THE RISE OF ENTERPRISE RANSOMWARERisk exposure & strategies for mitigation

www.safe.security

2

SAFE SECURITY GUIDE TO ENTERPRISE RANSOMWARE

Overview• The rise of enterprise ransomware

• Ransomware is changing

• The cost and business impact of ransomware

• Global ransomware statistics and your exposure to attack

• How to stay one step ahead of attackers with breach prediction

• How SAFE works: Beyond a score

Safe Security Guide to Enterprise Ransomware

3

As ransomware becomes more sophisticated, Big Game Hunting activities have increased. Rather than synchronizing attacks on multiple organizations, cyber criminals are focusing their efforts on large companies that will yield a higher return on investment.

This form of cyberattack is known as enterprise ransomware.

Enterprise ransomware is very different to its predecessors:

It aims to destroy, not encrypt

Data backups alone will not resolve an attack

Company credentials and data is likely to be stolen and leaked

Attackers aim to expose sensitive data

Customers may be contacted directly and threatened

When attacking organizations with deeper pockets, cybercriminals seek to increase their financial gain without any increase in effort, which is why enterprise ransomware attacks are so aggressive.

The rise of enterpriseransomware

4

201920182014 20172013 20162010 20152009200820062005

The evolution of modern ransomware

First variants of modern ransomware appear in the wild

Scareware dominated by fake AV and rogue utility tools

Over 10,000ransomware samples• Birth of Bitcoin

• Screen-lockingransomware appears

Over 250,000 ransomware samples• CryptoLocker appears• Use of 2048-bit RSA

encryption keys• Ransomware set at $300

• CryptoLocker revenue:$30 million in 100 days

JavaScript ransomware appears• Locky rise• Hospital pays

$17,000 ransom

• Ransomware revenue> $ 1 billion

Emergence of big game hunting

Ransomware goes from 56-bit encryption to 660-bit RSA public key encrypiton

Malware evolves from pushing rogue antivirus (AV) to encrypting files

• Scaom program FileFix ProExtorts $40 to “help” decrypt files

Over 10,000 ransomware samples• Ransoms set to $200

• Law enforcementimitation ransomware

Over 4 million ransomware samples• Ransomware-

as-a-service appears

• TeslaCrypt appears

Nation-state sponsored WannaCry and NotPetya combine worm-like techniques to spread worldwide

BGH targets state and local governments

• Local governmentpays $460K in ransom

201920182014 20172013 20162010 20152009200820062005

The evolution of modern ransomware

First variants of modern ransomware appear in the wild

Scareware dominated by fake AV and rogue utility tools

Over 10,000ransomware samples• Birth of Bitcoin

• Screen-lockingransomware appears

Over 250,000 ransomware samples• CryptoLocker appears• Use of 2048-bit RSA

encryption keys• Ransomware set at $300

• CryptoLocker revenue:$30 million in 100 days

JavaScript ransomware appears• Locky rise• Hospital pays

$17,000 ransom

• Ransomware revenue> $ 1 billion

Emergence of big game hunting

Ransomware goes from 56-bit encryption to 660-bit RSA public key encrypiton

Malware evolves from pushing rogue antivirus (AV) to encrypting files

• Scaom program FileFix ProExtorts $40 to “help” decrypt files

Over 10,000 ransomware samples• Ransoms set to $200

• Law enforcementimitation ransomware

Over 4 million ransomware samples• Ransomware-

as-a-service appears

• TeslaCrypt appears

Nation-state sponsored WannaCry and NotPetya combine worm-like techniques to spread worldwide

BGH targets state and local governments

• Local governmentpays $460K in ransom

Safe Security Guide to Enterprise Ransomware

5

Ransomware is changingOne of the first ransomware attacks documented was the PS Cyborg. Harvard-trained evolutionary biologist Joseph L. Popp sent 20,000 infected diskettes labelled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.

Victims were asked to send $189 to a P.O. box in Panama to restore access to their systems.

