Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organizations to pay the ransom demand under the assumption it will return business operations to normal–ultimately encouraging more attacks–and we have a big problem with no easy remedies.
Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business where we revealed the various costs that organizations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out to us in our study:
- Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
- More than half (53%) of organizations suffered damage to their brand and reputation after a ransomware infection
- A third of those who fell to ransomware lost C-level talent in the attack’s aftermath
- Three in 10 organizations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident
- A quarter of ransomware victims said that they needed to suspend operations
These losses are due not only to an increase in the volume of ransomware attacks, but also to the growing sophistication of some ransomware operators in general. Gone are the days when most ransomware actors used “spray and pray” tactics to target single victims with small ransom demands after tricking them into clicking on a malicious link or opening a weaponized document.
These more sophisticated ransomware operations, or RansomOps, are highly targeted, complex attacks that are more akin to an APT operation where an attacker wants to get access to as much of the network as possible before detonating the ransomware payload. They do this to maximize the effect of their attack—and to demand higher ransom demands.
Cybereason more recently published a white paper on the subject titled RansomOps: Inside Complex RansomOps and the Ransomware Economy, where we documented how ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting largely nuisance attacks to a highly complex business model that is extremely efficient and specialized with an increasing level of innovation and technical sophistication.
The paper examined how ransomware operators are moving away from high-volume attacks with low ransom demands in favor of more focused, custom attacks aimed at individual organizations selected for the ability to pay multi-million dollar ransom demands.
Ransomeware Impact On Stocks Fleeting
After reviewing the damages discussed above, one might be inclined to think that a successful RansomOp would affect the average victim organization’s stock prices over the long term. But that’s actually not the case–not according to several studies that have examined this issue.
Back in September 2021, for instance, Comparitech released its analysis revealing that a ransomware victim’s shares fell 22.9% in the 24 hours after publicly disclosing a ransomware attack, but that dip didn’t last long. The study observed that share prices recovered almost immediately the following day and in most cases even performed better ten days after the attack. Fast forward to six months after the attack, and the average share price was actually 11.9% higher than it was before the ransomware attack.
A similar story emerged in a study announced by Magnify Money in October 2021. For that analysis, researchers examined trade volume across ten publicly traded companies that announced a ransomware attack between 2018 and 2021. The researchers observed that trade volume increased by an average of 118% on the day of the ransomware announcement for those companies. Three companies witnessed even greater growth in trading volume, with one seeing activity jump 733%.
As for the stock prices themselves, victims on average experienced a drop of just 3% on the day that they announced the attacks. But just a week later, prices rebounded to an average change of only 1%, which signifies that the ransomware attacks didn’t meaningfully undermine victims’ trading volume or their stock prices over time.
An Important Caveat
Ransomware attacks might not directly weaken an organizations’ performance in financial markets, but that’s not to say that ransomware actors aren’t potentially weakening that standing in other ways. Indeed, some ransomware gangs are using double extortion tactics in which they threaten to provide a victim’s stolen data to competitors or investors to short their stock.
This tactic highlights the extent to which ransomware defense needs to change. There’s too much focus on the tail end of the attacks—namely, the ransomware payload—while there’s very little attention paid to the weeks/months of potentially detectable activity on the network that comes first.
Organizations need to develop the capacity to detect the initial ingress, lateral movement, compromise of user credentials, privilege escalation, command and control, data exfiltration, and other key indicators of a RansomOps attack in process if they are to end the attack before the ransomware payload disrupts operations. They need to be able to detect the earliest stages of the attack and/or at multiple stages of the kill chain to prevent the theft of their data so it cannot be leveraged for double extortion.
Defending Against RansomOps
The only way organizations can successfully defend against RansomOps is to be able to detect them early and end them before any data exfiltration or encryption of critical files and systems can take place. Clearly, there is a lot more to detect when it comes to ransomware attacks than just when the final malware payload displays its ransom note.
The issue is that organizations can’t necessarily achieve visibility over the early stages of a highly-targeted RansomOps attack using backwards-looking Indicators of Compromise (IOCs) derived from attacks in other environments, as the tools and techniques are likely unique to the individual target environment.
Hence the need for organizations to embrace an operation-centric approach which enables organizations to understand the attack from root cause and across every single affected device and account. It does so by drawing on both IOCs and Indicators of Behavior (IOBs), subtle signs of compromise that help to identify potential security incidents based upon chaining of behaviors that produce circumstances that are either extremely rare or present a distinct advantage to an attacker–even when those behaviors in isolation are common or expected in the network environment.
IOBs can thus provide insight into attack chains that are novel or have never been detected previously. Organizations need the visibility afforded by tracking both IOCs and IOBs if they are to successfully defend against a RansomOps attack.
The application of AI is not a silver bullet, and for the foreseeable future, there will undoubtedly need to be a blend of humans and AI working together. Still, AI will enhance the efficiency of every member of the security team and amplify the efficacy of the entire security stack.
Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven EDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.