The latest data from the ransomware remediation firm Coveware shows that the number of ransomware victims choosing to pay the ransom has fallen to a record low. At the start of 2019, 85% of ransomware victims paid a ransom following an attack; by the middle of 2021 the percentage had fallen to 46%, and in Q4, 2023, only 29% of victims paid the ransom. In 2019, ransomware groups started engaging in double extortion tactics, where access is gained to victims’ networks and data is exfiltrated before file encryption. Ransom payments are demanded both to obtain the keys to decrypt files and to prevent stolen data from being leaked or sold. For many victims, the main reason for paying the ransom was to prevent a data leak rather than to obtain the decryption keys. Coveware reports that in ransomware attacks involving data theft, only 26% of victims paid the ransom in Q3, 2023.
There are many reasons behind the steady decline in ransom payments. One of the main factors is better preparedness, such as ensuring that a backup is made of all sensitive data and the backup is stored securely in an air-gapped system where it cannot be encrypted in an attack. In attacks where there is data theft, paying the ransom could prevent a data leak or the sale of the data; however, ransomware groups are not trusted to delete the stolen data. There have been attacks where payment of the ransom has not prevented a data leak, and paying up has led to further extortion attempts and attacks. There has also been a law enforcement crackdown and in some regions, paying a ransom is now illegal.
Prohibiting ransomware payments is one of the measures being considered by governments to curb attacks. If paying a ransom to a ransomware group is prohibited, ransomware groups would, in theory, stop conducting attacks in that country. Coveware suggests the reality would be different. The attacks would likely continue and companies would stop reporting attacks and seeking assistance from law enforcement. It would become much harder to track ransomware attacks and law enforcement investigations of ransomware groups would be severely hampered. All the good work by law enforcement to encourage victims to report attacks would be undone and as soon as a ban is implemented, a large illegal market would be created.
In the United States, several states have imposed partial bans on ransom payments, such as prohibiting state agencies and organizations from paying ransoms, yet these bans do not appear to be having the desired effect, as ransomware attacks in those states have not reduced. Coveware believes that banning ransom payments amounts to capitulation. “A ban would signal that as a country, we are admitting that we are incapable of defending ourselves. That we are helpless against the threat of cyber extortion.”
Coveware’s data shows the efforts made by companies to prepare for ransomware attacks have paid off. Enterprises are no longer being crippled by file encryption and can recover their data without paying the ransom, and the efforts of law enforcement to disrupt and dismantle ransomware groups have produced meaningful results. “This fight will not be won overnight. It will take years, but the fight IS winnable,” said Coveware.
With revenues from ransomware attacks falling, ransomware groups need to conduct more attacks or increase their ransom demands, but Coveware’s data shows that ransom payments have fallen. In Q4, 2023, the average ransom payment was $568,705, down 33% from Q3, 2023. The median payment in Q4, 2023 was unchanged from the previous quarter and remained at $200,000.
In Q3, 2023, there was little change in the most active ransomware groups, with Akira retaining the top spot with 17% of attacks, followed by Blackcat with 10%, LockBit with 8%, and Play Ransomware with 6%; however, there has been an increase in activity by smaller ransomware groups and non-affiliated lone wolf actors. In around one-third of attacks, the method used to gain initial access to victims’ networks was unknown. Of the remaining attacks, RDP compromise was the most common initial access vector and has been increasing since Q3, 2022. Email phishing was the second most common initial access vector, although its popularity declined over the same period. The exploitation of software vulnerabilities was the third most common initial access vector, with the Cisco ASA vulnerability (CVE-2023-20269) one of the most commonly exploited vulnerabilities.
Between Q2, 2022, and Q2, 2023, ransomware gangs favored attacks on large companies, but the average size of victim companies has been falling, with medium-sized companies seen as the sweet spot. Attacks are easier to conduct because investment in cybersecurity is lower than at large firms, and mid-sized companies have sufficiently large revenues to justify large ransom demands. In Q4, 2023, the average size of a victim company was 231 employees, down 32% from Q3, 2023. In Q4, 2023, 22.2% of attacks were on companies in the professional services sector, with healthcare the second most attacked industry with 16% of attacks, followed by the public sector with 11.1% of attacks.
The post 71% of Ransomware Attack Victims Refuse to Pay the Ransom appeared first on HIPAA Journal.