THE RISE OF ENTERPRISE RANSOMWARE
Risk exposure & strategies for mitigation
www.safe.security
SAFE SECURITY GUIDE TO ENTERPRISE RANSOMWARE
Overview
• The rise of enterprise ransomware
• Ransomware is changing
• The cost and business impact of ransomware
• Global ransomware statistics and your exposure to attack
• How to stay one step ahead of attackers with breach prediction
• How SAFE works: Beyond a score
As ransomware becomes more sophisticated, Big Game Hunting activities have increased. Rather than synchronizing attacks on multiple organizations, cyber criminals are focusing their efforts on large companies that will yield a higher return on investment.
This form of cyberattack is known as enterprise ransomware.
Enterprise ransomware is very different from its predecessors:
• It aims to destroy, not encrypt
• Data backups alone will not resolve an attack
• Company credentials and data are likely to be stolen and leaked
• Attackers aim to expose sensitive data
• Customers may be contacted directly and threatened
When attacking organizations with deeper pockets, cybercriminals seek to increase their financial gain without any increase in effort, which is why enterprise ransomware attacks are so aggressive.
The rise of enterprise ransomware
The evolution of modern ransomware
[Timeline figure. Years shown: 2005, 2006, 2008, 2009, 2010, 2013, 2014, 2015, 2016, 2017, 2018, 2019. Events shown:]
• First variants of modern ransomware appear in the wild
• Scareware dominated by fake AV and rogue utility tools
• Over 10,000 ransomware samples; birth of Bitcoin; screen-locking ransomware appears
• Over 250,000 ransomware samples; CryptoLocker appears; use of 2048-bit RSA encryption keys; ransoms set at $300; CryptoLocker revenue: $30 million in 100 days
• JavaScript ransomware appears; Locky rise; hospital pays $17,000 ransom; ransomware revenue > $1 billion
• Emergence of big game hunting
• Ransomware goes from 56-bit encryption to 660-bit RSA public key encryption
• Malware evolves from pushing rogue antivirus (AV) to encrypting files; scam program FileFix Pro extorts $40 to “help” decrypt files
• Over 10,000 ransomware samples; ransoms set to $200; law enforcement imitation ransomware
• Over 4 million ransomware samples; ransomware-as-a-service appears; TeslaCrypt appears
• Nation-state sponsored WannaCry and NotPetya combine worm-like techniques to spread worldwide
• BGH targets state and local governments; local government pays $460K in ransom
Ransomware is changing
One of the first documented ransomware attacks was PC Cyborg. Harvard-trained evolutionary biologist Joseph L. Popp sent 20,000 infected diskettes labelled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
Victims were asked to send $189 to a P.O. box in Panama to restore access to their systems.
However, ransomware as an attack vector was not common until the turn of the 21st century. The invention of cryptocurrencies, such as Bitcoin in 2010, changed everything by providing an untraceable mode of payment, and as a result ransomware activity escalated in 2011. Approximately 60,000¹ new ransomware events were detected in 2011 and by 2012, the number more than doubled to over 200,000.
EXECUTIVE OVERVIEW
¹ A Brief History of Ransomware, CrowdStrike; A Brief History of Ransomware, Varonis
Traditional Ransomware Vs Enterprise Ransomware
| | Traditional Ransomware | Enterprise Ransomware |
|---|---|---|
| Target | Every attack targets multiple smaller organizations | Attackers target one medium to large organization at any one time |
| Tactics | Attacks are automated | Attacks are deployed manually |
| Deployment | Attackers aim to corrupt as many computers as possible | Each attack is highly targeted and controlled using administration tools |
| Timing | Undertaken on an ad-hoc basis | Timed to cause maximum disruption |
| Ransomware | WannaCry, NotPetya | BitPaymer, SamSam, Dharma |
It is estimated that globally, a ransomware attack occurs every 11 seconds. In 2020, the FBI reported a 225% increase in losses caused by ransomware attacks in the U.S. This year, global losses as a result of ransomware damage are projected to reach $20 billion.
On average, it costs organizations US$800,00 to rectify the impact of ransomware attacks (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.). It is therefore not surprising that we have witnessed an increase in the number of organizations who are willing to pay a ransom in order to resume normal business activities. However, of the 32% of organizations who paid ransoms in 2021, 92% did not get their data back.
Paying ransoms can ultimately double the cost of an attack – the costs to recover data and resume normal service are likely to be the same whether the data is retrieved from cybercriminals or restored from backups.
The business impact of ransomware
THE COST AND BUSINESS IMPACT OF RANSOMWARE
Top 5 areas of impact following a ransomware attack
1. Loss of Business Revenue: 66%² of organizations reported a significant loss of revenue following a ransomware attack.
2. C-Level Talent Loss: 32%³ of organizations reported losing C-Level talent as a direct result of ransomware attacks.
3. Brand and Reputation Damage: 53%⁴ of organizations indicated that their brand and reputation were damaged as a result of a successful attack.
4. Redundancies: 29%⁵ reported being forced to make redundancies due to financial pressures following a ransomware attack.
5. Business Closures: A startling 26%⁶ of organizations reported that a ransomware attack forced them to close their business for some period of time.
