Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

80% of Orgs That Paid the Ransom Were Hit Again, Report Finds (venturebeat.com) 91

Boston-headquartered security firm Cybereason's study has found that the majority of organizations that chose to pay ransom demands in the past were not immune to subsequent ransomware attacks, often by the same threat actors. From a report: In fact, 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group. This study offers insight into the business impact of ransomware attacks across key industry verticals and reveals data that can be leveraged to improve ransomware defenses. For example, after an organization experienced a ransomware attack, the top two solutions implemented included security awareness training (48%) and security operations (48%). This research underscores that prevention is the best strategy for managing ransomware risk and ensuring your organization does not fall victim to a ransomware attack in the first place.
This discussion has been archived. No new comments can be posted.

80% of Orgs That Paid the Ransom Were Hit Again, Report Finds

Comments Filter:
  • by mark-t ( 151149 ) <{moc.talfdren} {ta} {tkram}> on Friday June 18, 2021 @06:01PM (#61500056) Journal
    Shocked, I say!
  • by theshowmecanuck ( 703852 ) on Friday June 18, 2021 @06:08PM (#61500070) Journal
    Stupid is as stupid does.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday June 18, 2021 @06:15PM (#61500084)
    Comment removed based on user account deletion
    • Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.

      So if you screw up you potentially pay 2x that amount?

      I suspect there's easier ways to convince the CFO in invest in the appropriate risk mitigation.

    • Its the wrong equation, it should be work out how much a ransomware attack could potential cost you. Ransoms are often only in the 100's of thousand or even a few million. For many of these companies they are bleeding more than that per day for an outage and spending that on prevention is not enough.
    • Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.

      No. An asteroid impact on the company HQ is expensive. That doesn't mean you should spend that high amount on a giant shield.

      The correct equation is ((Cost of a ransomware attack) * (Probability of a ransomware attack)).

      Less than 1% of companies are hit each year. So if the cost of an attack is less than 100 times the cost of prevention, then it isn't worth it (on average).

      • by bn-7bc ( 909819 )
        I did nor know astroid shields existed, but I might have gotten side tracked by that detail and let the point if your example go straight past me
    • by gweihir ( 88907 )

      Naa, that would be sane and a lot cheaper. Cannot have that. Management has a reputation for utter incompetence to uphold!

    • Spending that money on technology is likely wasted. While zero-day exploits remain a problem far too many of the hijacked systems are hijacked by poor security _practices_ that will not b e helped my adding money or technology to the equation. These include:

      * System administrators or "architects" who refuse to change their passwords
      * Laptops that are put on the same network as production hosts, databases, and storage servers with no firewall or other segregation
      * Secretive security policies, kept secret to

      • by jythie ( 914043 )
        Yeah,.. people keep on hoping that the right combination of backups and technologies will make the problem go away, but at the end of the day it is a systemic pressure issue. These attacks focus on vulnerabilities that come out of people needing to do their jobs. A system that does work, a system that people do work on it, every person who has a job to do can also do damage. Companies that make it harder for their workers to do their jobs tend to lose to ones that make jobs easier.
      • Comment removed based on user account deletion
    • Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.

      It's almost as if you think "prevention" has no other benefits apart from this...

    • by jythie ( 914043 )
      Unfortunately, it probably is not a problem you can spend your way out of.
    • by randjh ( 7163909 )
      It's all about costs. Part of buying a house used to be the title search. Your lawyer hired a specialist who examined the chain of title to that property. That can get pretty complicated, what with severances and liens. And how far back do you go? Treaties with indigigenous peoples? Last time I bought a house, they didn't do a title search. I bought a product called Title Insurance, which has slowly been replacing Ttitle Insurance in residential property transfers in Canada. This is some sort of offering
    • by Geekbot ( 641878 )

      They aren't paying. Their insurance companies are. At some point the companies will be uninsurable which will lead to improvements. Things don't get better because someone wants them to. Things get better when the status quo becomes more expensive than change.

