Secureworks has cautioned against complacency despite a 57% decline in ransomware incident response engagements in 2022, as highlighted in its recent Incident Response Report.
The report reveals that while fewer organisations are seeking assistance with ransomware attacks, this may be due to criminals targeting smaller companies that are less likely to seek outside help. The number of victims listed on ransomware leak sites monitored by CTU researchers did not significantly decrease from 2021 to 2022.
Ransomware is a type of dangerous malware, Secureworks cautions. The Australian Cyber Security Centres (ACSC) Annual Cyber Threat Report for July 2021 to June 2022 reported that the ACSC received 447 ransomware cybercrime reports via ReportCyber. This was a 10% decrease compared with the 2020/21 financial year, but it is also likely that ransomware remains significantly underreported, especially by victims who choose to pay a ransom.
According to the Secureworks report, the decline in ransomware attacks could be attributed to both shifts in attacker tactics and increased law enforcement efforts in response to high-profile attacks such as Colonial Pipeline and Kaseya. However, it is crucial not to overlook the fact that attackers have adapted their strategies and ransomware continues to be a significant risk for businesses, the company states.
One notable shift in ransomware tactics is the broad adoption of a "name-and-shame" strategy, where threat actors threaten to publicly disclose stolen information unless a ransom is paid.
This approach has put immense pressure on targeted organisations, leading some to pay the ransom to avoid reputational damage, even if they would not have considered doing so in the past, the company states. Some criminal groups forego encrypting systems and instead focus on using data theft and the threat of disclosure to extort a ransom payment.
Alex Tilley, Head of Threat Intelligence, Asia Pacific and Japan for Secureworks, says, "Cyber criminals are exploiting vulnerabilities in internet-facing systems as a prominent entry point. Approximately one-third of incidents involve exploiting publicly disclosed vulnerabilities, such as ProxyLogon, ProxyShell and Log4Shell, to target unpatched machines. These vulnerabilities are often not zero-day, making it crucial for organisations to prioritise timely patching and proactive cybersecurity measures."
Tilley says, "The decline in large ransomware incidents is a positive sign, but it is essential to stay vigilant and not let our guard down. The ransomware threat is far from over and attackers are constantly evolving their tactics. Organisations must continue to invest in preventive security measures, employee education, and proactive threat detection to stay ahead of cyber criminals."
The true cost of ransomware incidents goes beyond the ransom itself as the recovery process involves substantial expenses, including business downtime, lost sales, operational costs, legal fees, and potential reputational damage, Secureworks states.
Ransom payments also do not guarantee a quick and painless recovery, as restoring compromised systems and ensuring their integrity can be complex and uncertain.
Despite the pressure to pay ransoms, the public advice from the New Zealand and Australian Governments is that organisations should refrain from paying ransom demands. Instead, they advise companies to focus on proactive cybersecurity strategies, such as implementing layered security controls, regular review of ransomware groups' tactics, and comprehensive employee education on detecting and handling suspicious emails.
Tilley says, "Preventing ransomware requires a multi-pronged approach. Organisations should prioritise cyber hygiene, rigorous disaster recovery testing, and regular updates and patching. By proactively seeking threats and staying one step ahead of motivated threat actors, businesses can effectively respond to and recover from ransomware incidents."