The rapid rise of ransomware has made it the latest marquee threat in cybersecurity. The growth in victims and damages has been widely reported, with successful attacks being waged against organizations of all sizes and stripes. However, this trend has had a disproportionate impact on small and medium-sized businesses.
To get a fresh, direct line on the effect ransomware is having on these organizations, we surveyed members of Spiceworks, an IT community site with well over a million account holders that is geared to IT administrators and managers in the SMB space. We asked respondents whether they had been victims of ransomware, how they responded (or how they thought they would respond), and how the threat of ransomware has affected their organization. Their answers were consistent and described a common frustration, resignation, and uncomfortable urgency with the issue.
When They Get Hit, They Disconnect
Most ransomware does not hide the fact it has just locked down your system or encrypted your critical files. It alerts you. As a result, a majority of survey respondents said they were aware they had been compromised within an hour of the event. 90% were aware of the attack within 24 hours.
This is very different from traditional data breaches, where the average time of discovery is measured in months, not hours, according to research from Ponemon Institute.
Unfortunately, the mission of the ransomware attack is accomplished in a much shorter period. Typical lockdown or encryption of a system happens within a minute or two of the ransomware’s execution. At that point, there are only two choices left: pay or start cleaning up. Regardless, the very first task most survey respondents focus on is isolating the infection. 75% of the victims pull the machines as soon as possible and begin some form of restoration process.
Common Ground: Don’t Pay
The most surprising response was the near-unanimous resistance of these IT professionals to paying the ransom. Reporting on attacks at places like Hollywood Presbyterian Hospital in California and others has shown the willingness of organizations to pay. Back in 2014, Kent University reported that 40% of CryptoLocker victims had chosen to pay, and more recently the US DoJ reported on millions spent on ransomware and recovery efforts since 2005.
Both of the respondent groups (prospective and actual victims) agreed that paying was not a viable option, as 95% of ransomware victims refused to pay the ransom. Over 80% of the not-yet victims also indicated they wouldn’t pay if they were attacked. Their reasons were mixed, but most were unconvinced paying would result in them actually getting their data back. Others felt that they would do well enough by restoring from their own backups.
Lessons Learned: Backups Can Come Up Short
The most common mitigation for these organizations was to restore their affected systems from backup. The unaffected groups indicated that they were backing up almost 100% of their data, and 81% felt that these backups would allow them to completely recover. Unfortunately, among the victims, only 42% were able to recover all of their data during the restoration process. They were able to make substantial progress in recovery, but their comments highlighted gaps that included unmonitored and failed backups, accessible backup drives that were also encrypted, and the loss of between 1 and 24 hours of data from their last incremental snapshot.
An effective backup strategy is the most common recommendation for organizations looking to blunt the effect of ransomware. Surprisingly, when these administrators were asked what changes they made to their security in the wake of the attack, only 8% of the victims reported improving their backup strategies. Instead, the majority focused on increased restrictions of access and content through technology (63%) and providing additional awareness training in hopes of changing user behavior (47%).
The market forces driving ransomware are still in their infancy. The business models, tools, and actors are evolving, and defensive strategies need to do so as well.
Even now, existing ransomware tools like TeslaCrypt and Locky are emerging with new techniques and improved abilities to hide themselves and spread. This survey helps highlight three key areas where the actual victims and targets of ransomware see the need to improve:
● They want new tools that will help to prevent them from becoming victims.
● They want to help their users understand the threats they face, so that users become a defensive asset and not a vulnerability.
● They want to be able to broadly recover without paying the criminals.
If they can accomplish these three things, the profit motive driving the growth in ransomware will begin to erode. Then organizations can turn their focus to addressing whatever new criminal trend will be waiting around the corner.