Surviving Ransomware - The Secret? Being Proactive!

By: Dave Klein, November 17, 2021

 

 

2021 - the Year of Ransomware

Looking back at 2021, ransomware was without a doubt the top cybersecurity concern on everyone’s mind. The US Treasury Financial Crimes Enforcement Network found that in the first half of 2021, the amount paid out for ransomware reached over $590 million, more than the total paid in all of 2020. News stories on successful ransomware attacks were everywhere, such as Colonial Pipeline, which took down critical US infrastructure, and Kaseya, a combination ransomware/supply chain attack that took down over 1500 companies in a single attack.

 

Assumptions Aside, Let’s Talk Facts 

With that said, we did not think this painted a complete picture of what was really going on. Focused on worst-case scenarios, most of these stories were big on vitriol and short on critical details. At Cymulate, we felt that the underlying questions critical to understanding the current ransomware pandemic were woefully absent from the picture.

We ran a survey on ransomware with enterprises around the globe and received terrific responses. The community spoke candidly and shared vivid details, confirming that this threat touches every organization, regardless of geography, industry, or size. Some of the survey’s results were both surprising and exciting, providing a better understanding of lesser-known aspects of the current ransomware epidemic.  

More importantly, it brought to light clear and decisive prescriptive recommendations on how enterprises could better prepare themselves. By following the survey participants’ example, enterprises can recover more gracefully from ransomware attacks, with minimized damage and a shorter attack lifecycle.

You are welcome to download the full results of the survey, 2021 Ransomware Study – Unexpected Reasons for Optimism, or check out the key takeaways below.

 

Everyone is a Target 

The majority of respondents felt that ransomware had risen above the confines of pure IT concern and reached business leadership and even the boardroom. Whether a respondent had experienced a ransomware attack directly or not, we found that the level of confidence in defeating the next ransomware attack was almost equally low.

Respondents directly targeted by ransomware could not be categorized by any criterion. It seems ransomware attackers prey on everyone equally. There was no region of the world, industry, or enterprise size that had not been a victim of ransomware attacks in a substantial fashion. While there was some risk variance and a few unexpected outliers, be it by region, industry, or size, there was no “get out of jail free” card.

[Figure: Everyone is a victim (charts by size and by region)]

 

For in-depth details and analysis see the full report. 

 

Measuring Impact 

For those who have faced a ransomware attack directly, the survey inquired in detail about the level of damage, attack duration, and frequency, which yielded surprisingly uplifting results. 

The majority of ransomware attack victims were able to recover from a ransomware attack suffering only minimal damage, with just a small minority suffering “considerable” to “business down” damage in an attack. In terms of downtime duration, most victims were also able to recover within a few hours to a few days, with only a small minority taking a week or longer.  

[Figure: Ransomware Impact (charts by damage and by duration)]

                             

 

Reason for Hope 

My excitement level at this point was high. As the survey showed, everyone is targeted, and, more importantly, the heightened awareness and anxiety, which have risen in most cases to the business/boardroom level, have spurred action. These actions resulted in minimized damage and duration for the majority of the respondents who had been hit.

The last survey section brought detailed answers on what enterprises are doing to prevent and/or recover from ransomware gracefully.   

 

Enterprises Become Proactive with Offensive Testing 

For starters, most enterprises reported an increase in budget and headcount as a direct consequence of the rise of ransomware attacks. While ransomware victims added more budget and headcount than non-victims, the difference was not great, as the anxiety induced by the perceived additional risk alone led to similar increases.

Secondly, both among victims and non-victims, the majority of respondents modified their incident response plans to include ransomware. The only disappointing statistic in the survey was that only a minority had practiced these incident response plans. As a cyber security practitioner, I find practicing incident response plans crucial for finding and closing security gaps, optimizing response management, and reducing MTTR. There is no better way to prepare your staff, including business, legal, PR, and executives.

We found that an overwhelming majority of respondents had added traditional security purchases and practices in direct response to ransomware. Enterprises have taken four actions, most prominently adding EDR solutions and multifactor authentication solutions to their security stack.

While EDR and multifactor authentication were the top two improvements made by both ransomware victims and non-victims, the victims’ preferred option was multifactor authentication, while non-victims opted more for EDR. I am curious as to why. So much so that we will do a second ransomware survey at the same time next year and ask more pointed questions about how the ransomware attacks hit victims. The other two traditional security purchases and practices we saw were additional network segmentation and improved backup mechanisms.

Finally, we found that most participants, both ransomware victims and non-victims, had added offensive cybersecurity practices to their cyber defenses. Whereas some had added traditional pen testing, most had gone much further, incorporating advanced offensive testing solutions ranging from continuous automated red teaming, purple teaming, and breach attack simulation to attack-based vulnerability management and attack-surface management. For me, this fact was the most encouraging.

Offensive cyber security practices allow you to test against ransomware threats safely from within your production environment. They provide you with the best way to understand and visualize risk and how to mitigate it, replacing assumptions with testing and empirical results.
By doing so, you optimize your security posture, incident response plans, and people. You reduce your level of risk by establishing a security posture baseline and tracking it over time. You can scale your effort as required and prove the value of your cybersecurity spending through quantified and traceable measurements.

 

4 Steps to be Ready:  

Cyber threats like ransomware are seen as warranted business threats with dire consequences. Rising awareness and anxiety yield action. Cybersecurity is now seen as contributing to enterprise continuity and as strategic to the business's survival and success.

  1. Budgets and staff have increased. 
  2. Incident response plans are generated and modified, and for the better-prepared enterprises – these IR plans are being PRACTICED and optimized.  
  3. EDR, multifactor authentication, additional network segmentation, and improved backup mechanisms are implemented.  
  4. Offensive cyber security practices are added.  

All in all, companies are gaining the upper hand.  

Easily, accurately, and safely test your enterprise against ransomware with our free Cymulate Ransomware Assessment.  


Dave Klein

Dave Klein is the Director of Cyber Evangelism for Cymulate. With more than 21 years of real-world cybersecurity experience, he works with Cymulate teams, customers and industry thought leaders to address the challenges of securing modern enterprise environments. Dave’s long career includes working on the NIST response to President Obama’s Policy Directive 21 on Critical Infrastructure Security and Resilience, leading some of the largest sales engagements for US Federal security solutions, and working with the City of New York post 9/11, helping shore up cyber defenses.