some vital foundations that are undoubtedly essential — and backup — offline and offsite, the report advises — is one of these. Given that paying a ransom can double the costs of an attack, simple, reliable backup doesn’t just make technological sense, it makes financial sense too.

Macrium can defend backup files from ransomware attacks thanks to Macrium Image Guardian.

Explore Macrium’s range of backup products for personal and business use here.