Almost Three-quarters of Ransomware Victims Hit Multiple Times
A recent study conducted by the cybersecurity firm Semperis has revealed that companies are often targeted by ransomware groups multiple times, with almost three-quarters (74%) of companies that experienced a ransomware attack saying they had been attacked multiple times. These attacks caused disruption at 87% of attacked companies; 37% reported suffering data loss, and 33% of companies said they had to take all of their systems offline. In healthcare, 40% suffered data loss and 29% had to take all of their systems offline.
Companies in the United States and the United Kingdom were most likely to have experienced a ransomware attack, with 85% of surveyed companies in those countries suffering at least one ransomware attack in the past 12 months. The industries with the highest number of attacks were finance and healthcare, with 88% and 85% of respondents in those sectors saying they had experienced a ransomware attack in the past 12 months. Initial attacks were most successful in education and healthcare, with healthcare organizations the most likely to suffer multiple simultaneous attacks. 35% of healthcare organizations said they were attacked simultaneously by multiple threat groups.
The survey was conducted by Censuswide on behalf of Semperis and covered 900 IT and security executives in the United States, United Kingdom, France, and Germany. 78% of companies that suffered an attack said they paid a ransom (66% in healthcare), and overall, 32% said they paid a ransom 4 or more times in the past 12 months. Multiple ransomware payments were most common in Germany, where almost half of German companies paid 4 or more ransoms, with one-fifth of U.S. firms paying ransoms 4 or more times in the past 12 months. Semperis reports that cybercriminals often insert malware or backdoors into systems before using ransomware to encrypt files, which allows further attacks to be conducted when the company has recovered.
In the US and UK, 75% of attacked companies that paid a ransom said they did so to regain access to their data, and 10% of those companies paid more than $600,000. The survey showed many companies see little alternative other than paying a ransom; however, paying a ransom does not guarantee a full recovery. According to the survey, 35% of companies that paid the ransom said they did not receive the decryption keys or were unable to recover their files and assets as the decryption keys were corrupted.
Semperis, a provider of Active Directory protection and recovery solutions, probed companies on the defenses they had in place to protect their identity systems. While 70% of companies said they had an identity recovery plan that could be initiated following a ransomware attack, 61% of respondents said they do not have a dedicated backup system for Active Directory (AD) or Entra ID. Only 27% of the surveyed companies maintained dedicated systems for recovering AD, Entra ID, and identity controls.
AD is used to manage access for almost all users, groups, applications, and resources, and it is a key target for ransomware groups. “It’s not surprising to me that the majority of ransomware targets the identity system,” said Simon Hodgkinson, Strategic Advisor, Semperis. “If an attacker wants to create the maximum impact to extort money, they want to take control of your environment — and they will absolutely want to own Active Directory. Once Active Directory is compromised, the threat actors hold the keys to your kingdom.”
Sean Deuby, Principal Technologist (North America), Semperis, explained that it is common for companies to focus their effort and resources on endpoint protection; however, all too often, threat actors are able to get past endpoints and compromise the network. “Once they’re inside the network, they go through the whole identity system. What defense do you have when that happens? Because once they own your identity system, they have all the power. If your identity system goes down, none of your other solutions will work,” said Deuby.


