60 percent of Swiss companies affected by extortion malware
A survey by an IT security service provider shows that the average ransom paid in Switzerland has fallen by 6 percent to CHF 84,052. 35% of Swiss companies whose data was encrypted in an attack with extortion malware paid the ransom.
IT security service provider Sophos has published its annual "State of Ransomware 2022" study. It provides an overview of the development of ransomware in practice. The report shows that 60% of companies surveyed in Switzerland (globally 66%) were affected by ransomware in 2021, up from 46% in 2020. The average ransom paid by Swiss companies whose data was encrypted in their largest ransomware attack has decreased by around 6%, amounting to CHF 84,052 (CHF 89,147 in the previous year). 35% (globally 46%) of Swiss companies whose data was encrypted paid the ransom to get their data back, even if they had other means of data recovery, such as backups. The report summarizes the impact of ransomware on 5,600 SMBs in 31 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East and Africa, with 965 companies internationally (7 in Switzerland) providing specific details on ransomware payments.
Paying ransom: fast but risky option
"In addition to escalating payments, the survey also shows that the percentage of victims willing to pay continues to rise, even when they have other options available to them," said Chester Wisniewski, principal research scientist at Sophos. "There could be several reasons for this, such as incomplete backups or preventing the publication of stolen data on a public-leaks site. After a ransomware attack, there is often a lot of pressure to restore operations as quickly as possible. Restoring encrypted data using backups can be a difficult and time-consuming process. Therefore, it is seemingly tempting to pay a ransom for data decryption because it appears to be a quick option. However, this approach comes with high risks. Companies do not know what the attackers may have done on the network besides the ransomware attack, such as installing backdoors for future attacks or copying passwords. In a worst-case scenario, if organizations don't thoroughly clean up the recovered data, they still end up with potentially malicious programs on their network and may be exposed to another attack."
Extortion malware causes immense damage
The "State of Ransomware 2022" survey looks at ransomware incidents and experiences in 2021. The survey was conducted by Vanson Bourne, an independent market research specialist, in January and February 2022. For the global survey, "affected by ransomware" was defined as one or more devices affected by a ransomware attack but not necessarily encrypted. Unless otherwise noted, respondents were asked to report on their most significant attack. The key findings of the study can be summarized as follows:
- Amount of ransom payments: In 2021, none of the Swiss companies reported paying ransoms of $1 million or more, in contrast to 11% from a global perspective. Most Swiss companies (about 72%) paid sums between CHF 47,834 and 239,175 ($50,000 and $250,000).
- More victims pay ransom: In 2021, 35% (46% globally) of Swiss companies whose data was encrypted by an extortion malware attack paid the ransom. From a global perspective, 26% of companies that recovered encrypted data using backups in 2021 also paid the ransom.
- The impact of a ransomware attack can be immense: The average cost of recovery from a ransomware attack in 2021 for Swiss companies was CHF 1,568,986 (globally $1.4 million / CHF 1,339,379). It took an average of one month to repair the damage and business disruption. 93% (globally 90%) of Swiss companies said the attack affected their ability to operate, and 87% of private sector victims said they lost business and/or revenue due to the attack.
- Many businesses rely on cyber insurance to help them recover from a ransomware attack: In Switzerland, 83% (globally 83%) of the companies surveyed had cyber insurance covering them in the event of a ransomware attack. In 100% of the Swiss incidents, the insurer paid some or all of the costs incurred; only in 38% was the entire ransom covered.
- Ninety-four percent of those who have purchased cyber insurance said their experience of purchasing it has changed in the last twelve months: This sentiment is expressed primarily through higher cybersecurity requirements, more complex or expensive policies, and fewer companies offering coverage.
Does cyber insurance lead to higher ransoms?
"The findings suggest that we may have reached a peak in the evolution of ransomware, where attackers' greed for ever-higher ransom payments collides head-on with a hardening of the cyberinsurance market. Insurers are increasingly seeking to reduce their ransomware risk and exposure," said Chester Wisniewski. "In recent years, it has become easier and easier for cybercriminals to deploy ransomware because almost everything is available as a service. In addition, many cyber insurance providers have covered a wide range of recovery costs due to ransomware, including the ransom, which has likely contributed to ever-increasing ransom demands. The findings also suggest that cyber insurance providers are getting tougher, and victims of ransomware may be less willing or less able to pay extremely high ransoms in the future. Unfortunately, this is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource intensive as other more crafted cyberattacks. Therefore, any ransomware is a worthwhile payoff, and cybercriminals will continue to seek out the easy targets."
How to protect yourself from extortion malware
Sophos recommends the following best practices to protect against ransomware and similar cyberattacks:
- Install and maintain high-quality protective measures throughout the company. Regular audits and security checks ensure that the security measures permanently meet the company's requirements.
- Actively search for threats to identify and stop attackers before they can carry out their attacks. If the IT or security team does not have the resources or knowledge to do this themselves, Managed Detection and Response (MDR) specialists should be engaged.
- Harden the IT environment by detecting and closing dangerous security vulnerabilities such as unpatched devices, unprotected machines, or open RDP ports. Extended Detection and Response (XDR) solutions identify and eliminate such gaps.
- Be prepared for the worst. Companies should know what to do if a cyber incident occurs and keep the contingency plan up to date.
- Create backups and test recovery so the business can resume operations as quickly as possible with minimal disruption.
Source and further information: Sophos