  • by theshowmecanuck ( 703852 ) on Friday June 18, 2021 @06:18PM (#61500090) Journal
    They could start with putting people in charge of technology that understand technology, and not MBA types who think a solution is only a silver bullet and a cloud away. And then give them the authority to manage systems correctly instead of having to cave to MBA types who don't want to understand that the technology departments are every bit as important and equal in terms of business units. In fact, in many cases more so. Too many businesses treat the technology units as afterthoughts or inconveniences, and in fact force in technical solutions that vendors talk C level execs into buying, but which are not really a good fit or sometimes even needed. And then they want it in a hurry which kills good design and opens security holes as bad design almost always does.
    • Mod parent up! Few people understand computer technology.

      My comment posted to a previous story: We need in-depth reporting of cyber attacks. [slashdot.org]
      • Mod up seconded. However fools that get duped twice, by law should NOT be insurable against that event. Insurance companies need to blackball incompetent management, and idiot organizations. So insurance companies, why do you not get on the phone today, and cancel/refund policies to these recidivist jerks. Fire HR too, for selecting retarded, spineless CTO's.
    • by fermion ( 181285 )
      Some negative activities are in fact curtailed by consequences. For instance, in Oklahoma it is theoretically legal to run over a protestors but the consequences in insurance rates might keep people from doing so. In the US any bank robbery brings in the FBI. If there is little chance of consequence then the crime is reasonable even if returns are not great.

      20 years ago my friends and relatives outside the US were in real danger because of kidnapping where the victim paid the ransom. They were to various

      • by ArmoredDragon ( 3450605 ) on Friday June 18, 2021 @08:40PM (#61500360)

        Oklahoma it is theoretically legal to run over a protestors

        Only if it isn't deliberate and it's on a thoroughfare that wasn't closed off. This was basically in response to derps darting into traffic just for the sake of being obnoxious and then wondering why they woke up in a hospital. Depending on the state laws, I don't imagine there would be any liability on the part of the driver in such a situation, so I doubt their insurance rates would go up, unless they bent a fender or something, but even then the rates wouldn't go up a whole lot because it isn't a vehicle to vehicle collision.

      • For instance, in Oklahoma it is theoretically legal to run over a protestors

        It's also legal to shoot someone in the face if they try to run you over, because Oklahoma has a stand your ground law.

        That might not stop their car from hitting you, but if I went to a protest in Oklahoma* you can bet your asshole I'd come armed in case it went sideways. And if I'm gonna get hit anyway, and I've got time to draw, you can bet that same orifice that I'm gonna do my level best to perforate the motherfucker behind the wheel.

        * Same for Florida, for the same reasons, and on the same legal basis.

    • > They could start with putting people in charge of technology that understand technology,

      Sadly, many of the people negotiating for technology decisions are excited by very shiny toys. The number of complex anti-virus systems that interfere with ordinary system operation is stunning. But many security departments demand the latest expensive toy rather than insisting on proper backups, especially of the core configuration management hosts.

    • It's the same problem which plagues health insurance, lotteries, nuclear power, and people afraid of flying. People in general are really really bad at assessing the cost or benefit of low-likelihood events. The assessment then becomes based mostly on emotion, rather than logic and reason. e.g. Most people have a neutral-to-positive opinion of state lotteries, but a negative opinion of Las Vegas slot machines. But lotteries on average only pay out about 67% of the money players put into them. Slot machines
  • You have won big expensive vacation in Bahamas Islands!!!! Plus $25,000.00 CASH USA!!! Just click on attachment and open now to collect cash and experience victory!!! Then Follow link and download all files!!!!
  • by quantaman ( 517394 ) on Friday June 18, 2021 @06:32PM (#61500116)

    The world is filled with countless organizations, some that are well defended against a ransomware attack, and some who are not. Who are you going to invest time in trying to attack? Organizations that have proven themselves to be vulnerable.

    Security isn't as simple as turning on a firewall and doing backups. You need to know what systems exist and how to back them up, you need to know what services are supposed to talking to what other services, you need to know what employees need to access what systems.

    I don't think it's possible to secure an organization overnight, meaning that the moment you've proven to be vulnerable to one group all the other groups know that you're vulnerable.

  • by im_thatoneguy ( 819432 ) on Friday June 18, 2021 @06:44PM (#61500154)

    I thought the whole point behind Ransomware was that they always actually unlocked your files. If people didn't actually get relief they would stop paying so there is a financial incentive for attackers to actually have a code-of-conduct and good customer service.

