80% of ransomware victims suffer repeat attacks, new report says

As the list of known ransomware targets continues to expand amid the COVID-19 pandemic, victims run the risk of repeat cyber attacks, according to a new report published by a U.S. cybersecurity firm on Wednesday.

Boston-based Cybereason found 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack, according to a commissioned survey of 1,263 cybersecurity professionals in varying industries from the U.S., United Kingdom, Spain, Germany, France, United Arab Emirates and Singapore.

“Once you have the ability to hack and the ability to collect anonymized money with Bitcoins — combine them together. You suddenly get a very nice business model that enables you to collect a lot of money, quickly,” Cybereason CEO Lior Div told CBS News.

That quick money transfer has been on full display in recent weeks, following a series of high-profile ransom payouts.

The world’s largest meat processing company, JBS, announced last week it had paid $11 million in ransom after it was forced to halt cattle-slaughtering operations at 13 of its meat processing plants.

DarkSide, the hacker group behind the Colonial Pipeline attack, received $90 million in bitcoin ransom payments over the course of eight months, according to London-based blockchain analytics firm Elliptic.

Last year, ransomware struck Connecticut-based shipping and technology company Pitney Bowes for a second time in less than a year. And Australian logistics company Toll Group faced back-to-back ransomware attacks within three months of each other last spring.

“We’ve seen this kind of pattern of turning cyber criminal action into a business,” said career hacker David “Moose” Wolpoff, who is the CTO and co-founder of cybersecurity firm Randori. “It’s a way that actors can get money and access, and achieve their objectives.”

Last week, FBI Director Christopher Wray told lawmakers the cyber threat “is increasing almost exponentially.” The FBI director added that the federal government is currently investigating “100 different ransomware variants, and each of those 100 has dozens, if not hundreds of victims.”

According to Cybereason’s new report, 66% of victim organizations reported “significant revenue loss” due to ransomware attacks, and 53% reported that their brand suffered following a ransomware attack.

A quarter of businesses surveyed ultimately shut down their organization, with nearly one in three losing top leadership either by dismissal or resignation and 29% forced to eliminate jobs.

“The problem people don’t understand is that when you pay a ransom, you’re not flipping a switch,” Div told CBS News. “The hackers give you the keys to decrypt your own machines. You need to go one by one to restore them.”

U.S. fundraising firm Heritage Company closed its doors late last year after more than 60 years of business following a crippling ransomware attack. The company let go of roughly 300 employees following an attack that shut down production servers for an extended period.

Appearing before a Senate Homeland Security committee hearing earlier this month, Colonial Pipeline CEO Joseph Blount said that decryption keys provided by DarkSide hackers to the company to regain control of its systems following the ransom payment were “advantageous” but not a perfect fix.

Blount said it took a month after Colonial Pipeline paid DarkSide the ransom to bring its financial systems back online and the efforts to restore the company’s operations are still “ongoing.”

While ransomware attacks have proven to be expensive for victims, companies are saying that prevention methods can be costly as well, according to a new survey from cybersecurity firm Cobalt.

Nearly six in 10 cybersecurity professionals at companies with more than 500 employees said an important prevention practice known as penetration testing is too expensive. More than 40% said their company does not have the budget for penetration tests.

According to Cobalt’s chief strategy officer Caroline Wong, “pentesting,” or simulated hacks to evaluate the security of a system, has historically been a luxury. “Only the richest and the biggest, most established companies in the world have access to quality security talent,” Wong said.

Nearly 90% of respondents in Cobalt’s survey said they have experienced difficulty finding talent with the right skills to conduct simulated hacks of their security system. Cobalt, which conducts pentests for its customers, shared data from more than 1,600 tests it performed last year exclusively with CBS News.

The data reveals that large companies have been struggling with the same vulnerabilities for four years in a row. The main issue for companies continues to be server security misconfigurations.

“As an industry, cybersecurity professionals know how to deal with these issues, we know how to take action that prevents ransomware,” Wong said. She added that constraints on time and money prevent companies from protecting their assets.

Wong said one reason companies face insecure configurations is that they don’t make a complete list of all their assets. As a result, security systems are not properly set up, with some companies even failing to change default settings.

Respondents in Cobalt’s survey also said that on average they pentest just over 60% of their application portfolios, meaning that potential gaps in security routinely go unnoticed.

“You’ve got to know your assets, you’ve got to fix your vulnerabilities, and you’ve got to make backups,” Wong said. “If you are proactively testing, then you don’t have to reactively respond when incidents happen,” she added.

As the number of incidents increases, U.S. lawmakers and world leaders are taking notice. The White House has said publicly it believes the Russian government has a role to play in preventing ransomware attacks.

“Harboring criminal entities that are intending to do harm, that are doing harm to critical infrastructure in the United States is not acceptable, we’re not going to stand by that,” White House Press Secretary Jen Psaki told reporters earlier this month.

After last week’s G-7 summit, the seven countries issued a statement calling on Russia to “stop its destabilizing behavior and malign activities” and “hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”

President Biden will be meeting with Russian President Vladimir Putin Wednesday, and while it’s unclear exactly what they will discuss, Mr. Biden said Monday that there are some areas where the two leaders are expected to cooperate.

“And if he chooses not to cooperate and acts in a way that he has in the past, relative to cybersecurity and some other activities, then we will respond. We will respond in kind,” Mr. Biden said.