Asset 4: Understanding the Depth of the Global Ransomware Problem

related issues on which we queried survey respondents. While ransomware is the fourth highest security-related concern about which we queried in the survey of U.S. organizations, the level of concern about ransomware is higher in the U.S. than in the other nations we surveyed. For example, 50 percent of organizations in the United Kingdom are concerned or extremely concerned about ransomware, but this figure drops to 32 percent in Canada and a mere 12 percent in Germany.

• U.S. organizations are the most likely to make “addressing the ransomware issue” a high or very high priority at 59 percent, while German organizations give this issue the lowest priority (19 percent). U.S. organizations are also more likely to place a high or very high priority on investing in education and training about ransomware for their end users, and on investing in resources, technology, and funding to address the ransomware problem. Somewhat ironically, however, U.S. organizations are also the least likely to have implemented any sort of ransomware training for their end users, and are among the most likely to offer only minimal training when they actually do so.

• From a physical platform perspective, ransomware is most likely to enter an organization through a desktop computer and least likely through a smartphone or tablet. German organizations, in particular, had the highest penetration of ransomware infection through desktop computers, while organizations in the U.S. and the United Kingdom had the lowest penetration through desktops.

• Email was the most likely attack vector for ransomware, either via email attachments or malicious links in email messages. Interestingly, a large proportion of the organizations surveyed did not know how the ransomware they encountered had entered: this ranged from a low of nine percent of U.S. organizations that could not identify the source of the ransomware infiltration to a high of 35 percent in Germany.

• Organizations in the U.S. experienced the lowest rate of ransomware infiltration after the initial attack occurred: 58 percent of organizations in the U.S. were able to limit the spread to fewer than one percent of the endpoints. At the other end of the spectrum, 10 percent of the organizations we surveyed in the United Kingdom experienced ransomware spreading to every endpoint on the network.

• A wide variety of corporate roles were impacted by ransomware attacks, and this varied widely within the nations we surveyed. For example, ransomware impacted 71 percent of lower-level staff members in U.S. organizations, 43 percent of middle managers, and 25 percent of C-level or senior executives. The impact on various roles in other nations was less severe, but generally followed the same pattern. It is important to note, however, that mid-level managers and senior executives are disproportionately affected by ransomware given their substantially smaller numbers. For example, if we assume that in the typical organization only five percent of the employees are senior executives, then the fact these individuals represent 25 percent of the victims of ransomware means that they are impacted far more often than lower-level staff members.

• Ransomware demands from cybercriminals who successfully infiltrated corporate networks varied widely. In the U.S., nearly one-third of those victimized by ransomware have faced demands of “only” $500 or less. These are often the result of massive, spam-type attacks seeking quantity over quality. However, almost 20 percent of ransomware victims have seen demands exceed $10,000, which often are the result of more targeted attacks. Interestingly, low-level ransomware demands (those demanding ransom of up to $500) are most common in the U.S. and much less common in the other nations surveyed, where between four percent and 19 percent of ransom demands are this low. By contrast, more expensive ransomware demands are more common outside of the U.S. For example, ransom demands in excess of $10,000 are most common in Germany (48 percent), but much less common in the United Kingdom (22 percent), the United States (18 percent), and Canada (14 percent). Please note that we converted U.S. currencies to the appropriate non-U.S. currency when conducting the survey so that respondents could answer these questions in their national currency. Currency conversion rates were those in effect as of mid-June 2016.

©2016 Osterman Research, Inc.

• The majority of ransomware victims surveyed have chosen not to pay the ransom demanded by the cybercriminals that infected their machines. On average, 37 percent of organizations pay the ransom demanded after they are infected. Organizations in the United States were far less likely to pay the ransom demanded once their endpoints are infected with ransomware. For example, 22 percent of German organizations paid the ransom, as did 58 percent of organizations in the United Kingdom and 75 percent of Canadian organizations, but only three percent of U.S. organizations chose to do so.

• Among organizations that chose not to pay the ransom after becoming infected with ransomware, more than one-quarter of U.S. organizations lost files because they did not pay. However, this varied widely by nation surveyed: 82 percent of Canadian organizations that opted not to pay ransom lost files as a result, whereas this decision impacted “only” 11 percent of German organizations.

The fact that files were lost after a decision not to pay a cybercriminal’s ransom demands is not surprising. Because there is rarely a way to decrypt files without the key provided by the ransomware author, the likelihood of being able to thwart the ransomware encryption is nil. Moreover, while most organizations back up their endpoints, these backups are typically performed overnight, and so data created since the last backup can be lost if an endpoint needs to be reimaged in the wake of a ransomware exploit. In short, organizations that choose not to pay the ransom can count on losing at least some of their files as a result.

• U.S. organizations that must recover from ransomware attacks generally spend less IT staff time doing so than their Canadian, German, or UK counterparts. For example, while 56 percent of U.S. organizations spend no more than eight hours recovering from a significant ransomware attack, these figures range from only 20 percent to 30 percent in the other nations surveyed. Osterman Research believes that much of this difference is attributable to the fact that ransomware infiltrations in U.S. organizations spread to fewer endpoints than they do in the other nations surveyed.

• Defeating ransomware is a balance between training to help users understand how to reduce their likelihood of becoming infected and technology-based solutions that can