Report: Most Orgs Experience Ransomware Attacks

A recently published study by the Enterprise Strategy Group (ESG) found that most organizations have been victims of ransomware attacks, and that their security countermeasures are not adequate.

The study found that 79 percent of survey respondents said their organizations had experienced a ransomware attack within the past year. Of that number, nearly three quarters also indicated that their organizations had been "financially or operationally impacted by these attacks."

Almost half (42 percent) of organizations represented in the survey had set up cryptocurrency wallets to pay for a future ransom demand. Some organizations (35 percent) indicated that they had purchased insurance plans to address ransomware attacks.

The report, "The Long Road Ahead to Ransomware Preparedness," is based on the responses of "620 IT and cybersecurity professionals" who were surveyed in December and January. The respondents represented various industries in North America (65 percent) and Western Europe (35 percent). The ESG study was sponsored by Copenhagen, Denmark-based data protection service provider Keepit, which offers a public link to the study.

More than half (56 percent) of the organizations represented in the survey paid a ransom to get back access to their data, applications or systems. However, just one in seven of those paying the ransom got full access to their data in return.

Attack Avenues
E-mail wasn't the main conduit for initiating ransomware attacks. The report instead pointed to "vulnerable software and misconfigurations" as the principal entry points. The respondents characterized the initial compromise areas of ransomware attacks as follows:

  • Application software vulnerability -- 36 percent
  • Systems software vulnerability -- 33 percent
  • Application user permissions and misconfigurations -- 31 percent
  • Misconfiguration of externally exposed device -- 31 percent
  • E-mail -- 27 percent

However, application protection lagged. Only 14 percent of the respondents agreed that they were protecting "more than 90 percent of mission-critical applications."

About half (52 percent) of the respondents agreed that their organizations have vulnerability management gaps. Some of the top security controls against ransomware attacks included network security (43 percent), backup infrastructure security (40 percent), endpoint security (39 percent), e-mail security (36 percent), data encryption (36 percent) and identity and access controls (33 percent).

Detection Tools
More than half (55 percent) of the respondents said that they used endpoint detection and response solutions to detect attacks. More than half (54 percent) used a security information and event management solution. The same percentage also used data protection analytics tools.

Response to attacks mostly got handled by internal IT staff, although half of the respondents used the services of managed detection and response providers. More than half (53 percent) of the respondents said they had formal communications plans to respond to ransomware attacks.

Backup and Restore
Ransomware typically targets backup systems to enforce ransom demands. The study found that almost half of the respondents (49 percent) said that they "take extra measures for all their backup copies."

The study generally favored the use of an "air-gapped" backup restoration capability to deal with ransomware attacks. Of the respondents, 37 percent said that they could restore data from an "air-gapped or isolated protection storage." However, another finding in the study was that just 30 percent had actually deployed an air-gapped solution.

Data restorations were tested weekly or more often by 41 percent of organizations, per the survey results. However, the report's authors suggested that such a "testing cadence appears to be too low to sustain the current influx of attacks and their consequences." The authors added that data restorations after a ransomware attack are "not as straightforward as a 'normal' recovery, unless the data in the backups has been analyzed and deemed 'clean.'"

The study's sponsor, Keepit, had its view of the findings. Jakob Østergaard, Keepit's chief technology officer, commented that organizations are concerned that their backup copies could get corrupted by ransomware, but Keepit offers a solution.

"Our strategy is to build in security from the ground up with immutable, blockchain-verified technology, encryption, and air-gapping, and the ESG study clearly documents how," Østergaard said, in a released statement.

Keepit bills itself as "the world's only vendor-neutral and independent cloud." It offers threat analysis and mitigation services supported by blockchain technology.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.