In 2016, Trend Micro partnered with ISMG to conduct a survey of financial, healthcare, and government organizations to better understand the challenges they are facing with ransomware. Some of the results surprised us, while others were somewhat expected based on what we saw throughout 2016.
We all know ransomware has been a major pain for many organizations, and we have seen a number of high-profile attacks occur in 2016. Trend Micro saw a 748 percent increase in the number of new ransomware families year over year (29 in 2015, 246 in 2016), which shows us that this particular threat has taken the threat actors by storm. Most actors today use ransomware in their attacks, and we’re also seeing nearly all exploit kits serve up ransomware now. So we know ransomware is a major threat affecting organizations, and as such, we wanted to gain a better understanding of how this threat affects US-based commercial organizations and US government agencies. Let’s dive into some of the more revealing results we found from these organizations.
First, more than half (53 percent) of the organizations have been victims of a ransomware attack in the past year. But we also found 15 percent did not know whether they had been a victim or not. If we break this down by industry, financial organizations appear to be a bit more protected: only 33 percent of them said they were victims, while 67 percent of US government respondents said they had been victims. This doesn’t surprise me, as we know financial organizations typically spend more on IT security than government agencies. Seventy-five percent of respondents indicated that ransomware attacks had increased slightly or significantly in the past year. This is in line with our research and what we’ve seen among our customers, and it confirms that threat actors are using this threat more actively now.
The second response that was particularly interesting was the number of attacks respondents reported. One in five organizations is dealing with more than 50 attacks every month, while 42 percent are dealing with more than five attacks per month. This shows the challenge many organizations have to deal with: they have to detect and block every attack, while the threat actors only have to be successful once. This is the same challenge organizations have had with targeted attacks, and we’re now seeing threat actors incorporate similar tactics in their day-to-day operations.
Third, 65 percent of respondents indicated they were infected when users visited a compromised or bogus site, while only 26 percent said they were infected by a spam email attachment. This is probably the most controversial result we had, as most of our research has shown email as the No. 1 infection vector. If we look a bit further into this result, we may find a challenge with the way the survey question was asked. We did not ask about emails with embedded URLs, which would potentially show up as part of the 65 percent result. But we are seeing more use of malicious URLs, whether through an embedded email link, through compromised websites, or through malvertising sites (which showed up as 44 percent of the infection vectors in the survey). The fact of the matter is that nearly all ransomware will come from the Internet, either via email or URLs. This gives a clue as to where organizations should focus their efforts on blocking this threat, and suggests they review their existing gateway and email security solutions.
The last area I want to discuss is the challenge respondents had with their end users. Sixty percent say that, when it comes to the risk of ransomware attacks, their biggest vulnerability is the susceptibility of their employees to phishing schemes. The good news is 71 percent say they will invest in user education in 2017 to help with ransomware, but the challenge I see with this is that threat actors are becoming very clever in their development of phishing emails and their use of legitimate, compromised sites to infect a user. Education is great and should be done, but many organizations should also invest in anti-ransomware security solutions.
There are many other interesting areas covered in the survey, like ransom-specific questions and more information on how this threat is affecting these organizations, so I suggest you check out the full report. Finally, the report provides the following conclusions based on the results:
I hope you find the data within the report helpful, and if you aren’t in one of the three industries we focused on, know that the results are likely typical for yours too. If you want more information on ransomware, Trend Micro provides many resources for you to educate yourself.
If you have questions, feel free to leave a comment and I’ll do my best to get you an answer.