A November 2021 international report from cybersecurity research and marketing consultancy CyberEdge found that 68.2 percent of surveyed government organizations were compromised by one or more cyber attacks within the past 12 months. Fifty-four percent believed such an event was “more likely to occur than not” within the coming year.
A survey of 353 IT professionals at government agencies and educational institutions, provided to GovTech by data management solutions company Veeam, also found at least half of respondents suffering from cyber attacks. It reported that ransomware caused “outages” at 52 percent of public-sector organizations. That study captured responses from 28 countries between October 2021 and December 2021.
More important than the sheer number of successful attacks an organization suffers may be how much damage these attacks deal, said Minnesota CISO Rohit Tandon.
Strong cyber protections enable an organization to limit the impacts of incidents. Layered defenses, for example, mean that if a cyber attack breaches one security measure, others may still mitigate it.
“While we all might be experiencing the attack — or many might be … it’s about how we respond to that. An organization with a mature cyber program can quickly respond and contain the attack to minimize loss of data or maintain visibility of critical technology services,” Tandon told GovTech.
THE RANSOMWARE SCENE
Ransomware continues to strike all sectors, with CyberEdge finding that 71 percent of the organizations it surveyed had fallen to such an attack within the past 12 months — a 2.5 percent uptick over the prior year. Government agencies were hit at a lower rate than other sectors, with 45.8 percent impacted.
Many victims also reported paying ransom and getting their data back. CyberEdge said this may reflect criminals’ desire to follow through on their promises to encourage cooperation from future victims, helping ensure the attacks remain profitable. This is a growing trend: 2019 saw 45 percent of ransomware victims paying, a figure that jumped up to 62.9 percent in 2022. Similarly, 61.2 percent of 2019 targets recovered their data, as did 72.2 percent of 2022 victims.
But full data recovery isn’t assured.
Even when cyber criminals give data back, there’s no guarantee that all of it remains usable.
“Some data is corrupted or too damaged in the locking process to be able to restore,” Tandon said. “There is likely going to be some loss of data even if the ransom is paid.”
There’s also no guarantee that decryption keys will work, said Cybersecurity and Infrastructure Security Agency (CISA) former director Chris Krebs during a recent e.Republic* webinar.
Public-sector agencies were able to recover an average of 60 percent of their data following a ransomware attack, according to Veeam. A larger, cross-sector survey from Veeam questioned 1,376 organizations and found that they could recover 64 percent of their data on average after such an attack.
These kinds of risks offer additional motivations for organizations to focus on hardening defenses and preparing to restore systems on their own. Tandon advised frequently testing data backup and recovery approaches.
IT teams may need to realign their backup and data protection strategies, too, with Veeam finding that 90 percent of government and education respondents reported a mismatch between how much data these organizations “can afford to lose after an outage” and how often they backed it up.
Sixty percent of public-sector respondents said that they could endure losing an “hour or less” worth of “high priority” data and 54 percent cited a similar data loss tolerance for “normal” data.
SHIFTING TRENDS?
CyberEdge’s report sounded a note of hope in the ransomware scene — although one that cyber experts may not be echoing yet.
“The ransomware industry may have peaked, or at least be approaching its peak,” as governments and law enforcement train more efforts on combatting, disrupting and defending against it, CyberEdge’s report states. “We think there is good reason to believe that the growth curve of the ransomware industry will start to turn down in 2022, or at least 2023.”
2021 and 2022 have seen new efforts to push back on the crime, including states seeking to ban ransomware payments, new ransomware and incident reporting requirements signed into law, and the FBI reclaiming much of the extortion paid by Colonial Pipeline.
Russia, a major safe haven for ransomware actors, also arrested members of the REvil group in January 2022, CyberEdge notes. But some doubted the impact: the arrests may have been Russia’s way of warning other countries that it can control the skilled hackers within its borders, including to suppress or mobilize them, said Stanford University’s Center for International Security and Cooperation senior research scholar Herb Lin during a February 2022 Aspen Institute panel.
Currently, at least, hackers seem to continue to find profit in ransomware as victims continue to pay, Krebs said during the webinar. Cyber extortion has served as a valuable moneymaking approach for countries facing difficulties raising funds legally, and recent economic sanctions against Russia might prompt more to resort to the method.
“In North Korea, they funded their entire nuclear program using cyber crime,” Krebs said. “Depending on how long these sanctions continue to hit Russia, and even in Belarus, you may see more and more actors have to resort to cyber crime.”
One way of assessing trends is to look to cyber insurance providers, which price their premiums based on data from their impacted customers, Tandon said. So far, insurers do not seem to be betting on a ransomware reduction.
“If we look at cyber insurance providers, they continue to see a significant rise in ransomware claims and, as a result, they’ve increased premiums and are reducing coverage limits for ransomware as part of the cyber insurance portfolio,” Tandon said. “[Such] proxy indicators kind of give you a sense that the trend hasn’t stopped yet.”
Turning the tide requires continuing to press forward on a variety of angles, Tandon said. That includes increased efforts to eliminate safe havens out of which ransomware perpetrators can operate. Further government efforts to disrupt extortion payments made through cryptocurrency will also reduce the crime’s profitability, and public and private organizations need to continue to bolster their defenses to present fewer opportunities for victimization.
Tandon said he sees “progress” on all three fronts and that efforts like cyber hygiene advice and threat intelligence sharing from ISACs are helping boost collective cyber awareness.
PERSISTENT CHALLENGES
As agencies look to improve their security against cyber threats, similar challenges rear their heads: end-user training and workforce shortages.
Veeam’s cross-sector survey found that, in 42 percent of instances, ransomware attackers got access to organizations after users made mistakes like clicking on malicious links. This puts a spotlight on efforts like cyber awareness campaigns.
Nearly 82 percent of 49 government respondents reported a shortage of IT security talent, per CyberEdge. The firm also said that workforce shortfalls can constrain an IT team’s ability to adopt new technologies, because they may lack the people to implement them.
Ben Miller contributed to this report.
*e.Republic is the parent company of Government Technology.
