Driving lesson

Investing in cybersecurity reduces ransomware demands • The Register

Increased corporate willingness to invest in cybersecurity could finally start to make a difference, according to US legal giant BakerHostetler.

While ransomware was involved in 37% of the 1,270 incidents the company handled in 2021, up 10% from 2020, today’s Data Security Incident Response Report [PDF] suggests that the increasing adoption of mitigation techniques such as multi-factor authentication (MFA) and safeguards is driving down the price of ransoms.

“Among the ransomware issues we helped handle in 2021, the average ransom demand paid was approximately $511,957, or about two-thirds of the average amount paid in 2020,” the report said.

The company noted that the median time from request to payment has dropped from five days in 2020 to eight. “This is likely a driving factor in the decrease in the average ransom demand paid,” according to the report.

“More organizations have invested in improving their data backup capabilities and are able to continue at least partial operations after a ransomware incident, putting them in a better position to negotiate for a longer period. and get a bigger discount for the ransom demand, if the need to pay arises,” the company said.

“Additionally, if a decryption tool is not required and an organization is only paying to prevent further disclosure of their data, they can often take longer to negotiate the request, which can result in a higher discount. important.”

The numbers are raw. BakerHostetler said the largest ransom demand made against a customer in 2021 was over $60 million, up from $65 million the previous year. But the largest ransom paid was only $5.5 million.

The report also highlighted an average time from request to payment of 11.1 days, 9.8 for payments over $1 million, 13 for payments between $200,000 and $1 million, and 12 .2 days between encryption and restoration.

Wider adoption of cybersecurity tools and measures means companies have also become more capable of identifying breaches. BakerHostetler adds that the median number of days between intrusion and detection in 2021 was almost half of what it was in 2020.

“Organizations detect intrusions faster, and many threat actors no longer linger in systems until they’ve achieved their goals. Criminals don’t want to be detected and kicked out, so they shorten their own dwell time.

“Additionally, notification time tends to drop in part because threat actors provide information more quickly about the data they have stolen. This then informs forensic investigation, which can focus on the systems where the data comes from, giving a better and earlier understanding of the data involved, thus enabling earlier reporting times.”

This also applied to the fight against fraudulent funds transfers via phishing email addresses. “Our customers were able to identify fraudulent funds transfer schemes before transferring funds more frequently in 2021 than in 2020. In fact, in 2021, 40% of customers identified fraudulent funds transfer schemes before any funds were lost, against only 30% in 2020. .

Confessions of a ransomware negotiator: Well, someone needs to talk to the criminals who are holding data hostage


“This trend is likely the result of increased employee education and training on direct deposit, wire transfer and ACH payment protocols, and identifying potential fraudulent funds transfer schemes before losses occur. occur.”

However, the law firm noted that while organizations are improving their response to security incidents, this does not protect them from the risk of legal action from customers.

Of 23 incidents handled by BakerHostetler, more than 58 lawsuits were filed. Breaking this down, eight incidents had more than one (but less than five) lawsuits, four incidents had five or more, and 43 lawsuits were against a healthcare organization.

The official advice in the Anglosphere is not to give in to ransomware demands as this only serves to assert the attack method as a viable business model for criminals. However, according to the report’s findings, investing in safety and training has a similar, albeit subtle, effect.

You can read The Reg‘s special article on what to do when you’re hit by ransomware – including advice on your interaction with insurers and cyber experts you might hire later – here; our Special on Ransomware Gangs as an Enterprise Service here; and our conversation with an ex-cop who works here as a ransomware negotiator. ®