Despite urgings from the RCMP and the Canadian Anti-Fraud Centre to not give in to ransomware, Canadian organizations seem more likely to surrender to blackmail than those in three other countries surveyed, a report released today suggests.
The survey, paid for by security vendor Malwarebytes, showed 75 per cent of the Canadian respondents who said their organizations were hit during the 12 months ending in June paid ransoms to get their computers unlocked. By comparison only three per cent of U.S. victim organizations paid, 22 per cent in Germany and 58 per cent in the U.K.
“That means most likely they (the Canadians) did not have backups, or the backups were too old” to use, Jerome Segura, a British Columbia-based principal security analyst for Malwarebytes said in an interview on the results.
“The organizations surveyed were not prepared to deal with this kind of business disruption.”
Interestingly, the report adds, respondents in all countries said paying up didn’t always mean getting back control of locked files. In fact Canadian organizations were the most likely to pay ransomware demands and the most likely to lose files if they chose not to pay. “The relative proportion in Canada that lost files is a bit perplexing,” says the report, but it notes that most backups are typically performed overnight so data can be lost depending on the time of a ransomware exploit.
At the very least, the report notes, organizations that choose not to pay ransomware can count on losing at least some files even if they do backups.
(And for those of you who think there’s honor among thieves, last week a managed security services provider called NTT Security released a threat report with a second on ransomware that noted in May a Kansas hospital paid a ransom but didn’t get decryption keys.
That report notes that among its clients healthcare is overwhelmingly the industry most victimized, Hospitals are targeted, Solutionary speculates, because they are more willing to pay to get control back of vital patient records.)
The most recent publicly-known example of a Canadian organization being victimized by ransomware is the University of Calgary, which paid the equivalent of $20,000 in Bitcoin to buy encryption keys in June after some of its systems were attacked.
The Malwarebytes survey also found that of those Canadian organizations victimized, 25 per cent temporarily couldn’t do business, and 43 per cent lost revenue. Eleven per cent agreed “lives were at stake” as a result of the attack. Segura suspects these might have been health care facilities.
The report also suggests Canadians have a false sense of security about ransomware, perhaps because it is seen here less than in other countries (see below). Of those surveyed here 51 per cent said they were fairly confident in their ability to stop ransomware, with another 16 per cent very confident. That’s a total of 67 per cent. By comparison only 37 per cent of respondents in the U.S. were very or fairly confident, 66 per cent in Germany and 58 per cent in the United Kingdom.
And there’s a warning to those who think cleaning up after a ransomware attack will be easy: The proportion of Canadian organisations that spent more than 100 hours on dealing with ransomware cleanup was the highest among the four countries surveyed. On average 36 per cent of all those who had been victimized said their firms spent between nine and 16 hours on remediation, while 25 per cent said their organizations spent up to 24 hours.
Resuslts of the Malwarebytes survey, conducted by Osterman Research, have to be taken cautiously because of the 540 respondents, which included CIOs, IT managers/director, CISOs or those in related roles, only 125 were from Canadian organizations. Ottawa says there are 1.17 million businesses in the country, 21,415 of which are medium sized, while another 2,930 are large (more than 500 employees).
As other research has reported, the Malwarebytes survey suggests other countries are hit by ransomware more than Canada – in this case 54 per cent of U.K. respondents said their organizations were victimized, 47 per cent of American and 35 per cent of Canadian respondents. (Don’t take that to mean ransomware is worse in Britain, the report adds. The sample population may have skewed the results, it says, as well as the fact that there was a higher proportion of financial services and related firms in the United Kingdom sample.
In another interesting finding by Malwarebytes, Canadian organizations were the most likely among those surveyed to find that ransomware had entered their organization through a smartphone or tablet. The average for the four countries surveyed was desktop computers (59 per cent), unknown source (16 per cent), laptop (14 per cent), server ( seven per cent) and smart phone or tablet (five per cent.)
In its report NTT Security reminds CISOs that using a combination of full and differential or incremental backup solutions is crucial to meet the challenge of ransomware. And since ransomware targets shared drives, backups should be stored both off-site (at least offline) and locally, providing minimal recovery time objective if possible.
Also, it is vital to to test backup solutions and ensure they are planned and executed consistently, the company adds.
That goes along with employee awareness training and up to date endpoint anti-virus/malware for detection.