Survey: Ransomware victims forever changed

A global survey conducted by Sophos, titled ‘Cybersecurity: the Human Challenge’ has revealed that organisations are never the same after being hit by ransomware.

The confidence of IT managers and their approach to battling cyber attacks differs depending on whether or not their organisation has been attacked.

IT managers at organisations hit by ransomware are nearly three times as likely to feel “significantly behind” when it comes to understanding cyber threats, compared to their peers in organisations that were unaffected (17% versus 6%).

According to the survey, 35% of ransomware victims said that recruiting and retaining skilled IT security professionals was their biggest challenge when it comes to cybersecurity, compared to 19% of those who hadn’t been hit.

Victims also spent proportionally less time on threat prevention (42.6%) and more time on response (27%) compared to those who haven’t been hit (49% and 22% respectively), diverting resources towards dealing with incidents rather than stopping them.

Chester Wisniewski, principal research scientist at Sophos, said the difference in resource priorities could indicate that ransomware victims have more incidents to deal with overall. It could also indicate that they are more alert to the complex, multi-stage nature of advanced attacks and therefore dedicate more resources to detecting and responding to signs that an attack is imminent.

SophosLabs Uncut published an article, titled ‘Inside a New Ryuk Ransomware Attack’, which deconstructed a recent attack involving Ryuk ransomware. The article revealed that ransomware attackers are contributing to pressure on IT security teams, as they evolve their tactics, techniques and procedures (TTPs).

Sophos incident responders found that the Ryuk attackers used updated versions of widely available and legitimate tools to compromise a targeted network and deploy ransomware.

The attack moved quickly; within three and a half hours of an employee opening a malicious phishing email attachment, the attackers were conducting network reconnaissance. Within 24 hours, the attackers had access to a domain controller and were preparing to launch Ryuk.

“Our investigation of the recent Ryuk ransomware attack highlights what defenders are up against. IT security teams need to be on full alert 24 hours a day, seven days a week and have a full grasp of the latest threat intelligence on attacker tools and behaviours,” Wisniewski said.

The survey findings reveal the impact of these demands; those hit by ransomware were found to have severely undermined confidence in their cyber threat awareness.

However, their ransomware experiences gave them a greater appreciation of the importance of skilled cybersecurity professionals, as well as the importance of introducing human-led threat hunting to better understand and identify the latest attacker behaviour.

“Whatever the reasons, it is clear that when it comes to security, an organisation is never the same again after being hit by ransomware,” Wisniewski said.

Image credit: ©stock.adobe.com/au/zephyr_p