You’ve dealt with the ransomware, how come it’s back?
In May 2020, Australian transportation company Toll Group was hit with ransomware. It was the second successful ransomware attack to hit the company in three months. Further, the attacks were perpetrated by two different ransomware gangs. This is not an isolated example, and it’s not a thing of the past – even today, more Australian companies than you might imagine are falling prey to repeat ransomware attacks. New research shows that in 2022, 33% of Australian ransomware victims were hit more than once. Understanding how this can happen is important for cybersecurity.
Ransomware is a prevalent and prolific threat facing Australian businesses of all sizes and in all industries. The tools to launch a ransomware attack are increasingly within reach of many cybercriminals, with the widespread availability of low-cost, accessible attack tools through ransomware-as-a-service offerings.
A single successful ransomware attack can cripple day-to-day operations, causing chaos and financial losses, and damaging brand reputations and customer relationships. A repeat attack that strikes when a victim has yet to recover fully from the effects of a previous incident can further exacerbate these impacts.
To help organizations better defend themselves against repeat attacks, it is worth exploring what could be putting Australian companies at risk in the first place. The research findings suggest it is likely to be a combination of several factors, including ineffective security and incident response measures, and a willingness to pay the ransom, either by choice or because there seems to be no alternative.
Risk factors that could leave organizations exposed to repeat attacks
1. Inadequate security measures: The research shows that for 69% of Australian organizations affected by ransomware, the attack started with a malicious email, such as a phishing email designed to steal credentials that would allow the attackers to breach the network. Web applications and web traffic are the second most widely seen starting point and represent an area of growing risk as part of an ever-expanding threat surface. Organizations need to have these bases covered.
2. Inadequate incident response and neutralization during and after the attack: The fact that multiple successful attacks are possible suggests that security gaps are not fully addressed after the first incident. There may be several reasons for this. For example, a lack of security controls, incident response, and investigation capabilities, coupled with growing attacker sophistication and stealth, could mean that implanted backdoors or other persistence tools left by attackers are not identified and removed. Access points might be left open and account passwords not reset so that stolen credentials can be abused again. Fully neutralizing an attack is made harder because the attackers often misuse legitimate IT admin tools that are also used by IT teams for benign, everyday business purposes, so their appearance in the network may not immediately arouse suspicion.
3. Paying a ransom: The research found that Australian organizations that were hit multiple times were more likely to say they’d paid the ransom to recover encrypted data — 30% of those affected twice or more paid the ransom to restore encrypted data, compared to 23% of those hit just once. Repeat victims were also less likely to use a data backup system to help them recover. There is a risk that once it is known that an organization is willing to pay a ransom, other attackers will target the same victim.
4. Having cyber insurance in place: The research found that across all the countries surveyed, 77% of organizations with cyber insurance were hit with at least one successful ransomware attack, compared to 65% without cyber insurance. This could mean cybercriminals are more likely to target organizations with insurance, in the belief that the insurers will be willing to cover the ransom cost to speed up recovery. Organizations affected by two or more ransomware attacks were also more likely to have cyber insurance in place (70%).
Defending against ransomware
Many organizations may underestimate how exposed they are. The findings show that only 27% of the Australian organizations surveyed felt underprepared to tackle a ransomware attack.
The security industry has an essential role to play in helping organizations address the challenges of ransomware through deep, multilayered security technologies, including AI-powered email protection and Zero Trust access measures, application security, threat hunting, extended detection and response (XDR) capabilities, and effective incident response to spot intruders and close gaps so that attackers cannot easily find their way in.
If this seems like a daunting list, it needn’t be. There are expert professionals, including managed service providers and security vendors, who can support you not just with advanced security tools but with XDR, 24/7 Security Operations Centres-as-a-Service and more. It’s why we’re here. Let’s talk if you want to learn more and email us at ANZSales_Team@barracuda.com.