Sophos, a global player in next-generation cybersecurity, recently announced the findings of “The State of Ransomware 2021,” its survey in 30 countries, which reveals Philippine organizations spent an average of US$820,000 or more than Php 40 million to recover from ransomware attacks. This amount includes ransom paid, downtime, people, device, and network costs.
In the Philippines, 42% of organizations surveyed reported that they were hit by ransomware last year (up from 30% the previous year), with 76% suffering data encryption, which is higher than the global average of 54%.
While organizations in the Philippines are less able to stop attackers from encrypting data than the global average, they are better able to deal with ransomware attacks when these do hit, as they are much more able to restore data from backups (88%) than the global average (57%). The propensity of Philippine organizations to pay the ransom (4%) is far lower than the worldwide average (32%).
While overall recovery costs in the Philippines are high (US$820,000), they are considerably lower than the global average of US$1.85 million. This may be because the Philippines is the most prepared to recover from such incidents: 83% of respondents have a ‘full and detailed’ business continuity plan/disaster recovery plan that includes plans to recover from a significant malware incident – the highest of all countries surveyed.
The main findings of the State of Ransomware 2021 global survey include:
- The global average cost of remediating a ransomware attack more than doubled in the last 12 months. Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of US$761,106 in 2020 to US$1.85 million in 2021. This means that the global average cost of recovering from a ransomware attack is now ten times the size of the average ransom payment.
- The global average ransom paid was US$170,404. Globally, while US$3.2 million was the highest payment among those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.
- The number of organizations globally that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to retrieve all their data. In the Philippines, 4% paid the ransom to get their data back, while 88% got their data back through backups.
- More than half (54%) of respondents globally and more than three-quarters (76%) in the Philippines believe cyberattacks are now too advanced for their IT teams to handle on their own.
- Extortion without encryption is on the rise. A small but significant 7% said their data was not encrypted but they were still held to ransom, possibly because the attackers had managed to steal their information. In 2020, this figure was 3%.
“Recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data,” said Chester Wisniewski, principal research scientist, Sophos. “Whole systems need to be rebuilt from the ground up. Then there is the operational downtime and customer impact to consider, and much more. Further, the definition of what constitutes a ‘ransomware’ attack is evolving. For a small but significant minority of respondents, the attacks involved payment demands without data encryption. It could be because they had anti-ransomware technologies to block the encryption stage or because the attackers simply chose not to encrypt the data. The attackers were likely demanding payment in return for not leaking stolen information online. A recent example of this approach involved the Clop ransomware gang and a known financially motivated threat actor hitting around a dozen alleged victims with extortion-only attacks.
“In short, it is more important than ever to protect against adversaries at the door before they get a chance to take hold and deploy their increasingly multi-faceted attacks. Fortunately, if organizations are compromised, they don’t have to face this challenge alone. Support is available 24/7 in the form of external security operations centers, human-led threat hunting, and incident response services.”
Sophos recommends the following six best practices to defend against ransomware and related cyberattacks:
- Assume you will be hit. Ransomware remains highly prevalent. No sector, country, or organization is immune from the risk. It’s better to be prepared but not hit rather than the other way around.
- Make backups and keep a copy offline. Backups are the primary method organizations surveyed used to recover their data after an attack. Opt for the industry-standard approach of 3:2:1 (three sets of backups, using two different media, one of which is kept offline).
- Deploy layered protection. As more ransomware attacks involve extortion, it is more important than ever to keep adversaries out in the first place. Use layered security to block attackers at as many points as possible across an estate.
- Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts can best detect the tell-tale tactics, techniques, and procedures that indicate an attacker is attempting to get into the environment. If you don’t have the skills in-house, look at enlisting the support of a specialist cybersecurity company – Security Operations Centers (SOCs) are now realistic options for organizations of all sizes.
- Don’t pay the ransom. Easy to say, but far less easy to do when an organization has ground to a halt due to a ransomware attack. Independent of any ethical considerations, paying the ransom is an ineffective way to get data back. If you do decide to pay, bear in mind that the adversaries will restore, on average, only two-thirds of your files.
- Have a malware recovery plan. The best way to stop a cyberattack from turning into a complete breach is to prepare in advance. Organizations that fall victim to an attack often realize they could have avoided significant financial loss and disruption if they had had an incident response plan in place.