What are the true costs of ransomware?
Attackers’ demands are growing along with an increase in ransomware attacks, with the average ransom coming in at a hefty $84 thousand. However, in addition to this obvious expense, companies also need to consider other hidden costs, such as productivity loss, that can result from a successful attack.
In today’s fast-evolving environments, most security professionals expect it’s only a matter of time before perimeter security is compromised. However, one solution to this seeming inevitability is to dramatically limit the impact of a successful breach with an approach that includes network segmentation. What is network segmentation’s value in a ransomware defense strategy? If implemented successfully, it can prevent ransomware from spreading beyond its landing point and successfully encrypting other assets.
The consequences of losing access to data
Increasingly, bad actors employing this kind of malware use public-key encryption techniques that are unlikely to be cracked by any recovery team. With backups often targeted, many companies may find themselves without access to critical data while they debate paying up or waiting for a response from the attackers. This can mean different things for different industries, from production lines shutting down in manufacturing, to technology companies' services suddenly becoming unavailable, to patients being unable to receive care in a healthcare setting.
In addition to disrupting operations, this can also impact the bottom line. In March 2021, CompuCom, a managed technology service provider, confirmed that it expected to lose up to $8 million in revenue due to disruption from ransomware in addition to an anticipated total spend of $20 million to completely restore services and address other issues caused by the attack.
With the average ransomware incident lasting 16.2 days, building a defense strategy that prevents lateral movement early in an attack can help an organization avoid widespread data loss, high costs and downtime if the worst should happen.
Permanent loss of data
Some organizations pay the ransom fees in full, only to never receive the means to decrypt their data. Alternatively, in rare cases, files may become corrupted during the encryption process. Months or even years of important project work or files can vanish in the wake of a successful attack. In these cases, an organization can expect to spend significant time and money to recreate or rebuild what was lost.
Companies of all sizes and in all industries are at risk of losing access to data either temporarily or permanently. Since the goal is to wreak havoc on as much of an environment as possible, the consequences and potential for data loss are widespread.
Reputation and liability
Additionally, in some cases, the inability to access encrypted assets isn’t the only issue. Some attackers may exfiltrate sensitive materials to sell or leverage them further.
Once proprietary company data is leaked or compromised, damage to a brand and loss of customer loyalty are often close behind. According to a 2020 survey, 80% of data breaches included customer PII; intellectual property was compromised in 32% of breaches; anonymized customer data was compromised in 24% of breaches.
In some cases, consumers and regulators may take additional action that increases the impact and total cost of the incident. In early 2021, patients of US Fertility (USF) sued the third-party vendor after a ransomware incident compromised healthcare, financial and other PII data.
Collateral damage of lateral movement
A ransomware campaign often begins with an initial incident. Phishing emails that compromise an employee endpoint are popular choices with attackers. However, to be successful once they have access, the goal of most attackers using ransomware is to encrypt as many assets as possible, and ideally, any backups. This action is dependent on lateral movement.
If an organization can prevent lateral movement, it can effectively limit malware propagation in its environment. Techniques for preventing unauthorized east-west activity include:
- Limiting server communications with the internet.
- Practicing ring-fencing to reduce the attack surface between applications.
- Enforcing strong protection policies for critical backups.
It’s also important to note that lateral movement between peers is a common propagation path for many strains of malware that traditional firewall rules can’t address. Teams should consider solutions that prevent this when building out a ransomware defense strategy.
Assess the risk
Planning a ransomware defense and mitigation strategy should begin long before an organization receives its first ransom note. Understanding the real-time and historical trends of a network’s communication patterns is key to deciding what may be most vulnerable. Mapping what can communicate with critical assets, data and backups will allow security teams to create informed segmentation policies that an organization can use for prevention and attack surface reduction.
By using network segmentation policies, organizations can block common ransomware propagation techniques. Using zero-trust micro-perimeters around critical applications, backups, file servers and databases, IT security teams can also create segmentation policies that restrict traffic between users, applications and devices, which will also drastically reduce the attack surface.
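The mapping and policy steps described above can be sketched as follows. This is an added example, not part of the original article or any vendor tool; the host names, zones, ports and flow records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: host -> zone. All names are hypothetical.
ZONES = {
    "ws-01": "workstation", "ws-02": "workstation",
    "app-01": "app", "db-01": "database", "bkp-01": "backup",
}
CRITICAL = {"database", "backup"}

# Constructed flow records (src, dst, dst_port), as exported from flow logs.
BASELINE = [
    ("app-01", "db-01", 5432),
    ("app-01", "bkp-01", 443),
    ("ws-01", "app-01", 443),
    ("ws-02", "app-01", 443),
]
OBSERVED = BASELINE + [
    ("ws-01", "ws-02", 445),   # workstation-to-workstation (peer) traffic
    ("ws-01", "bkp-01", 445),  # workstation reaching the backup server
]

def critical_exposure(flows):
    """Map each critical asset to the (source, port) pairs that reach it."""
    exposure = defaultdict(set)
    for src, dst, port in flows:
        if ZONES.get(dst) in CRITICAL:
            exposure[dst].add((src, port))
    return dict(exposure)

def build_allowlist(reviewed_flows):
    """Candidate policy: allow only reviewed flows, deny everything else."""
    return set(reviewed_flows)

def violations(flows, allowlist):
    """Flows the policy would block, tagged with the reason they matter."""
    out = []
    for flow in flows:
        if flow in allowlist:
            continue
        src, dst, _ = flow
        if ZONES.get(src) == ZONES.get(dst) == "workstation":
            out.append((flow, "peer-to-peer"))
        elif ZONES.get(dst) in CRITICAL:
            out.append((flow, "critical-asset"))
        else:
            out.append((flow, "unreviewed"))
    return out
```

Running `critical_exposure` on historical flows shows what currently reaches backups and databases; `violations` shows which observed flows a default-deny policy built from the reviewed baseline would stop, including the peer-to-peer path that perimeter firewall rules do not see.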