Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”
Credit to Author: Paul Ducklin| Date: Wed, 27 Apr 2022 15:22:43 +0000
Even if you’re not a native speaker of English, you’ve probably heard the curious saying, “It’s a bit of a Curate’s Egg”, referring to something about which you’re determined to keep a positive public attitude, even if your immediate private reaction was to be disappointed.
The saying has certainly stood the test of time, coming as it does from a British satiricial cartoon from the late 1800s, in which a young curate has been invited to breakfast with the bishop.
(A curate is an Anglican church minister in their first job, right at the bottom of the clerical hierarchy, while a bishop is in the uppermost levels of church staff.)
Loosely speaking, the cartoon depicts the modern business equivalent of an intern who finds themelves in the midst of a lunch meeting of senior VPs: a promising but vaguely intimidating situation, with the very real danger of not getting a second chance to make a good first impression.
The British, of course, are well-known for eating boiled eggs at breakfast time, and in the Victorian era, there were no food labelling regulations to tell you how long your eggs had been in the supply chain, so stale eggs were a much common problem than they are today.
And a boiled egg, still being in its shell when it’s served, doesn’t reveal that it’s gone off until you open it up to eat it…
…whereupon it rapidly reports its rancidity to the rest of the room by releasing a rancorous reek. (It’s a sulfurous smell, but we’d already decided to alliterate with R, so there was no space for a stench soubriquet starting with S in that sentence.)
Anyway, in the now-famous cartoon, the bishop is seen apologising to the junior cleric for serving him a bad egg, saying, “Dear me, I’m afraid your egg’s not good!”
The timid curate, for whom both the Ninth Commandment and the aforementioned rancourous reek preclude an outright lie, but for whom politeness and social discretion is the better sort of valour, gamely but absurdly replies, “Some parts of it are very good.”
Which is a long way of warning you how you might react to the news delivered by the Sophos Ransomware Survey 2022, which we published today:
No leading questions
As usual, we didn’t conduct the survey ourselves, to avoid the problem that a cybersecurity company asking respondents cybersecurity questions might be considered “leading the witnesses”.
Surveys overtly connected with vendors often result in answers, like the curate’s remark about the egg, that the respondents thought the experts might like to hear, rather than the bald facts of what really happened.
We also made an effort to keep our sample size high, and to talk to a broad and representative cross-section of the global business community.
We therefore used a survey company to conduct the process, and they asked numerous cybersecurity questions to more than 5500 randomly-chosen respondents from a wide range of businesses of varying sizes in more than 30 countries across the globe.
As with the Curate’s Egg, you’ll find that some parts of the report are indeed very good, but it’s hard to sugar-coat the headline statistic of this year’s survey, which is disappointing.
In our Ransomware 2020 survey, 1/2 of our respondents said that they’d actually had a ransomware infection in the past year (2019).
In our Survey 2021, we were pleased to report that figure was down to about 1/3, with a creditable 63% of respondents saying they’d avoided ransomware altogether during 2020.
But in the Ransomware 2022 survey, the figure has gone up again, with 2/3 of our respondents admitting to a ransomware infection during 2021.
In other words, the underlying prevalence of ransomware attacks has doubled since our previous report, which implies that the size, scale and skills (if we may use that word in this context) of the cybercriminal underworld have increased correspondingly, too.
Not everyone needed to pay up
The upside to that figure is that 1/3 of those who did get hit nevertheless managed to prevent the usual disastrous denoument by heading off the cybercriminals before they were able to unleash the final data-scrambling part of the attack.
In other words, even though all of those who suffered a ransomware intrusion faced an extensive malware cleanup exercise and a possible data breach disclosure to their local regulator, defence-in-depth meant that 33% of them were spared the total derailment of their business that typically happens after a file-encrypting ransomware attack.
Also, just over 1/2 (54%) of those who did get hit, and were faced with the choice of paying up, didn’t hand money to the crooks, but found other ways to recover instead.
Sadly, however, the proportion of victims who refused to pay up is one statistic that has deteriorated over the past three years.
In 2020, just 1/4 of victims said they paid up; in 2021, that was up to 1/3; but in 2022, as we just said, the figure was close to 1/2.
What to do?
Our Top Tips are:
- Ensure high-quality defences at all points in your environment. Review your security controls and make sure they continue to meet your needs. As the ever-increasing success of ransomware criminals reminds us, cybersecurity is a journey, not a destination. The security precautions you picked back in 2019 aren’t necessarily the right ones for today, because “set-and-forget” just doesn’t work in the cybersecurity game.
- Proactively hunt for threats so you can stop adversaries before they can execute their attack. If you don’t have the time or skills in-house, look for a Managed Detection and Response (MDR) specialist to help you out. The file-scrambling part of a ransomware incident may unfold within a few hours, or even in a matter of minutes, with the criminals deliberately scheduling the coup de grace for a specific, and usually inconvenient, time of day (or night). But when our own Managed Threat Reponse (MTR) experts are called in to investigate attacks after they’ve occurred, they frequently find tell-tale signs going back days, or even weeks, that could have been used as a tip-off to close down the attack and eject the criminals in time.
- Harden your environment by searching for and closing down security gaps such as unpatched devices, unprotected computers, insecure remote access servers, and more. Cybersecurity products with Extended Detection and Response (XDR) features are ideal for this purpose, because they allow you to close the gap between your cybersecurity policy (see Tip 1) and your cybersecurity practice (see Tip 2). If you don’t search for exploitable holes in your network, you can be sure that the crooks will!
- Prepare for the worst. Know what to do if a cyberattack occurs, and whom you need to contact, especially if your local laws require formal and speedy data breach disclosures. Preparing for a cyberattack is not an admission that you expect to fail. Indeed, regular and purposeful practice can help you improve your resilience by exposing places where you haven’t followed Tip 1, Tip 2 and Tip 3 as robustly as you thought.
- Make backups, and practise restoring from them. A backup that you can’t reliably and rapidly restore doesn’t count, so you might as well not bother making backups in the first place if they aren’t going to be any use. Your goal is to get back up and running quickly, with minimum disruption, and without being forced to pay blackmail money to the crimnals.
Remember that although the Ransomware Survey 2022 reports that 2/3 of respondents were ransomware victims, more than 1/2 of them recovered without paying up, suggesting that they not only had backups handy, but were able to restore them in a timely way.
As we like to say on Sophos Naked Security:
The only backup you will ever regret is the one you didn’t make.
Time to act!
If you don’t have the experience or the time to maintain ongoing threat response by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all all the other daily demands that IT dumps on your plate.
Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response ▶
24/7 threat hunting, detection, and response ▶