
4 Ransomware Stats For Planning – Ep 362

July 1, 2022

By Donna Grindle

Ransomware tactics are constantly changing. Understanding that the protections we use today will not be enough down the road is key. We must constantly adjust and adapt our security protections to defend against these attacks. Today, we are going to discuss ransomware stats and key points from two recent reports that can help you create a response plan for ransomware attacks.


Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.

HIPAA Say What!?!

[01:47] Windows 8 EOL date is Jan 10, 2023. So, now is the time to start looking at your inventory to see whether you have any Windows 8 machines and make a plan to replace or upgrade them. Oh and by the way, quietly passing away recently was Internet Explorer. Are you still using that browser or do you have applications that require Internet Explorer? It’s dead now so you need to figure that out.

HIPAA does require that you have procedures for guarding against, detecting, and reporting malicious software, and unpatched vulnerabilities in end-of-life software would prevent you from guarding against those attacks.

eCFR :: 45 CFR Part 164 Subpart C — Security Standards for the Protection of Electronic Protected Health Information

Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

405(d) Tip of the Week

[04:03] Practice #9: Medical Device Security is one area that is often overlooked when discussing security controls. While the practice specifically mentions medical devices, it is best to look at all connected devices that aren’t computers or mobile devices. We need to make sure someone is paying attention to every device that is connected, such as copiers, printers and scanners as well as digital assistants (like Alexa), even if there are no medical devices on the network.

Medical devices are in their own class, though. Most of them must be managed carefully by specialists, not general IT professionals. Most MSPs, and even IT professionals, will say “I don’t touch those devices.” For years, they didn’t get any attention, but as time has gone by, we are seeing more and more opportunities for them to be the source of an attack or to be used as the core element of one.

For Organizations of All Sizes:

  • Establish Endpoint Protection Controls. As with other endpoints, medical devices should follow similar protocols such as installing local firewalls, providing routine patching, network segmentation, and changing default passwords.
  • Implement Identity and Access Management Policies. Just like endpoints, medical device security should include authentication measures and remote access controls such as multifactor authentication.
  • Institute Asset Management procedures. It is important to follow your asset management procedures for medical devices just as you would for endpoints. Keep an updated inventory and record of software updates to ensure your devices are accounted for and are up to date.
  • Create a Vulnerability Management Program that can consume Medical Device Management disclosures and always respond accordingly when they are received.
  • Add security terms to Medical Device Management contracts that enable you to hold device manufacturers accountable.

4 Ransomware Stats for Planning

[11:24] Imagine getting a notice that all of the MRI devices in a network of freestanding MRI clinics have been potentially altered. You don’t know which ones nor what specifically has been altered, but the ransomware gang can show some sort of proof of concept by displaying something on a screen somewhere.

Ransomware tactics continue to change and evolve. The better we get at blocking or preparing for them the better they get at attacking and using new methods for extracting money.

Two reports from sources we always follow provide some points we should all understand when doing our planning and implementations. Policies like your incident response plan (see last week’s Practice #8) especially depend on you monitoring this kind of information.

So, here are some top points from two reports we’ve been looking at recently that we are including in our planning and discussions with clients.

Palo Alto 2022 Unit 42 Ransomware Threat Report

To generate their report, Unit 42 drew on actual cases they consulted on as well as details from leak sites, underground forums and other sources, giving a view inside the guts of ransomware trends.

Sophos The State of Ransomware 2022

They did a global review, but we are going to discuss just the US summary that comes from an independent, vendor-agnostic survey of 500 IT professionals in mid-sized organizations.

1-Methods

[15:05] The Unit42 report really understands what is happening out there because they are in the middle of so many different cases. Right up front, they discuss the increasing sophistication of the attackers’ methods, such as:

  • Multi-extortion techniques where attackers not only encrypt the files
  • Extremely prolific ransomware-as-a-service (RaaS) business models, which offer “startup kits” and “support services” to would-be cybercriminals.
  • Rapid weaponization of vulnerabilities.

