Sophos has released its annual “State of Ransomware 2023” report, which found that the rate of ransomware attacks on Singaporean organisations increased considerably in 2022: 84 per cent of organisations surveyed said they were a victim of ransomware, compared with 65 per cent the year before.
This increase meant that Singapore reported the highest rate of ransomware attacks of all countries surveyed this year.
In 61 per cent of attacks on surveyed organisations, adversaries succeeded in encrypting data, and 53 per cent of those whose data was encrypted paid the ransom to get it back. This is up from 48 per cent last year and higher than the global average of 47 per cent.
On a global scale, the survey also shows that organisations that paid a ransom to get their data decrypted ended up doubling their recovery costs (US$750,000 in recovery costs versus US$375,000 for organisations that used backups to get their data back).
Moreover, paying the ransom usually meant longer recovery times: 45 per cent of the organisations that used backups recovered within a week, compared with 39 per cent of those that paid the ransom.
“Rates of encryption are very high, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes,” said Chester Wisniewski, field CTO, Sophos.
“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” said Wisniewski.
When analysing the root cause of ransomware attacks, the most common was an exploited vulnerability (involved in 43 per cent of cases), followed by compromised credentials (involved in 26 per cent of cases). This is in line with recent in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders.
Additional key global findings from the report include:
- In 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace
- The education sector reported the highest level of ransomware attacks, with 79% of higher education organisations surveyed and 80% of lower education organisations surveyed reporting that they were victims of ransomware
- Overall, 46% of organisations surveyed that had their data encrypted paid the ransom. However, larger organisations were far more likely to pay. In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. This may partly be because larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments
“With more Singaporean organisations reporting that they have been victimised by ransomware criminals than the year before, organisations need to work to aggressively lower both time to detect and time to respond,” said Wisniewski.
“Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognise the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the minority who stay safe and the majority who do not. Organisations must be on alert 24×7 to mount an effective defence these days.”
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
- Strengthen defensive shields with:
  - Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
  - Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  - 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
- Optimise attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
- Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations.
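The recommendation to practise recovering data from backups is only useful if the drill can tell a good restore from a bad one: a backup taken after files were already encrypted, or a restore that silently drops or corrupts files, looks fine until it is needed. The following Python script is an added example (not Sophos code and not from the report) of a minimal restore drill: it records a SHA-256 manifest of a constructed source tree at backup time, restores a copy, and verifies the restored tree against the manifest, reporting missing, modified and unexpected files. All file names and contents are constructed for the example.

```python
"""Backup manifest and restore-verification drill (added example, not Sophos code).

Records a SHA-256 manifest of a constructed source tree when the backup is taken,
restores a copy, and checks the restored tree against the manifest so that a
truncated, corrupted or post-backup-encrypted file is caught before the backup is
trusted during an incident.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of 'missing' (in manifest, not restored), 'modified' (digest
    differs) and 'unexpected' (restored, not in manifest) paths. All three empty
    means the restore drill passed.
    """
    present = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(present))
    unexpected = sorted(set(present) - set(manifest))
    modified = sorted(p for p in manifest if p in present and present[p] != manifest[p])
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def restore_drill(simulate_tamper: bool = False) -> dict:
    """Run an end-to-end backup/restore drill on constructed sample data.

    With simulate_tamper=True, one restored file is overwritten with random bytes
    (standing in for a file encrypted after the backup was taken) and another is
    deleted, so the verification must report both.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        # Constructed sample files; any real deployment would point at real data.
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("quarterly close procedures\n")

        manifest = build_manifest(src)        # taken at backup time, stored separately
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)          # the backup step
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)     # the restore step being exercised

        if simulate_tamper:
            (restored / "finance" / "ledger.csv").write_bytes(os.urandom(64))
            (restored / "readme.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(simulate_tamper=True))
```

The manifest should be stored somewhere the backup job cannot overwrite (offline or on write-once storage), otherwise an attacker who can encrypt the backup can also rewrite the hashes it is checked against; the drill is only as trustworthy as the manifest's provenance.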