Why Some Organizations Become Victims of Repeat Ransomware Attacks
It’s not a matter of if, but when an organization falls victim to a cyberattack. Despite increased awareness of ransomware’s risks and despite organizations’ efforts to increase security measures, attackers seem to always stay one step ahead. New research shows that last year, almost 75% of organizations experienced at least one successful ransomware attack, and almost 40% of organizations experienced multiple attacks.
Attackers often seek out targets that have large impacts on society when taken down. As such, energy, oil/gas and utility organizations are particularly attractive targets. A full 85% of organizations in these sectors experienced at least one ransomware attack in 2022 and 53% reported two or more successful attacks.
While it’s true that many attackers specifically target larger organizations, it’s also worth noting small and mid-sized businesses (SMBs) are also at risk. In fact, many attackers pursue these organizations because they typically have fewer resources to manage their IT infrastructure and may have less robust security measures, making them an easier target for attackers. This can also be a relatively quick and lucrative way for attackers to achieve their goals.
Let’s take a closer look at the key factors that can put organizations at risk of falling victim to a ransomware attack.
Risk factors
Lack of Visibility: Without a clear understanding of the hardware, software, and assets both on-prem and in the cloud, being used by the organization, it can be difficult to properly assess and manage security risks. This is particularly challenging to organizations with multiple departments, as different teams may be using different technologies without proper coordination or oversight.
Lack of Talent: The cybersecurity talent gap has become a challenge for many organizations. The 2022 (ISC)2 Cybersecurity Workforce Study highlighted that as of 2022, over 3.4 million cybersecurity jobs remained unfilled. This lack of skilled professionals can leave organizations vulnerable to attacks and slow down incident response time.
Weak Security Measures: 69% of ransomware attacks start with a malicious email designed to steal credentials, using social engineering techniques like phishing to trick employees into clicking malicious links or downloading infected attachments. Another common entry point is vulnerabilities in web applications or web traffic on an organization’s site. Attackers can exploit these weaknesses to gain access to sensitive data or install malware. Firewalls and cloud applications are also not immune to ransomware attacks. Recent studies have revealed authentication bypass and remote code execution (RCE) vulnerabilities in these systems, allowing attackers to bypass security measures and gain unauthorized access to data.
Inadequate Incident Response: The fact that many organizations were hit multiple times suggests that security gaps were not addressed after the first attack. Perhaps during the first attack, the attackers implanted backdoors that were not identified and removed. Maybe passwords were not reset immediately following the attack and were leveraged again in subsequent attacks.
Willingness to pay Ransom: Research suggests that organizations hit multiple times paid the initial ransom to recover their data. 42% of victims that were hit by three or more attacks paid the requested ransom, compared to 34% affected twice and 31% of organizations that were ‘lucky’ to be successfully targeted once. If an organization is known to cooperate with its attacker and pay the ransom, the chances of other attackers going after the same organization increase.
How to be Proactive and Better Prepared
Establishing protected assets and building concentric rings of security around them is essential to protect organizations from attacks. This involves creating multiple layers of security that strengthen as they get closer to the most critical assets.
One key element of a multi-layered approach is deploying and configuring an endpoint detection and response (EDR) solution, focused on protecting laptops, desktops and servers both on-prem and in the cloud. EDR solutions are designed to detect and respond to potential ransomware attacks in real-time, providing organizations with the necessary information to contain threats and minimize impact. Deploying an EDR solution alone is not enough – it’s crucial to properly configure solutions to ensure optimization for the organization’s unique needs.
Organizations should also focus on preventing attacks by deploying anti-phishing capabilities in emails, providing employee training and awareness programs, and investing in multi-factor authentication (MFA) and zero-trust access. To secure business applications outside of MFA, IT professionals should deploy web application security to all of their software-as-a-service (SaaS) applications and infrastructure access points.
Given the evolving and complex nature of today’s cyberthreat landscape, it’s essential for organizations to utilize advanced solutions like extended detection and response (XDR). XDR solutions provide end-to-end visibility across an organization’s full tech stack, enabling them to detect potential attacks and respond before a breach occurs. With XDR, organizations gain actionable insights and threat intelligence to stay ahead of threats.
