The 2019 CrowdStrike Global Security Attitude Survey said that the total number of organizations around the world paying the ransom after falling victim to a supply chain attack almost tripled from 14% to 39%.
In the UK, the number of organizations that have experienced a ransomware attack and then paid the ransom doubled from 14% to 28%.
The ransoms, which often fall in the six- to seven-figure range (~$500,000), are motivating the hackers to ramp up the attacks.
Here in Colorado we saw one attack that compromised a managed service provider and compromised over a hundred dental practices. Each of those practices had to either pay the ransom or figure out another way to get their data back.
So why are these attacks continuing to be successful?
First of all, organizations of all sizes are not taking the necessary measures to protect themselves. Patching, not reusing passwords and two-factor authentication are among the basic measures that many organizations are not applying across the board.
Next comes good backups. We often see that backups are online (because that is more convenient) and the backups get encrypted as well. Offline or write-once backups are an important part of the backup strategy.
Finally, how long will it take you to recover? After the Atlanta ransomware incident, the city spent 3 months recovering its systems. For many companies, if they were down for three months, they would be out of business.
Given that ransomware attacks are, for the most part, attacks of opportunity, no one, big or small, has a get-out-of-jail-free card to use. That means that everyone needs to be prepared to deal with a ransomware event, and you want to be ready before it happens.
This is where disaster recovery, business continuity and computer forensics come in.
A Business Continuity program manages the process of making sure that critical business services continue to work in case of an attack.
A Disaster Recovery program manages the recovery process. If you cannot rebuild your systems from backups within a time window that the business needs, you may be left with the very unpalatable option of paying the ransom.
If you do pay the ransom, you should assume that the attackers still have access to your system or have the ability to reinfect your systems after they come back online. You need to understand how they got in there in the first place and that is where the third leg of the stool comes in – incident forensics.
While none of this is cheap, having a program in place and your team trained could be the difference between responding to an incident and going out of business.