There is growing evidence that ransomware gangs are rapidly evolving into full-scale protection rackets. Ransomware gangs are increasingly returning to fleece their victims multiple times, even after the ransom has been paid.
“Despite most victims agreeing to pay the ransom, less than half who did get their systems and data back uncorrupted. And most were breached again within a year,” says security company Cybereason’s report Ransomware: the true cost to business 2024.
All of the 1008 enterprise IT professionals surveyed had been breached at least once in the past 24 months. While 84 percent paid the ‘ransom’, only 47 percent got their data and services back intact. But this new generation of ransomware attacks frequently does not stop – even once the ransom is paid. An astonishing 78 percent were breached again, and 63 percent were asked to pay more the second time. In 36 percent of the cases, the second attack was carried out by the same gang that conducted the first.
This makes these ongoing attacks more threatening than one-off ransomware attacks. They are the 21st-century equivalent of the Viking raiders whose victims, it has been said, paid the Danegeld but never got rid of the Dane, who kept returning for more loot. Similar TTPs were used by gangsters running protection rackets in early twentieth-century Chicago. Once a ransomware gang has infiltrated an organization, it is often there to stay, seeing the targeted company as a cash cow for the foreseeable future.
“Low-and-slow” attacks sit on a system undetected
According to the report, attackers are developing more complex “low-and-slow” attacks designed to sit unobserved on the target organization’s systems. These attacks compromise as much of the targeted network as possible before they are detected. Over half (56 percent) of the enterprise IT professionals surveyed said that their organization did not detect a breach for three to twelve months.
Law enforcement agencies such as the US Federal Bureau of Investigation (FBI) instruct companies not to pay cybercriminals the ransom. There is evidence, however, that many organizations have been paying up, even though there is no guarantee that the stolen data will be returned or that the cybercriminals will relinquish control of the company’s network.
The reasons given for paying the criminals are generally a response to the pressure ransomware gangs routinely put on their victims. “We feared the loss of business…It was a matter of life and death…It seemed to be the fastest solution…We didn’t have back-up files,” are typical reasons given for paying the ransom, according to Cybereason.
The report recommends that organizations deploy security controls that cover both online and offline networks, and look for ransomware-specific solutions that protect at every stage of an attack, including roll-back of any impacted files as a last line of defense.