Ransomware has become a household name in the security world, and it’s no wonder it’s top of mind for SecOps – in our most recent Ransomware Defense Report, 81% of surveyed organizations reported being affected by ransomware at least once in the past 12 months.
The ransomware threat is so prevalent that it’s now the top cyber exposure concern among risk professionals globally, according to the annual Allianz Risk Barometer. This ranking speaks volumes, considering that the same risk professionals identify cyber incidents as the biggest overall risk category, ahead of business interruption and natural disasters. So in another survey we conducted with CISOs, it wasn’t surprising to learn that ransomware was the threat that concerned them the most, too.
However, there appears to be a disconnect between organizations caring about and prioritizing ransomware prevention, and actually having the right countermeasures in place to properly defend against next-gen tactics that lead to attacks. In our 2023 Ransomware Defense Report, fresh research shows that more than a fifth of known ransomware events were preceded by an infostealer malware infection in 2023 – but only 19% of surveyed organizations are prioritizing improved visibility and remediation of exposed credentials and malware-exfiltrated data.
The Costs of Ransomware, Including the Less-Obvious
The material damages of ransomware attacks by themselves can be tremendous. The average ransom alone was $1.54 million last year, while the average cost of recovery was $1.82 million, according to Sophos data. IBM’s annual Cost of a Data Breach Report shows an even higher price tag for a ransomware attack: $5.13 million on average, not counting the ransom (surpassing the $4.45 million average cost of a data breach). Mitigation is not the only cost, either – 84% of private sector organizations report losing revenue.
The potential damages inflicted by ransomware, however, don’t stop at financial costs. Unlike data breaches or other attacks that mostly unfold behind the scenes, ransomware is usually a very visible crime. That means brand reputation could take just as big a hit as the bottom line. For example, 46% of organizations experienced damage to their reputation and brand resulting from a cybersecurity incident.
While reputational damage is difficult to measure, business leaders understand that brand reputation impacts the bottom line. On average, executives across the globe attribute 63% of their company’s market value to the company’s overall brand reputation. So it makes sense that damage to brand reputation was ranked by SpyCloud survey respondents as the second greatest impact of a ransomware attack on their organization. And these concerns are not unfounded: more than 60% of ransomware victims say they’ve lost a customer, and 38% say they’ve lost multiple clients as a result of reputational damage.
Another area of the business that companies may not think about is personnel. Being in the middle of a ransomware attack is a stressful experience for everyone, and even employees not directly involved with mitigation are impacted, with 52% reporting trouble sleeping and other mental health issues. Additionally, 71% of employees say their productivity has been impacted while dealing with ransomware recovery.
These kinds of negative experiences contribute to job dissatisfaction. Whether dissatisfied employees leave the business or simply lose the enthusiasm for their job, the company’s bottom line will suffer in the long term.
Impact of Ransomware on SOC Personnel
While all employees feel the ripple effects of a ransomware attack, security operations center (SOC) personnel are the ones who take the biggest hit during the crisis and long after. Many organizations lack the tools that incident responders need to gain complete visibility across their entire ecosystem, and trying to find the answers in the middle of the crisis quickly becomes overwhelming. Two out of nine IT directors report that employees responding to a ransomware attack have become so jaded during the first week of ransomware response that they had to be sent home.
Remediating ransomware takes weeks and potentially months, which means SOC analysts and incident responders have to pull double duty (regular security operations and additional ransomware cleanup) for some time. By the end of the first month of response, 57% of employees directly involved in remediation experience tiredness while 25% report feelings of anger and sadness. Consequently, almost one-fifth consider leaving the job as a result of their ransomware attack experience. Given the cybersecurity talent shortage – currently estimated at 3.4 million globally – this kind of turnover puts organizations at high risk, leaving them exposed to cyber threats without adequate staffing to defend against them.
How to Improve Ransomware Prevention and Response? Better Visibility, Automation
One of the main reasons why organizations struggle with ransomware is simply because of the gaps in their ransomware prevention strategies. Malware-infected devices are one of the most commonly overlooked, hidden ransomware threats. Many security teams don’t have full visibility into their risks, especially those stemming from malware-infected devices, which create open doors to corporate networks. As we found in our latest ransomware report, in 2023:
Specific infostealer infections – Raccoon, Vidar, and Redline – increase the probability that a company will experience a ransomware event.
Companies with Raccoon, Vidar, and Redline infostealers experienced a ransomware event within an average of 16 weeks post-infection.
Without understanding the complete scope of the threat – due to lack of visibility into all infected devices, users, and exposed applications – the SOC team simply cannot mitigate the long-term risks of ransomware. The fresh data that infostealer malware siphons off an infected device gives ransomware operators easy entry into the network. As long as this information – such as the credentials and session cookies for critical workforce applications, including SSO – remains active, it can be used to target the organization.
As a result of incomplete post-infection remediation steps, organizations remain at risk of ransomware for months and possibly longer. Fortunately, 98% of our ransomware survey respondents agree that better visibility into malware-exfiltrated data and automated remediation workflows would improve their overall security posture. A large number of these organizations are also prioritizing adding or upgrading workflows to remediate compromised session cookies/tokens and to remediate exposed passwords in the coming year.
Automated insights that provide evidence of compromise, not simply alerts, can help ransomware responders take quick remediation steps on the specific data that’s been siphoned from infected devices, rather than scrambling for hours to find a root cause and resolution.
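The post-infection check described above, as an added example (not code from this post or from any SpyCloud product): it compares the items exfiltrated from an infected device against account state and lists only what is still live, SSO first. The record fields, the sample data, and the rule that only an explicit session revocation closes out a stolen cookie are assumptions made for illustration.

```python
from datetime import date

# Constructed sample: items recovered from one infostealer log (not real data).
EXPOSED = [
    {"user": "alice", "app": "sso", "kind": "password", "captured": "2023-03-01"},
    {"user": "alice", "app": "sso", "kind": "session_cookie", "captured": "2023-03-01"},
    {"user": "alice", "app": "crm", "kind": "password", "captured": "2023-03-01"},
    {"user": "bob", "app": "vpn", "kind": "password", "captured": "2023-03-05"},
]

# Constructed identity state: when each account last had its password reset
# or its sessions revoked (None = no such event on record).
IDENTITY_STATE = {
    ("alice", "sso"): {"password_changed": "2023-03-10", "sessions_revoked": None},
    ("alice", "crm"): {"password_changed": "2022-11-20", "sessions_revoked": None},
    ("bob", "vpn"): {"password_changed": "2023-03-06", "sessions_revoked": "2023-03-06"},
}

ACTION = {"password": "reset_password", "session_cookie": "revoke_sessions"}


def _after(event, captured):
    """True if the remediation event happened strictly after the data was captured."""
    return event is not None and date.fromisoformat(event) > date.fromisoformat(captured)


def is_still_active(item, state):
    """A stolen item stays usable until the matching remediation postdates its capture."""
    acct = state.get((item["user"], item["app"]), {})  # unknown account: treat as live
    if item["kind"] == "password":
        return not _after(acct.get("password_changed"), item["captured"])
    # Assumption: a password reset alone does not invalidate an existing session,
    # so a stolen cookie is only closed out by an explicit session revocation.
    return not _after(acct.get("sessions_revoked"), item["captured"])


def remediation_plan(exposed, state):
    """Return (user, app, action) for every exposed item still live, SSO first."""
    live = [i for i in exposed if is_still_active(i, state)]
    live.sort(key=lambda i: (i["app"] != "sso", i["user"], i["app"]))
    return [(i["user"], i["app"], ACTION[i["kind"]]) for i in live]


if __name__ == "__main__":
    for step in remediation_plan(EXPOSED, IDENTITY_STATE):
        print(step)
```

In the sample, alice's SSO password was reset after the infection but her SSO session was never revoked, which is the kind of incomplete remediation that leaves stolen data usable.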
The bottom line is, ransomware threats are a business risk. And this risk will not decrease any time soon, since cybercriminals see ransomware as a highly lucrative gig. Ensuring protection from hard-to-detect malware infections that serve as ransomware attack precursors, along with implementing comprehensive post-infection remediation, are actionable steps that any organization should consider as part of its ransomware prevention program.
Close the gaps in your ransomware prevention strategies to avoid the many impacts an attack can have on your organization.