Four in every five organisations that pay up to regain access to their IT systems will suffer a second ransomware attack, new research shows. And 46% of those subsequent attacks are believed to be carried out by the same threat actor that conducted the initial attack.

The report was conducted by Censuswide in collaboration with Cybereason. 1,263 cyber professionals around the world were polled, with 44% of them working in the technology industry. Other significant findings of the report include:

  • 66% of organisations suffered significant revenue loss from the ransomware attack
  • 46% had their data corrupted after retrieving it
  • 3% didn’t regain access to their information at all, despite paying the ransom

The Australian Government officially recommends against organisations paying threat actors when hit by a ransomware attack, stating:

“We recommend you do not pay the ransom. There is no guarantee paying the ransom will fix your devices. It can also make you vulnerable to future attacks. Instead, restore your files from backup and seek advice.”

For a more complete discussion on whether you should pay, head to our blog post here.


The growing threat of ransomware

The report notes that the average ransom sum demanded by cyber criminals has risen nearly 30x within two years — from $8,000 in 2018 to approximately $238,000 in 2020 ($6,000 USD to $178,000 USD). Ransomware attacks are expected to cost organisations around the world $26.67 billion ($20 billion USD) this year alone.

Beyond the bottom-line damages, a ransomware attack caused 25% of organisations to shut down, either temporarily or permanently, and 29% of them made staff layoffs. 32% of those organisations made staff restructures at the very top, with their C-level executives either resigning or being dismissed.

Add to that how ransomware attacks are a permanent blemish on organisational reputation and often to future revenue flow, and it’s no surprise that 81% of organisations reported being highly concerned or very concerned about the risk of ransomware.

Unfortunately, ransom attacks are only rising, as remote and hybrid workforces create a wider attack vector for threat actors to target. The report estimates that organisations will suffer one ransomware attack every 11 seconds in 2021.


How to defend yourself from ransomware

Organisations that have been breached must take important steps to defend themselves against the initial vulnerabilities that enabled the attack. The most popular solutions added after a ransomware attack, in order, were security awareness training (implemented by 48% of organisations), a Security Operations Centre or SOC (48%), endpoint protection (44%), data backup and recovery (43%), and email scanning (41%).

Other advanced and modern solutions can also improve your cyber posture. Modern vulnerability management tools, for example, let you detect and resolve weaknesses in your organisation before you’ve been breached. Meanwhile, a SIEM platform can aid visibility by offering real-time tracking for your analysts to see all cyber activities in your IT environment.

Ultimately, by far the most cost-effective strategy to deal with ransomware threats is to prevent them in the first place. While detection, response and recovery solutions are critical to ensuring business resilience and uptime, building effective prevention strategies can cut off the weakness before it’s exploited, ensuring there is nothing to attack. Effective prevention also avoids the enormous costs of organisational downtime, reputational damage, and recovery time.


How can CT help?

CT Cyber has an Endpoint Detection and Response (EDR) solution designed to protect organisations against ransomware. CT EDR is a Fabric Agent that that delivers protection, compliance, and secure access in a single, modular lightweight client. The agent runs on an endpoint, such as a laptop or mobile device, that communicates with the CT Security Fabric to provide information, visibility, and control that enables secure, remote connectivity to the Security Fabric.

The Fabric Agent can:

  • Report to the Security Fabric on the status of a device, including applications running and firmware version
  • Send any suspicious files to a Fabric Sandbox
  • Enforce application control, USB control, URL filtering, and firmware upgrade policies
  • Provide malware protection and application firewall service
  • Enable the device to connect securely to the Security Fabric over either VPN (SSL or IPsec) or Zero Trust Network Access (ZTNA) tunnels, both encrypted. The connection to the Security Fabric can either be a Next-Generation Firewall or SASE service

If you’ve been breached or are looking to implement proactive defences against ransomware, visit our cyber security page for more information on how we can help protect your organisation.