British cybersecurity company Sophos released its State of Ransomware 2022 report, revealing that 51% of South African organisations surveyed in its study were hit with ransomware in 2021.
Of the companies hit with ransomware, 49% of them ended up paying the ransom to retrieve their data, regardless of whether they had other means of recovery.
According to Sophos principal research scientist Chester Wisniewski, the number of victims paying ransoms is increasing.
“The survey shows that, globally, the proportion of victims paying the ransom continues to increase, even when they may have other options available,” Wisniewski said.
“There could be several reasons for this, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site.”
He explained that there is often pressure on the organisation to return to normality as rapidly as possible in the aftermath of a ransomware attack, hence the willingness to pay ransoms.
“Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk,” Wisniewski said.
“Organisations don’t know what the attackers might have done, such as adding backdoors, copying passwords and more.”
Wisniewski emphasised the need for organisations that have had their systems encrypted to clean up the recovered data.
“If organisations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack,” he said.
The main findings for South Africa in the State of Ransomware 2022 global survey include:
A substantial proportion (49%) of organisations are paying ransom remands
The after-effects of a ransomware attack can be vast, with the cost to recover from the most recent attack in 2021 being $710,000 (R11.5 million)
77% of organisations rely on cyber insurance that covers ransomware attacks. In 99% of incidents, the insurer paid all or some of the costs.
“The findings suggest we may have reached a peak in the evolutionary journey of ransomware, where attackers’ greed for ever higher ransom payments is colliding head-on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” Wisniewski said.
He expects even higher ransom demands in the future as cyber insurers cover a range of recovery costs, and it becomes increasingly easy for cybercriminals to deploy ransomware.
“However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky-high ransoms,” Wisniewski added.
He also stated that this was unlikely to reduce the overall risk of ransomware attacks.
Sophos provided some best practice recommendations to protect organisations against cyber attacks and ransomware:
Maintain high-quality defences across all points in the organisation. Review security controls regularly to ensure they continue to meet the organisation’s needs.
Hunt for threats proactively to identify and stop actors before they execute their attack. If an organisation doesn’t have the capacity to do so, it can outsource to a managed detection and response specialist.
Search for and close key security gaps, including unpatched devices, unprotected machines, open Remote Desktop Protocol ports, etc.
Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated.
Make backups, and practice restoring data from them so that the organisation can return to services as quickly as possible.