However, ransomware as an attack vector, was not common until the turn of the 21st century. The invention of cryptocurrencies, such as Bitcoin in 2010, changed everything, providing an untraceable mode of payment and in 2011, as a result, ransomware activities escalated. Approximately 60,0001 new ransomware events were detected in 2011 and by 2012, the number more than doubled to over 200,000.

EXECUTIVE OVERVIEW

1 A Brief History of Ransomware Crowdstrike, A Brief History of Ransomware Varonis6

Traditional Ransomware Vs Enterprise Ransomware

Safe Security Guide to Enterprise Ransomware

7

Traditional Ransomware Enterprise Ransomware

TargetEvery attack targets multiple smaller organizations

Attackers target one medium to large organization at any one time

Tactics Attacks are automated Attacks are deployed manually

DeploymentAttackers aim to corrupt as many computers as possible

Each attack is highly targeted and controlled using administration tools

Timing Undertaken on an ad-hoc basis Timed to cause maximum disruption

Ransomware WannaCry, NotPetya BitPaymer, SamSam, Dharma

It is estimated that globally, a ransomware attack occurs every 11 seconds. In 2020, the FBI reported a 225% increase in losses caused by ransomware attacks in the U.S. This year, global losses as a result of ransomware damage are projected to reach $20 billion.

On average, it costs organizations US$800,00 to rectify the impact of ransomware attacks (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.). It is therefore not surprising that we have witnessed an increase in the number of organizations who are willing to pay a ransom in order to resume normal business activities. However, of the 32% of organizations who paid ransoms in 2021, 92% did not get their data back.

Paying ransoms can ultimately double the cost of an attack – the cost to recover data and assume normal service are likely to be the same whether the data is retrieved from cybercriminals or restored from backups.

The business impact of ransomware

THE COST AND BUSINESS IMPACT OF RANSOMWARE

1 A Brief History of Ransomware Crowdstrike, A Brief History of Ransomware Varonis8

Top 5 areas of impact following a ransomware attack

1. Loss of Business Revenue: 66%2 of organizations reported a significant loss of revenue following a ransomware attack.

2. C-Level Talent Loss: 32%3 of organizations reported losing C-Level talent as a direct result of ransomware attacks

3. Brand and Reputation Damage: 53%4 of organizations indicated that their brand and reputation were damaged as a result of a successful attack

4. Redundancies: 29%5 reported being forced to make redundancies due to financial pressures following a ransomware attack

5. Business Closures: A startling 26%6 of organizations reported that a ransomware attack forced the business to close their business for some period of time.

Safe Security Guide to Enterprise Ransomware

2, 3, 4, 5, 6Cybereason. Ransomware: The True Cost to Business 9

100

Global Average

Percentage of organizations hit by ransomware in the last year82%

65%63%

60%60%59%58%57%55%53%53%52%52%

49%48%48%

45%

45%44%44%42%41%40%39%

30%28%24%

Source: THE STATE OF RANSOMWARE 2020- Sophos

In the last year, has your organization been hit by ransomware? Base: 5,000 respondents.

10 7, 8Sophos (May 2020). The State of Ransomware 2020

The global impact of ransomware is significant. In the last year, over 50%7 of organizations surveyed in 13 countries including the U.S. Germany, France, India and Brazil have reported a ransomware attack.

The most common sectors experiencing a ransomware event were the leisure, IT & telecoms and energy/utilities industries – each reporting over 50% of organizations with experience of an attack in 2020.8 Other industries reporting high levels of ransomware attacks were professional services, construction, retail, financial services and manufacturing.

Global ransomware statisticsTHE COST AND BUSINESS IMPACT OF RANSOMWARE

There are distinct signs that ransomware is not slowing down, we have already witnessed a 41%9 increase in ransomware attacks since the beginning of 2021 and a 93% increase year on year.

