Businesses are getting better at beating ransomware extortionists and more victims are refusing to pay to unlock their systems, according to a new report.
The share of ransom demands that actually ended in payment fell to just 12% in the third quarter of 2021, compared with 44% in the same period a year earlier, according to the report by Boston-based Corvus Insurance.
The report said businesses have become better prepared for ransomware attacks by improving their backup systems: better protecting internal backups, and maintaining off-site backups that serve as a failsafe in case the main systems are compromised.
“Despite efforts by criminals to double-extort victims or find other ways to increase leverage, organizations have generally become better prepared to handle ransomware,” the report states.
The improvement comes as some ransomware gangs have started double-extorting their targets: first demanding a ransom to decrypt the victim’s systems, and then demanding a second payment under the threat of leaking or selling the company’s trade secrets or other sensitive data.
If a ransom demand for decrypting a company’s systems fails to bear fruit because the company had strong backup protocols in place, the criminals may fall back on threatening to expose its sensitive data.
Reasons for improvements
The report said ransomware frequency dropped by 50% in the second quarter of 2021 compared with the first three months of the year, and the lower level was sustained through the third quarter. This was likely linked to the shutdown of two ransomware groups, but other factors also contributed to the drop in both ransomware frequency and the percentage of ransoms that are eventually paid.
Better backups — Companies are implementing more robust backup strategies that include better-protected internal backups and off-site backups that act as a failsafe. According to the publication Computer Weekly, the best practice for backup is the 3-2-1 rule:
- Make three copies of data,
- Store the data across two different forms of media, and
- Keep one copy off-site.
To protect against ransomware, the off-site backup should be isolated from the business network, for example by housing it in the cloud with a reputable cloud storage provider. That can serve as the off-site copy of the data, but keeping another copy on tape, and keeping those tapes strictly offline, is the most reliable way to “air gap” data from a ransomware attack.
E-mail security systems — There are a number of tools that can make e-mail communication safer while avoiding a costly hardware installation. These cloud-based tools scan and filter incoming messages to anyone in the organization.
The Corvus study found a 158% increase in the adoption of e-mail security tools in the third quarter compared to the same period in 2020.
The vendors update their scanning tools regularly to keep up with the latest phishing threats (phishing is often how a system is first compromised, which can open the door for ransomware to reach your data).
Some e-mail service providers have started building scanning and filtering tools into their own systems, but these are often not as strong as stand-alone ones.
Remote desktop protocols waning in use — Fewer companies are running externally accessible Remote Desktop Protocol (RDP) services, which flourished during the lockdowns early in the COVID-19 pandemic. The use of these services has dropped nearly 50% in the last year.
RDP allows a user to access their computer or servers from another computer when off-site.
However, such systems are extremely vulnerable to credential compromise: attackers use a “brute force” attack, repeatedly trying username and password combinations until one works. For companies that use RDP, Cisomag.com, an online computer publication, recommends:
- Using a secure VPN connection instead of RDP to access desktops remotely.
- Enforcing the use of strong passwords, and password changes every 60 to 90 days.
- Setting a threshold for failed password attempts: the system should lock the account after three failed login attempts.
- Changing the default name of your administrator account.
- Checking your group policies frequently.
- Installing all server patches and paying attention to Microsoft Patch Tuesday (Update Tuesday) announcements and similar advisories.
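The lockout-threshold recommendation above doubles as a simple detection rule. The Python below is an added example, not code from the report, Cisomag or this article: it applies that rule to constructed Windows Security log lines, flagging a source that fails three RDP logons within a short window and noting when a successful logon follows. Event IDs 4625/4624 and logon type 10 are real Windows values; the key=value log layout, the hosts and addresses, and the five-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events in a simplified key=value form
# (not the real EVTX/XML layout). 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive, i.e. a logon over RDP.
SAMPLE_LOG = """\
2021-09-14T02:10:01 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-09-14T02:10:04 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-09-14T02:10:07 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-09-14T02:10:09 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.23
2021-09-14T02:11:30 EventID=4624 LogonType=10 Account=administrator Source=198.51.100.23
2021-09-14T08:00:00 EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.5
2021-09-14T08:30:00 EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.5
2021-09-14T09:00:00 EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.5
2021-09-14T09:00:05 EventID=4624 LogonType=10 Account=jsmith Source=203.0.113.5
2021-09-14T09:05:00 EventID=4625 LogonType=2 Account=jsmith Source=-
"""

def parse_event(line):
    """Split one sample line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_rdp_guessing(log_text, threshold=3, window_minutes=5):
    """Flag (source, account) pairs with `threshold` or more failed RDP logons
    inside `window_minutes`, and record whether a success followed. threshold=3
    mirrors the lockout setting recommended above; the window is an assumption
    playing the role of the lockout observation window in Windows policy."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(list)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["LogonType"] != "10":
            continue  # ignore console/network logons; RDP only
        key = (ev["Source"], ev["Account"])
        if ev["EventID"] == "4625":
            kept = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            kept.append(ev["ts"])
            recent_failures[key] = kept
            if len(kept) >= threshold:
                alerts[key] = {"failures": len(kept), "success_after": False}
        elif ev["EventID"] == "4624" and key in alerts:
            # A success right after a burst of failures means guessing worked.
            alerts[key]["success_after"] = True
    return alerts
```

The slow attempts against jsmith (one every 30 minutes) slip under a five-minute window, which is why the lockout window, not just the threshold, matters when the policy is set.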