Businesses aren’t telling anyone when they’ve been hit with ransomware
There may be more businesses dealing with ransomware than the private sector community cares to talk about.
Half of American businesses suffered a ransomware attack in the last year, according to new research from the security firm SentinelOne. The standard business response to the attacks —hackers encrypt a target’s data and demand payment to get it back — is to spend more money, lose faith and feel helpless on cybersecurity, the survey shows. Then, in many cases, they try to keep the entire incident under wraps as best they can.
While laws and regulations vary across states and countries, staying silent can be illegal. The specifics depend on a variety of factors including what kind of data was exposed, how it happened and where the breach took place. What stays the same is the perception that disclosure may be more trouble than it’s worth.
“Ransomware is an incredibly simple business model, highly lucrative, and often leverages the current malware infrastructure with minimal new investment required,” Jeremiah Grossman, Chief of Security Strategy at SentinelOne security firm told CyberScoop. In October, one particular ransomware variant, Locky, could be found in over 14 million malicious emails in a single week.
The new survey was conducted by research firm Vanson Bourn and commissioned by SentinelOne, a security firm that specializes in endpoint security. The figures match up with other research, as well as information from law enforcement.
Ransomware is now a major focus for the FBI. Director James Comey has urged businesses to report breaches. In many cases, hacked businesses prefer to keep the whole incident under wraps.
The survey found that just 61 percent of cybersecurity professionals notified the CEO or board of their company when they suffered an attack. Just 54 percent did or would notify law enforcement and lawyers. If you’re out of that exclusive circle, the numbers plummet further. Only 38 percent of cybersecurity professionals say they did or would notify customers if they suffered a ransomware attack.
Security teams often keep malware infections quiet from company leadership unless it’s highly disruptive. They won’t go to law enforcement unless they need help or want to capture the extortionist.
“If the cyber-extortionist willingly takes a ‘reasonable’ ransom demand and turns over the encryption key to allow access to the data, the business will simply recover as best they can and quietly move on,” Grossman said. Customers often won’t be notified unless regulations require them to do so or unless customers noticed a problem. If not, “they’ll quietly take care of the matter and move on.”
That silence doesn’t leave the feds too pleased.
“We have discovered that the majority of our private partners do not turn to law enforcement when they face an intrusion. And that is a very big problem,” Comey said in August. “It is fine to turn to one of the many excellent private sector entities that will help with attribution and with remediation—that’s good. But we have to get to a place where it is routine for people who are victimized to turn to us for assistance.”
Eighty-five percent of American businesses surveyed said they’d been hit three or more times with ransomware in the last year.
“The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky,” Grossman explained.
“These criminals have evolved over time and now bypass the need for an individual to click on a link,” FBI Cyber Division Assistant Director James Trainor said earlier this year. “They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
The vast majority of infections are still phishing via email and social media. But malicious websites and unpatched software account have been seen at least once by most businesses surveyed.
After the attack, the money starts flowing into preventative and reactive measures. Patching software, disabling macros, and reviewing anti-malware becomes a renewed focus.
“For reactive, it’s all about backups,” Grossman said. “Having backups that are both immutable and stored offline can save you big time.”
Millions of dollars are being poured into the fight from all sides—the defenders, the hackers, and the victims who pay them off—but it’s a war that’s been kept mostly quiet so far.