“Ransomware has evolved from an ad-hoc single attack event to planned and systematic activity taken upon by cybercriminal groups. Since it is planned, it implies that businesses can prepare to prevent it. Unfortunately, cybersecurity is very project-led and not event-led. When you ask a CISO about what their ransomware risk posture is in real-time, their answers are usually in terms of things they have done - deploying EDRs, XDRs and Firewall or being NIST compliant… but the ‘So What?’ of cybersecurity remains unanswered. Knowing your enterprise’s likelihood of a ransomware breach can take you closer to an objective, unified and real time answer.” Saket Modi, CEO and Co-Founder, Safe Security

Gartner’s analysis of clients’ ransomware preparedness shows that over 90%10 of ransomware attacks are preventable, however in many cases, organizations are unaware of the risks they face and the performance of their

security tools.

It is critical that organizations have the empirical evidence to answer the following key questions:

How secure are we?

Do we know what our risks are?

Are we appropriately allocating resources?

Are we spending enough on cyber security?

How are we performing compared to other organizations?

What improvements do we need to make?

Safe Security Guide to Enterprise Ransomware

Understand your exposure to attack

9Checkpoint.com (June 2021). Ransomware attacks continue to surge 10Gartner (December 2019). Defend Against and Respond to Ransomware Attacks 11

There are a host of recommendations to help protect organizations from attack, including investment in strong data backups, technology to prevent unauthorized encryption and ransomware cybersecurity insurance coverage.

It is important to implement a multi-layered approach to enhance defenses and protect data irrespective of whether it is stored on the public cloud, private cloud or on premises.

Such recommendations – although useful – are easier said than done. As organizations continue to invest in cybersecurity services that cater to different aspects of their strategy, they are struggling to ensure their investments communicate with each other and convey cyber risks across the enterprise to senior decision makers. This results in jargon-rich cybersecurity efforts which deliver a disjointed cybersecurity strategy.

The solution to achieving a predictive approach to ransomware attacks lies in an enterprise-wide breach-likelihood metric that spans all vectors including people, process, technology and third-party applications.

Stay one step ahead of attackers with breach prediction

12

PEOPLEDriving theSecurity Culture

RISK SCORE: EFFECTIVENESS & CAPABILITY MATURITYBreach Likelihood per Employee, Hybrid Asset,

LoB/Crown Jewels and 1st/3rd Parties with 5-level CMMC Mapping of 17 Domains

$RISK & CYBER INSURANCEAnalyse $ risk you are sitting on and how your cyber insurance value can

vary based on your SAFE score

ATT&CK & HACK SIMULATIONAtt&ck Matrix and a simulation

of recent Hacks to view how SAFE you are?

REPORTING & ACTIONABLE INSIGHTSView what’s going well and what and

where can controls be improvised

CONTINUOUS COMPLIANCEHow Comprehensive is your

cybersecurity complinace coverage

POLICYCyberSecurity Intent& Governance

CYBERSECURITY PRODUCTS CyberSecurity ControlsFramework & Tools

THIRD PARTY Continuous Third PartyRisk Management (TPRM)

TECHNOLOGYResiliency of yourHybrid Tech Stack

Outputs from SAFE

INPUTS TO SA

FE

Safe Security Guide to Enterprise Ransomware

Enterprise wide breach likelihood360 approach to Continuous, Dynamic & Intelligent Quantitative Cyber Risk Management

13

The solution to having a predictive approach to ransomware attacks lies in knowing an enterprise-wide breach-likelihood metric. This metric should span across all vectors of people, process, technology and third-party. The individual cybersecurity products for these vectors give signals that are aggregated together. Using real-time machine learning-enabled risk quantification, a ransomware breach-likelihood score is generated for every employee, endpoint, cloud asset, business unit and more.

Safe Security’s unique approach predicts where cyber breaches may occur and delivers prioritized, actionable insights through three main deliverables:

1. Real time visibility of exposure to an attack through a single pane of glass view of your security status

2. Assessment of an organization’s ability to manage, measure and mitigate ransomware threats across the entire security stack

3. Documented evidence collated and prioritized in a single report to help teams communicate the specific cyber risks facing their business

Beyond a score: How does SAFE work?

To understand your breach likelihood and learn more about our approach to improving your security posture, get in touch today

www.safe.security

14

15

Safe Security Guide to Enterprise Ransomware

www.safe.security | info@safe.security

Standford Research Park,

3260 Hillview Avenue,

Palo Alto, CA - 94304