While the military strategist and philosopher Sun Tzu never had to grapple with a ransomware attack, he knew something about conflict: "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
This applies as closely to digital battles as it does to kinetic battles. After all, if security teams fully understand their environments and ransomware gang tactics, they can be much more confident in the state of their defenses. Consider a new report from Sophos, the State of Ransomware 2024, which provides insights into how ransomware gangs currently target enterprise environments. Interestingly, 99% of organizations hit by ransomware were able to identify the root cause of the attack.
The report provides several key takeaways:
Exploited vulnerabilities are a primary vector of attack. Exploited vulnerabilities were the most commonly identified root cause of ransomware attacks for the second year. Vulnerabilities were cited as the root cause by 32% of surveyed organizations that also reported being hit by ransomware. That is down a bit from 36% in the prior year.
Email communications remain a commonly attempted point of entry. Successful attacks were initiated through email 34% of the time. Such attacks include general phishing attacks, targeted spear phishing attacks, and emails with malicious content.
Compromised credentials. Attacks on identity are always prominent in such surveys as this, as attackers find success with brute-force credential attacks, phishing login credentials from staffers, or using username and password combinations found on the web. A little less than one-third of attacks involve compromised credentials.
How attackers gain entry appears to impact outcomes
While correlation isn't causation, there appears to be a relationship between how attackers manage to break in and the ultimate ransomware attack outcomes. For instance, there is a much more significant impact on cost and operations when ransomware attackers successfully exploit vulnerabilities in the beginning stages of an attack. For example, when exploited vulnerabilities are part of the root cause, there are:
- 75% success rates in compromising backups, compared to a 54% success rate for compromised credentials
- 67% data encryption rates, compared to 43% for compromised credentials
- 71% ransom payment rates, compared to 45% for compromised credentials
- 4x higher recovery costs, specifically $3 million vs $750,000 for compromised credentials
- 45% took over a month to recover, whereas 37% took over a month for compromised credentials
Of course, ransomware threat actors ultimately seek a way to extort their targets. The more they can put the squeeze on, the more they will likely be able to extort. This may include stealing and threatening to release data publicly unless victims pay up, encrypting company data, and demanding payment for the decryption key.
Another way to put the squeeze on their victims is to compromise system and data backups with ransomware. This way, when the business goes to restore during the ransomware attack, they can't. The targeted company is truly against the wall if the backups are successfully compromised.
Backup compromise rises with exploited vulnerabilities
Sophos's survey found that respondents who suffered an exploited vulnerability were worse for backup compromise, data encryption, and ransom payment. For instance, nowadays, ransomware attackers always try to compromise backups during nearly every attack. Still, when the attack was initiated through an exploited vulnerability, attackers successfully compromised backups in 75% of the cases, compared to "just" 54% of attempts being successful when the attack was initiated with compromised credentials.
With organizations that were initially breached through exploited vulnerabilities experiencing a much higher rate of compromised backups, it's no surprise that these organizations were also more likely to pay the ransom:
- 71% of organizations that had data encrypted paid the ransom when the attack started with an exploited vulnerability
- 45% of organizations that had data encrypted paid the ransom when the attack began with compromised credentials
Without backups to recover from, the pressure on ransomware victims to access the
decryption key increases, likely driving organizations to work with the attackers to
restore data and reduce their ability to negotiate.
Additionally, those organizations that were initially breached through a vulnerability were more than 50% more likely to have their data encrypted than attacks that began with compromised credentials.
Finally, insurance carriers were less likely to honor claims when the attack was initiated through an exploited vulnerability. According to the survey results, 25% of claims denied by those organizations compromised through vulnerability were rejected because they lacked the cybersecurity defenses required by their policy. This was true for 12% of the claims whose underlying incident was initiated through compromised credentials.
The relationship here is unknown. Sophos speculates it may be because adversaries who leverage unpatched vulnerabilities are more skilled or because organizations with an exposed attack surface broadly have weaker security defenses. The survey does seem to point to organizations with exploitable vulnerabilities within the attack surface having a tougher time mitigating the damage associated with ransomware attacks.
