Ransomware's Effects Linger Long After Attack, Study Finds

As ransomware attacks spread to more, high profile firms, a new report by the security firm Sophos suggests that the impact of such incidents lingers within organizations long after the malware has been removed.

Ransomware shifts the perceptions of organizations it victimizes, tilting investments towards response rather than prevention and undermining IT managers confidence in their ability to understand cyber threats, Sophos said in its report, Cybersecurity: The Human Challenge (PDF), released on Wednesday.

[ If you want to learn more about how QOMPLX can help your company spot signs that may signal a ransomware attack in the making, contact our Sales team now. ]

Confidence: Shaken and Stirred

The company surveyed 5,000 IT "decision makers" in 26 countries to compile the report. At organizations hit by ransomware, IT administrators were nearly three times as likely to feel “significantly behind” (17%) when it comes to understanding cyberthreats, compared to their peers in organizations that were unaffected (6%).

Hiring was also impacted. More than one third (35%) of ransomware victims identified recruiting and retaining skilled IT security professionals as their single biggest cybersecurity challenge, compared with just 19% of those who hadn’t been hit.

A Shift To Threat Hunting

Most interesting was the shift observed in security focus. The Sophos survey found that ransomware victims spend proportionally less of their time on threat prevention - about 43% - and more of their time on response (27%) compared to IT pros in companies that hadn't had a ransomware infection (49% and 22% respectively).

Of course, diverting resources to response is understandable in a firm hit by disruptive malware. But the shift to response may reflect a paradigm shift within organizations who have become ransomware victims that correlates with a greater emphasis on threat hunting and detection within their environment.

Third Party Ties

There are other interesting revelations in the report as concerns ransomware infections. Among other things, organizations that suffered ransomware attacks were far more exposed to infection from third parties than non-victims. Specifically, 29% of organizations Sophos surveyed who had been hit by ransomware in the prior year allowed "five or more" suppliers to connect directly to their network. Among companies that had not been infected in the prior year, that statistic was just 13%.

Recent incidents underscore the dangers that third parties pose in ransomware outbreaks. A May ransomware attack on the cloud service provider Blackbaud, for example, has resulted in dozens of follow on breaches affecting dozens of organizations in healthcare, education and more. In all, data on more than six million individuals was leaked to cyber criminals as a result of the attack.

Lessons for Security Conscious Firms

Recent months have seen the emergence of so-called human operated ransomware as a major challenge. Attacks on  Konica Minolta, Garmin and others suggest that ransomware groups are dwelling within networks for days, weeks or more as they plan their attack. By the time the trap is sprung, even sophisticated and wealthy firms are finding themselves reduced to sending BitCoin to cyber criminals to get access back.

QOMPLX believes that stopping these attacks requires firms to identify them in their earliest stages: phishing attacks; brute force attacks on RDP and other public facing services. It also requires organizations to prevent credential theft and lateral movement. Spotting attackers in the process of doing reconnaissance, before they have laid their trap, can mean the difference between a fire drill and a multi- million dollar payout.

If you want to learn more about how QOMPLX can help your company spot otherwise surreptitious lateral movement to avoid damaging attacks?Contact our Sales team now.