Their ability to adjust and adapt quickly shows in how they went from just encryption, then to threatening leaks, and now to adding the threat of DDoS attacks on your networks to get you to the negotiation table. That means your plan needs to cover dealing with one of those attacks at the same time you are recovering from ransomware encryption, because by now you have backups and plans to restore from them.

When everyone started having backups, the ransomware gangs started attacking the backups. Now, those are secured better and offline so they added leaks. Now, they will just make it impossible to get back up and running until we have a solution to address DDoS quickly. You see a pattern here?

Good news on the leaks though! Healthcare was not the number 1 industry on the leak sites. It was number 4, behind Professional and Legal Services (first), Construction (second) and Wholesale and Retail (third). None of the top 3 industries have had regulations that required them to be secure, nor have they been regular targets until now. It won’t be long before they improve and some other industries move to the top.

In the Unit42 discussion about methods, the following quote really stands out. What you did last year won’t protect you today, and, guess what, their point below says the same about next year.

Given the amount of valuable data in the cloud, it is only a matter of time before we see ransomware groups target cloud environments. However, to launch ransomware attacks in cloud environments, threat actors will likely use new TTPs, which means organizations will need to be prepared to adjust their defensive approaches in turn.

2-Costs

[25:46] When it comes to costs for the ransoms themselves, they keep rising – both the demands and the payments actually made. The average initial demand for 2021 represents about a 144% increase over the average demand Unit42 saw in 2020. The average payment in cases worked by Unit 42 consultants was also 78% higher than the previous year.

One good news point on those huge up-front demands: they will usually negotiate down from the initial ransom demand to a significantly lower number. Unit42 included translations of the negotiation conversations from one of the Conti ransomware group cases. We found them pretty interesting.

______________

More on the Sophos numbers for U.S. organizations. According to their survey, those that paid the ransom got back 59% of their data on average, versus 61% restored by those that paid the ransom globally.

The survey included 87 respondents from the U.S. that paid the ransom and shared the exact amount they paid. The average payment in the U.S. was around $130,000. Only 23% paid between $100,000 and $500,000, while 10% paid more than $500,000. The global numbers were much higher, with the average coming in over $800k.

3-Recovery

[32:09] The average bill incurred by U.S. organizations to recover from a ransomware attack in 2021 was $1.08M. The good news is that is a considerable decrease from the $2.09M from 2020.

We found this one stat sort of odd: only 89% said the ransomware attack impacted their ability to operate. Maybe the rest just tossed out the encrypted devices and kept going?

U.S. organizations took, on average, one month to recover from the attack. For those of you that think you will be back up and running in an hour after an attack, you are probably missing some of the recovery requirements and things like forensics investigations and breach notification evaluations.

4-Cyber Coverage

[34:29] 78% of U.S. organizations have cyber insurance that covers them if hit by ransomware. Globally this figure stands at 83%.

The cyber insurance paid out in 96% of U.S. ransomware claims. The coverage for different elements of the attack costs did vary, but one thing was very clear. After they had the attack it wasn’t so easy to just count on that insurance to be there the next time.

93% reported that it got harder to get cyber insurance cover in the last year. 52% say the level of cybersecurity controls their business needed to qualify for insurance was higher in the last year. 44% say cybersecurity policies are more complex, 33% say the process takes longer and 37% report it is more expensive. We know from experience that the renewals that went out at the end of the year were much higher than the ones at the beginning of 2021. Some folks may be getting much longer applications and higher fees than they saw last year.

Don’t just keep doing what you are doing today. Either you are way behind or you need to keep up. Make sure you have people who worry about these trends and help you prepare for them as things change. Your protections and incident response plans need to be updated along with your ability to maintain operations while you recover from a potential attack. Hopefully, you won’t need them at all, but without them, you will likely be in real trouble in the coming months.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
