In this paper we show how ransomware attacks can be a threat to organisations. We analyse a novel dataset of ransomware victim companies and extract statistics about ransom demands and payments, sector, country of origin and business.
We also show which controls would be best for each company using the CIS Top 20 control taxonomy as an indicator. On the ransomware side, we distil a ranking of the most pervasive ransomware variants in terms of both frequency and ransom payments.
The research is intended to support Chief Information Security Officers (CISOs), Chief Research Officers (CROs), and Risk Managers in assessing and managing the threats posed by ransomware.
Overview
The Cambridge Centre for Risk Studies and Kivu Consulting formed a partnership in early 2021 to address a gap in cyber security controls research. We have compiled a novel dataset to pioneer an academic study with real-world event data in terms of the ransom demand, payment, effective control strategies and company attributes. The analysis highlights how ransomware attacks can be a threat to private business. The originality of the dataset is in offering an aggregate view of 423 attacks carried out on 416 organisations that entered an incident response phase.
In this paper, we show statistics for ransom attacks that were able to at least partially penetrate or compromise relevant networks and thus triggered the use of a ransomware negotiation and recovery service. These events are then connected to those CIS Top 20 controls that were identified as most likely to have prevented and/or limited the impact of the specific event. This connection of an individual ransom event back to the top three preventative controls was completed by incident response analysts with direct experience of the event.
Key takeaways
- Industrials is the most impacted sector in the dataset, driven by a large number of events targeting capital goods manufacturing firms and professional services firms such as architects and lawyers.
- The originality of the dataset is in offering an aggregate, real-world view of 423 attacks carried out on 416 organisations.
- Eighty-four per cent of the ransom events occurred in the Americas.
- For 72% of the events in the Aggregate Dataset a ransom was paid, while in 28% a ransom was not paid.
- Eighty-seven per cent of the ransomware variants accept negotiation on their pricing, with RaaS group structures making up 42% of the event landscape.
- Control 8 (Malware Defenses), Control 4 (Controlled Use of Administrative Privileges) and Control 6 (Maintenance, Monitoring and Analysis of Audit Logs) are the best combination for reducing the frequency of events, while Control 19 (Incident Response and Management), Control 3 (Continuous Vulnerability Management) and Control 6 have the highest cost savings potential.