², ³, ⁴, ⁵, ⁶ Cybereason. Ransomware: The True Cost to Business
[Figure: Percentage of organizations hit by ransomware in the last year, with global average]
Source: The State of Ransomware 2020, Sophos
In the last year, has your organization been hit by ransomware? Base: 5,000 respondents.
⁷, ⁸ Sophos (May 2020). The State of Ransomware 2020
The global impact of ransomware is significant. In the last year, over 50%⁷ of organizations surveyed in 13 countries, including the U.S., Germany, France, India and Brazil, have reported a ransomware attack.
The most common sectors experiencing a ransomware event were the leisure, IT & telecoms and energy/utilities industries – each reporting over 50% of organizations with experience of an attack in 2020.⁸ Other industries reporting high levels of ransomware attacks were professional services, construction, retail, financial services and manufacturing.
Global ransomware statistics
There are distinct signs that ransomware is not slowing down: we have already witnessed a 41%⁹ increase in ransomware attacks since the beginning of 2021 and a 93% increase year on year.
“Ransomware has evolved from an ad-hoc single attack event to planned and systematic activity taken upon by cybercriminal groups. Since it is planned, it implies that businesses can prepare to prevent it. Unfortunately, cybersecurity is very project-led and not event-led. When you ask a CISO about what their ransomware risk posture is in real-time, their answers are usually in terms of things they have done - deploying EDRs, XDRs and Firewall or being NIST compliant… but the ‘So What?’ of cybersecurity remains unanswered. Knowing your enterprise’s likelihood of a ransomware breach can take you closer to an objective, unified and real time answer.” Saket Modi, CEO and Co-Founder, Safe Security
Gartner’s analysis of clients’ ransomware preparedness shows that over 90%¹⁰ of ransomware attacks are preventable; however, in many cases organizations are unaware of the risks they face and the performance of their security tools.
It is critical that organizations have the empirical evidence to answer the following key questions:
• How secure are we?
• Do we know what our risks are?
• Are we appropriately allocating resources?
• Are we spending enough on cyber security?
• How are we performing compared to other organizations?
• What improvements do we need to make?
Understand your exposure to attack
⁹ Checkpoint.com (June 2021). Ransomware attacks continue to surge
¹⁰ Gartner (December 2019). Defend Against and Respond to Ransomware Attacks
There are a host of recommendations to help protect organizations from attack, including investment in strong data backups, technology to prevent unauthorized encryption and ransomware cybersecurity insurance coverage.
It is important to implement a multi-layered approach to enhance defenses and protect data irrespective of whether it is stored on the public cloud, private cloud or on premises.
Such recommendations – although useful – are easier said than done. As organizations continue to invest in cybersecurity services that cater to different aspects of their strategy, they are struggling to ensure their investments communicate with each other and convey cyber risks across the enterprise to senior decision makers. This results in jargon-rich cybersecurity efforts which deliver a disjointed cybersecurity strategy.
The solution to achieving a predictive approach to ransomware attacks lies in an enterprise-wide breach-likelihood metric that spans all vectors including people, process, technology and third-party applications.
Stay one step ahead of attackers with breach prediction
[Figure: Enterprise-wide breach likelihood. 360 approach to Continuous, Dynamic & Intelligent Quantitative Cyber Risk Management]

Inputs to SAFE
• PEOPLE: Driving the Security Culture
• POLICY: CyberSecurity Intent & Governance
• CYBERSECURITY PRODUCTS: CyberSecurity Controls Framework & Tools
• THIRD PARTY: Continuous Third Party Risk Management (TPRM)
• TECHNOLOGY: Resiliency of your Hybrid Tech Stack

Outputs from SAFE
• RISK SCORE: EFFECTIVENESS & CAPABILITY MATURITY: Breach Likelihood per Employee, Hybrid Asset, LoB/Crown Jewels and 1st/3rd Parties with 5-level CMMC Mapping of 17 Domains
• $ RISK & CYBER INSURANCE: Analyse the $ risk you are sitting on and how your cyber insurance value can vary based on your SAFE score
• ATT&CK & HACK SIMULATION: ATT&CK Matrix and a simulation of recent hacks to view how SAFE you are
• REPORTING & ACTIONABLE INSIGHTS: View what’s going well, and what controls can be improved and where
• CONTINUOUS COMPLIANCE: How comprehensive is your cybersecurity compliance coverage
The solution to having a predictive approach to ransomware attacks lies in knowing an enterprise-wide breach-likelihood metric. This metric should span across all vectors of people, process, technology and third-party. The individual cybersecurity products for these vectors give signals that are aggregated together. Using real-time machine learning-enabled risk quantification, a ransomware breach-likelihood score is generated for every employee, endpoint, cloud asset, business unit and more.
Safe Security’s unique approach predicts where cyber breaches may occur and delivers prioritized, actionable insights through three main deliverables:
1. Real time visibility of exposure to an attack through a single pane of glass view of your security status
2. Assessment of an organization’s ability to manage, measure and mitigate ransomware threats across the entire security stack
3. Documented evidence collated and prioritized in a single report to help teams communicate the specific cyber risks facing their business
Beyond a score: How does SAFE work?
To understand your breach likelihood and learn more about our approach to improving your security posture, get in touch today
www.safe.security
Stanford Research Park,
3260 Hillview Avenue,
Palo Alto, CA - 94304