    Hitting the same target again, sounds like a violation.

    "If I pay this, you probably just put a trojan deep deep in my systems and will make me pay it again, so fuck off, we're wiping everything and starting from scratch."

    If this is true this should destroy the game theory on payingout.

    • by dmay34 ( 6770232 )

      If you believed the hackers had any kind of ethical "code", you are really really dumb.

    • by gweihir ( 88907 )

      They probably have trouble excluding those they hit before from getting attacked again. The field of companies with utterly crappy IT security is vast enough that it is easy to hit targets again by accident, because you just did not remember you had hit somebody before.

    • You are ignorant of the ransomware business model against large corporations. The keys aren't the issue at all. It's shame site identification of corporation and posting of sensitive data that causes business loss and lawsuits far greater than the ransomware price.

  • * Animals
    * Hackers
    * Trolls
    * Audrey II

  • by davidwr ( 791652 ) on Friday June 18, 2021 @06:50PM (#61500162) Homepage Journal

    Dane-Geld
    A.D. 980-1016

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

    -- Rudyard Kipling (1911)

    • Thank you for posting this.

      It should be required reading. The concept is simple, but those who do not study history...

      • Rudyard Kipling did not write history. Rudyard Kipling wrote fiction. The lesson is old, and presented in memorable poetry, but in practical terms refusing extortion from someone who can entirely bankrupt your company by doing nothing further, it's understandable for most to pay the Dane this year and hope to shore up defenses to prevent another invasion next year.

        • Rudyard Kipling did not write history. Rudyard Kipling wrote fiction. The lesson is old, and presented in memorable poetry, but in practical terms refusing extortion from someone who can entirely bankrupt your company by doing nothing further, it's understandable for most to pay the Dane this year and hope to shore up defenses to prevent another invasion next year.

          It's understandable, but this kind of short-term thinking is wrong. Consider that there is no guarantee that you will get the funding to prevent another invasion next year. After all, you didn't get the funding last year, even though that would have prevented the ransomware attack.

          In addition, there is the likelyhood that the threat actors have scattered persistent backdoors throughout your computer systems. No matter how many you find, you can't be sure there isn't another. To be safe you are going to

    • Except the Danegeld actually paid for a navy and protected England against Viking raids from non-Danes (who were already Christian at that time and no longer raiding). Of course when England stopped paying and still hadn't their own navy, the Viking raids resume.. Sometimes using some of the same mercenaries the Danes hired for the Danegeld.

  • Management/Ownership and not IT if it were an IT failure they would have been fired and replaced. And those coming in would have had pretty specific goals to achieve.
  • How hard is this? Just don't download porn or other sketchy crap on your work computer. Ever. That's where these attacks are coming from, people downloading "free porn" on work computers.

    • by gweihir ( 88907 )

      Your fake morality blinds you. If you had done any actual research instead of virtue signalling, you would know that "downloading porn" is not a major attack vector. Instead it is email attachments opened with crappy insecure "Microsoft standard" tools.

      • by dmay34 ( 6770232 )

        I would like you to take a step back and think about this.

        Who is paying for your porn? Porn make up a sizable portion of the internet. There are very large and expensive porn data centers to process and stream all that data. Who do you think is paying for it? Do you pay a subscription?

        As the old adage goes, "If you aren't paying, then you are the product not the customer." Now think about who is paying? What ads have you seen on porn sites? I mean, how many Subaru ads have you seen? Probably none. The only

  • This is one of the reasons why it's incredibly helpful to disclose if you've been hit, etc.. This information is probably extremely helpful in deciding on paying the ransom in the first place, and ensuring it isn't repeated.. (And maybe getting help from the feds.)

    I'd imagine the more disclosure, the more prepared people can be.

  • by SubmergedInTech ( 7710960 ) on Friday June 18, 2021 @07:46PM (#61500274)

    But I just renewed it last week!

  • by EmagGeek ( 574360 ) on Friday June 18, 2021 @08:37PM (#61500348) Journal

    Damn, I never would have seen it coming.. it's almost like, if you reward a certain behavior, that behavior will be repeated..

    My mind is blown.

