What Is Ransomware?
Ransomware is a type of malware that denies authorized users access to a system’s files: it encrypts them so they’re unusable until the targeted individual or company pays a ransom for the decryption key. Two figures show the scale of the problem:
- Worldwide, over 200 million ransomware attacks occurred in the first half of 2022.
- 43% of all global ransomware attacks occur in the United States.
Ransomware attacks first hit the scene in 1989 and continue to grow in breadth and sophistication. Threat actors initially used ransomware in phishing attacks targeting an individual’s personal computer. Now, threat actors are using global ransomware attacks to extort millions of dollars from large corporations, governments, and regulatory organizations.
Whereas ransomware was originally deployed largely by individual threat actors, now large ransomware groups dominate the landscape. These groups function like legal organizations with sophisticated infrastructure, funding, and advanced tools to carry out devastating attacks.
In 2016, threat actors began producing and selling ransomware variants in packages to interested parties — often with technical support from the developer. This Ransomware as a Service (RaaS) model revolutionized ransomware, eliminating the need for specialized knowledge to use the malware.
Who’s At Risk?
Ransomware groups thoroughly research potential targets, narrowing down the search with the following criteria:
- Technical: Does the potential target have exploitable system vulnerabilities? Ransomware groups often look for low-hanging fruit or organizations with a poor security posture.
- Industry: Is the organization in a desirable industry? For example, industries that depend on their reputation to be successful (more likely to pay a ransom quickly), industries in the midst of a digital transformation (more likely to have security vulnerabilities from the mix of legacy and updated infrastructure), and highly interconnected industries (more likely to have vendors with shared data) are more likely to be targeted.
- Ransom payment likelihood: Will the organization pay? Ransomware gangs research each potential victim’s financial status to determine the probability of a ransom payout. This includes considering the success of past ransomware attacks and recent changes in the target’s financial status.
In our 2023 Ransomware Threat Landscape Report, we analyzed ransomware attack data from nearly 3,000 attacks publicized by ransomware groups on their underground blogs to identify emerging trends among threat actors and their targets. Trend highlights include:
- Nearly 35% of all ransomware victims were in the following industries:
- Technical services.
- Ransomware groups target companies with annual revenues of $50-60 million.
- Second to the U.S., organizations based in Europe are more likely to be targeted by ransomware groups.
Do You Know Your Cyber Ecosystem’s Ransomware Risk?
When it comes to ransomware, most organizations take the necessary precautions to protect themselves against threat actors trying to access company data and hold it for ransom.
An organization’s ransomware protection strategy might include:
- Educating employees to raise awareness of common ransomware attack types and how to avoid them.
- Using anti-malware tools to monitor email traffic, block suspicious file transfers, and perform system scans.
- Patching system software and performing regular maintenance to ensure it’s up-to-date and secure.
While implementing internal ransomware protection strategies is important, many organizations don’t consider protection against third-party ransomware risk. Our 2023 Third Party Breach Report found that ransomware accounted for 27% of all third-party breaches in the last year.
As businesses grow more interconnected, it’s critical to consider your company’s ransomware security posture and the security posture of your entire cyber ecosystem, including any third- and fourth-party vendors you’re working with.
The Cost of Ransomware
The first cost that comes to mind with ransomware is the actual ransom. In the past year, we’ve seen an increase in ransom amounts demanded by threat actors, including the largest ransom yet in February of 2023.
Prominent ransomware group LockBit demanded $80 million from Royal Mail, the UK’s leading mail delivery service. Here are a few examples of other large ransoms demanded in the past year:
- July 2022: The Conti ransomware group gained entry to the Costa Rican government’s files, stole and encrypted data, and demanded a ransom of $20 million.
- August 2022: Ransomware group LockBit targeted a regional hospital system outside of Paris, CHSF Hospital Essonnes, stole data and demanded a ransom of $10 million.
- October 2022: German automotive parts producer Continental received a ransom request of $50 million after ransomware group LockBit stole 40 terabytes of internal company data.
While ransom amounts are on the rise, most people fail to consider the other serious effects of these attacks, which include:
- Business disruption: When an organization cannot access files, it can dramatically impact the company’s ability to function. If the disruption is in an industry with time-sensitive work like healthcare, a patient’s health outcome could be affected.
- Reputation damage: Many ransomware attacks go unreported. Some companies consider it easier to pay the ransom, retrieve the files, and resume normal operations. Why? Announcing a ransomware attack can seriously impact an organization’s financial standing or potential partnerships and alter customer perception. This is especially true of high-trust industries like financial services.
- Clean-up costs: Even if a victim pays the ransom, there are other costs to consider before the organization can return to normal. Often, associated costs include rising cyber insurance premiums, attorney and litigation fees, public relations fees, and fines if the organization fails to comply with regulatory bodies when the attack occurs.
Want to learn more about the costs of ransomware attacks and other cyber incidents? Check out our eBook “Understanding the True Magnitude of a Cyber Incident.”
How To Protect Your Organization from Ransomware
Campaigns from government and private-sector organizations are driving awareness around the growth of ransomware and helping organizations consider how best to protect themselves against the threat of ransomware attacks. In early 2023, the U.S. released its National Cybersecurity Strategy and classified ransomware as a national security threat.
Non-profit platform KnowBe4 sponsors National Ransomware Awareness Month in July and promotes security awareness by providing free ransomware resources. Collaboration in the security community also increases knowledge about known ransomware gangs and their attack methods, helping organizations avoid potential attacks.
Ideally, an organization’s ransomware strategy should address risk in two key areas: internal risk and vendor risk. While most organizations are working toward boosting their cybersecurity posture to protect against ransomware attacks, a significant number still neglect vendor ransomware risk assessment and protection.
Internal Ransomware Risk Assessment and Protection
In addition to educating employees, using anti-malware tools, and patching system software to improve your organization’s ransomware protection, here are a few other steps you can take to boost your company’s ransomware security posture:
- Monitor your ransomware indicators. Applying active ransomware risk assessment to your organization’s infrastructure can help catch vulnerabilities before threat actors exploit them. Indicators to track include:
- Open critical ports.
- Leaked credentials.
- Email security configurations.
- Phishing/fraudulent domains.
- Create an incident response plan. Developing and maintaining a comprehensive incident response plan to address potential ransomware attacks can help your organization maintain business operations and reduce the negative impacts of an attack.
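As an added illustration of the “email security configurations” indicator above (example code written for this article, not Black Kite’s product or its RSI™ methodology), the script below evaluates SPF and DMARC TXT records for constructed sample domains and reports permissive or missing settings that make a domain easier to spoof in the phishing campaigns that often deliver ransomware. The domain names and records are hypothetical; no live DNS lookups are performed.

```python
import re
# Constructed sample DNS TXT records for hypothetical domains; no live DNS lookups are made.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "none.example": [],
}

def get_spf(records):
    """Return the domain's SPF record, or None if it is missing or duplicated (duplicates are invalid)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(record):
    """Split a DMARC record's 'tag=value;' pairs into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_security(domain, txt_lookup):
    """Return a list of findings describing weak or missing SPF/DMARC settings for a domain."""
    findings = []
    spf = get_spf(txt_lookup.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or ambiguous record")
    else:
        # The qualifier on the 'all' mechanism decides what happens to senders not listed in SPF.
        match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
        if match is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
        elif match.group(1) in ("", "+", "?"):
            findings.append(f"SPF: permissive '{match.group(1)}all' lets spoofed senders through")
    dmarc = [r for r in txt_lookup.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: missing record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC: 'p=none' only monitors spoofing and does not block it")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: policy enforced on only {pct}% of mail")
        if "rua" not in tags:
            findings.append("DMARC: no 'rua' aggregate reporting address, so abuse goes unseen")
    return findings
```

In a real assessment the `SAMPLE_TXT` dictionary would be replaced by the TXT records returned by a DNS resolver for each domain and its `_dmarc.` subdomain.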
Vendor Ransomware Risk Assessment and Protection
In addition to internal security changes and monitoring your organization’s infrastructure, you’ll need to assess the ransomware risk levels of your company’s vendors and partners.
To mitigate the risk of ransomware attacks due to third-party vendors, your organization should implement the following:
- Perform a ransomware risk assessment on each vendor prior to partnership. Thoroughly vetting potential vendors’ level of ransomware risk can help your organization determine if additional security qualifications are needed to ensure your data is secure or if there’s an acceptable level of risk.
- Require third-party vendors to adhere to industry best practices. Ideally, vendors should follow recommended cybersecurity standards in their own organization, meet applicable industry compliance regulations, and provide transparent documentation around how they handle shared data.
- Perform regular audits of your third-party vendors’ security practices. Over time, your vendors’ security positions may change for better or worse. It’s important to constantly assess each vendor’s security posture to ensure they’re maintaining or improving security measures.
- Build a culture of collaboration and information sharing. Ransomware risk protection is a community effort — organizations must partner together to share information on attacks and evolving security efforts. Sharing attack information helps protect other organizations and aids in the speedy development of patches and security fixes.
Our Ransomware Knowledge Starter Pack
Looking to expand your knowledge on ransomware risk assessment and protection, but still trying to figure out where to start? Check out our starter pack of ransomware essentials:
The History of Ransomware: Where It’s Been And Where It’s Going
In this blog, we cover the history of ransomware, tracking this type of malware through various stages of development, important shifts in methods, the future of ransomware, and how to evolve your organization’s ransomware protection approach.
Beyond Ransomware: The (Non-Ransom) Effects of Ransomware
Most individuals think that ransomware’s negative impact begins and ends with the extortion of money from victims. We examine the non-ransom effects of ransomware and how to mitigate them to protect your organization.
Uncover Your Vendors’ (And Your Own) Ransomware Risk
At Black Kite, we understand that ransomware risk assessment is key to organizations improving their internal security posture and ensuring their third-party risk levels are as low as possible.
To assist, we developed the Ransomware Susceptibility Index®.
The Ransomware Susceptibility Index® helps companies understand which of their vendors are most prone to a ransomware attack by assessing the vendor’s security posture and producing an RSI™ rating within minutes. Our RSI™ ratings use data collected from a variety of OSINT sources and analyzed with machine learning to assess an organization’s vulnerability level in common ransomware indicators:
- Remote code execution.
- Open critical ports.
- Phishing or fraudulent domains.
- Leaked credentials.
- Company size.
- Company industry.
- Stealer logs.
- Endpoint security.
- Email security.
Your organization can use RSI™ ratings to develop an effective course of action for remediating internal system vulnerabilities or as a guidepost to determine whether or not a third-party vendor’s security posture is an acceptable risk.
Don’t Just Take Our Word for It
Our Ransomware Susceptibility Index® has made a difference with countless customers looking to lower their ransomware risk or assess the risk level of third-party vendors.
But don’t take our word for it. See the testimonials for yourself.
I was able to demonstrate and show the VP of IT that Black Kite was the only platform offering both a Ransomware Susceptibility Index™ and quantified risk amount with FAIR™, setting Black Kite far apart from the competition.
― Charles Mendoza, Director of Information Security
Black Kite enabled Scantron to gain a 360-degree view of its supply chain risk by quantifying ransomware risk in third-party vendor partnerships.
The bottom line is that the Black Kite partnership has made Markel’s underwriting process more efficient and data-driven. For every submission we receive, we complete a scan. This gives us the capability to leverage enhanced data at the beginning of the process and allows us to focus on accounts deemed favorable based on RSI™ and cyber rating.
― Lou Botticelli, Senior Director, US Cyber Product Leader at Markel
Markel used Black Kite’s RSI™ ratings to produce guidelines for its policyholders, helping underwriters identify high-risk accounts and build stronger security posture for its insureds.