SpyCloud Report: Despite Increased Spend on Ransomware Mitigation, 90% of Companies Affected in the Last Year

Ransomware attacks continue to plague organizations of all industries and sizes, pointing to critical failures in organizations’ ransomware defense layers.

SpyCloud, the leader in account takeover and fraud prevention, released its 2022 Ransomware Defense Report, an annual analysis of how IT security leaders view the threat of ransomware and their organizations’ cyber readiness.

SpyCloud surveyed over 300 individuals in active IT security roles at US, UK and Canadian organizations with at least 500 employees. The survey revealed that despite increased investment in tools to fight ransomware, 90% were affected by ransomware in some capacity over the past 12 months, a striking uptick from last year’s 72.5%.

Respondents ranked the risk of attack through third-party vendors as the main factor driving allocation of security budgets, followed by the rise in frequency and sophistication of ransomware attacks. As a result, organizations’ ransomware mitigation solutions focus increasingly on the risk of account takeover as a precursor to this form of cyber attack. The number of organizations that implemented or plan to implement multi-factor authentication jumped 71%, from 56% the previous year to 96%. Monitoring for compromised employee credentials also increased from 44% to 73%.

As organizations strengthen their password hygiene and invest in tools like MFA, criminals have doubled down and expanded traditional tactics to circumvent their defenses. For example, deploying malware to personal devices to access corporate applications or pivoting to session hijacking using compromised cookies can allow criminals to bypass the authentication process altogether.

Marketing Technology News: ITV Studios Selects Whip Media’s Solution for Performance Tracking

These recent tactics by criminals ultimately led to no decrease in overall cyber incidents. In fact, the survey revealed organizations are not only still falling victim but are increasingly likely to be hit more than once: 50% were hit at least twice, 20.3% were hit between 6 and 10 times and 7.4% were attacked more than 10 times.

“Organizations are right to be concerned about unwitting insider threats — their cybersecurity measures are failing to close gaps that are leading to ransomware attacks,” said SpyCloud CEO and Co-founder Ted Ross. “Organizations may not be aware that undetected malware infections on personal devices represent the riskiest of those gaps. This report shows organizations are spending time and money on solutions that leave sensitive data exposed. Even if security teams retrieve their organizations’ data, once it’s circulated on the dark web, criminals can use it for more destructive activities – including their next attack.”

Malware infections are more widespread than many organizations realize. Through analysis of botnet logs recaptured this year alone, SpyCloud researchers identified over 6 million malware-infected devices with application credentials siphoned.

Cybercriminals deploy malware to steal data including credentials to workforce applications, browser fingerprints, and device or web session cookies, enabling them to impersonate an employee and access and encrypt data while bypassing MFA and other security controls.

On average, in 2022, SpyCloud researchers found 16 to 26 unique affected applications or domains per infected device, which translates to 96 to 156 million siphoned application login credentials. While wiping an infected device may prevent criminals from accessing more data, it does not remedy the exposure of the broader identity or prevent future enterprise access. Robust post-infection remediation is critical because reimaging an infected device without remediating applications leaves a wide gap in the enterprise’s security posture.

According to 87% of respondents, reports of credential-stealing malware such as RedLine Stealer have elevated their organization’s concern of unmonitored personal devices as a potential entry point for ransomware. Unmanaged devices pose a great concern because security teams are unable to monitor them for threats such as malware and third-party application exposures. As a result, cyber defenders lack visibility into their full attack surface and therefore often underestimate their malware-related risks.

“Effective ransomware prevention strategies must focus on the entry points security teams can’t see – the cloaked attack surface that includes third-party applications and unmanaged machines outside their standard monitoring purview,” said Ross. “A single malware-infected device can compromise hundreds of corporate applications. Even after the malware is removed, the damage is done unless all of those applications are properly remediated post-infection – otherwise doors remain open for ransomware and other critical threats to the enterprise.”

Marketing Technology News: MarTech Interview With Konrad Feldman, CEO at Quantcast