  • If yo get hit and paid, it means you were badly prepared. That in turn means you need to invest significant effort and time into getting prepared, and, in many cases, you may have to get rid of some incompetents in "leadership" positions. Many companies fail at these steps or are too slow, and so they remain vulnerable. Not being prepared for ransomware is an expensive strategy these days.

  • Any org dumb enough to pay once may be dumb enough to pay twice. And probably they didn't clean up their network properly to scan files, remove backdoors or harden it against further attack.
    • Big corps pay to not have their name and sensitive data posted on shame sites. That causes business loss and lawsuits of greater value than the thugs' demands.

      • by DrXym ( 126579 )
        Yes some might but this is about something else - repeat attacks. I suspect some companies pay the ransom, do some half-assed security fixes and then go about their day as if they're immune from further attack.
  • by ayesnymous ( 3665205 ) on Saturday June 19, 2021 @03:16AM (#61500850)
    They don't attack people/organizations in Russia.
  • Of course they come back, why wouldn't they?
  • It's the First Law of Blackmailers.
    They always come back.

  • I said paying out a ransom lets attackers know you are a cash machine.

    I was "informed" by some dildo that they wouldn't bother because they know you improved security.

    That person (who shall go unnamed because they are unimportant) forgot that security is not a product, it is a process, and the people who fuck it up once are likely to fuck it up twice.

    • You don't fully understand the ransomware issue. Getting keys to decrypt isn't the only thing for sale, they have shame site where they post victim and sensitive stolen data they use for extortion. This causes massive business loss and lawsuits.

      • Even if you pay doesn't mean it still won't get exposed. Better off not paying.

      • You don't fully understand the ransomware issue.

        Says the guy who goes on to prove that he doesn't fully understand the ransomware issue with his comment.

        Getting keys to decrypt isn't the only thing for sale

        Frankly worthless keys, you can't trust that your data is how you left it, so you have to restore from backups anyway.

        they have shame site where they post victim and sensitive stolen data they use for extortion

        Which you can't stop them from doing by paying.

        This causes massive business loss and lawsuits.

        Which can happen whether you pay or not.

        You don't seem to understand that there's no honor among these people, paying them means nothing except they're richer and you're poorer.

  • Millions for defense, but not one cent for tribute.

    Also, did anyone really expect there to be honor amongst thieves?

  • After being hacked/breached, one would expect a major institution to call in a first-class expert team to examine their systems and procedures to prevent recurrences. The fact that 80% of the time these companies are hit again indicates that it is IMPOSSIBLE to prevent hacking! Whether that's due to the CIO refusing to implement the recommended strategies no matter how draconian, or simply that there will always be undiscovered 0-day exploits no matter how may eyes, can't be predicted just from that statist

    • After being hacked/breached, one would expect a major institution to call in a first-class expert team to examine their systems and procedures to prevent recurrences.

      Only if "one" is living in deep denial.

      The fact that 80% of the time these companies are hit again indicates that it is IMPOSSIBLE to prevent hacking!

      No, it certainly does not. It indicates that companies that failed at security once failed again. Say it with me, say it again, say it loud and proud, Security is not a product. You can't simply buy security. You have to change your processes, not just the shape of your network, though network design is also critical.

  • by RitchCraft ( 6454710 ) on Saturday June 19, 2021 @01:55PM (#61501856)
    Do we need another law on the Federal books that makes paying ransoms illegal? The only way ransomware is going to stop is if no ransoms are ever paid. These crooks are looking for money, not the thrill of hacking/cracking a "secure" system. Remove the money and remove the threat. Companies (MBAs?) need to be held accountable for their inadequate IT departments. That potential ransom money would be better spent getting their IT departments in order. Also make it illegal to pass the costs of downtime due to hacks/attacks onto the consumer. Hit these MBAs in the pocket book and watch their IT departments get the people/resources they need in a hurry.
    • Do we need another law on the Federal books that makes paying ransoms illegal?

      Yes. And the fine for doing it should exceed the ransom, and be spent on improving security somehow (though I'm not sure how you could improve security by spending money unless you used it as campaign funds for someone who wanted to reform the NSA.)

  • It seems a bit weird but honestly outlaw that stuff.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...