Broader investment in cybersecurity beginning to pay dividends

Improved defenses give organizations more room to negotiate but won't protect from lawsuits, says law firm

An increased willingness on the part of enterprises to invest in cybersecurity may finally be starting to make a difference, according to US law giant BakerHostetler.

While ransomware was involved in 37 percent of the 1,270 incidents the firm handled during 2021, up 10 percent on 2020, today's Data Security Incident Response Report [PDF] suggests that growing uptake of mitigations such as multifactor authentication (MFA) and tested backups is driving the price of ransoms down.

"Of the ransomware matters we helped manage in 2021, the average ransom demand paid was around $511,957, roughly two-thirds the average amount paid in 2020," the report said.

The firm noted that the median time between demand and payment had lengthened from five days in 2020 to eight in 2021. "This is likely a driving factor in the decrease in the average ransom demand paid," according to the report.

"More organizations have invested in improving their data backup capabilities and are able to continue at least partial operations after a ransomware incident, which puts them in a better position to negotiate for a longer period of time and reach a greater discount for the ransom demand, if the need to pay arises," the firm claimed.

"Also, if a decryptor tool is not needed and an organization is only paying to prevent further disclosure of their data, they can often take more time to negotiate the demand, which can lead to a deeper discount."

The numbers are stark. BakerHostetler said that the largest ransom demand made to a client in 2021 was more than $60 million, compared to $65 million the year before. But the largest ransom paid out was just $5.5 million.

The report also put the average time from demand to payment at 11.1 days (9.8 days for payments over $1 million and 13 days for payments between $200,000 and $1 million), and the average time from encryption to restoration at 12.2 days.

The broader embrace of cybersecurity tools and measures means companies have also become more capable of identifying breaches. BakerHostetler adds that the median number of days between intrusion and detection in 2021 was nearly half what it was in 2020.

"Organizations are detecting intrusions more quickly and many threat actors are no longer lingering in systems before accomplishing their objectives. Criminals don't want to be detected and kicked out, so they are shortening their own dwell times.

"Additionally, the notification timeline is trending down due in part because threat actors are more quickly providing information about the data they stole. This then informs the forensic investigation, which can focus on the systems from which the data came, giving a better and earlier understanding about the data involved, thus enabling earlier notification timelines."

This also applied to thwarting fraudulent fund transfers via phished email addresses. "Our clients were able to identify fraudulent fund schemes before transferring funds more frequently in 2021 than in 2020. In fact, in 2021, 40 percent of clients identified fraudulent fund transfer schemes before any loss of funds, as compared to just 30 percent in 2020.

"This trend likely results from more employee education and training on direct deposit, wire transfer, and ACH payment protocols, and on identifying potential fraudulent fund transfer schemes before losses occur."

However, the law firm noted that although organizations are improving their response to security incidents, this did not protect them from the risk of legal action from clients.

From 23 incidents BakerHostetler handled, more than 58 lawsuits were filed. Breaking that down, eight incidents drew more than one (but fewer than five) lawsuits each, four incidents drew five or more, and 43 of the suits were filed against healthcare organizations.

Official advice in the Anglosphere is not to cave to ransomware demands, because paying only affirms the attack method as a viable business model for criminals. However, if the report's conclusions hold, investing in security and training is having a similar, if subtler, effect.

You can read The Reg's special feature on what to do when you're hit by ransomware – including advice on your interaction with insurers and cyberexperts you might hire afterwards – here; our special on corporate ransomware-as-a-service gangs here; and our conversation with an ex-cop who works as a ransomware negotiator here. ®


Biting the hand that feeds IT © 1998–2022