SpyCloud Report: Despite Increased Spend on Ransomware Mitigation, 90% of Companies Affected in the Last Year

SpyCloud, the leader in account takeover and fraud prevention, today released its 2022 Ransomware Defense Report, an annual analysis of how IT security leaders view the threat of ransomware and their organizations' cyber readiness.

SpyCloud surveyed over 300 individuals in active IT security roles at US, UK and Canadian organizations with at least 500 employees. The survey revealed that despite increased investment in tools to fight ransomware, 90% were affected by ransomware in some capacity over the past 12 months, a striking uptick from last year's 72.5%.

Respondents ranked the risk of attack through third-party vendors as the main factor driving allocation of security budgets, followed by the rise in frequency and sophistication of ransomware attacks. As a result, organizations' ransomware mitigation solutions focus increasingly on the risk of account takeover as a precursor to this form of cyber attack. The number of organizations that implemented or plan to implement multi-factor authentication jumped 71%, from 56% the previous year to 96%. Monitoring for compromised employee credentials also increased from 44% to 73%.

As organizations strengthen their password hygiene and invest in tools like MFA, criminals have doubled down and expanded traditional tactics to circumvent their defenses. For example, deploying malware to personal devices to access corporate applications or pivoting to session hijacking using compromised cookies can allow criminals to bypass the authentication process altogether.

These recent tactics by criminals ultimately led to no decrease in overall cyber incidents. In fact, the survey revealed organizations are not only still falling victim but are increasingly likely to be hit more than once: 50% were hit at least twice, 20.3% were hit between 6 and 10 times and 7.4% were attacked more than 10 times.

"Organizations are right to be concerned about unwitting insider threats ? their cybersecurity measures are failing to close gaps that are leading to ransomware attacks," said SpyCloud CEO and Co-founder Ted Ross. "Organizations may not be aware that undetected malware infections on personal devices represent the riskiest of those gaps. This report shows organizations are spending time and money on solutions that leave sensitive data exposed. Even if security teams retrieve their organizations' data, once it's circulated on the dark web, criminals can use it for more destructive activities ? including their next attack."

Malware infections are more widespread than many organizations realize. Through analysis of botnet logs recaptured this year alone, SpyCloud researchers identified over 6 million malware-infected devices with application credentials siphoned.

Cybercriminals deploy malware to steal data including credentials to workforce applications, browser fingerprints, and device or web session cookies, enabling them to impersonate an employee and access and encrypt data while bypassing MFA and other security controls.

On average, in 2022, SpyCloud researchers found 16 to 26 unique affected applications or domains per infected device, which translates to 96 to 156 million siphoned application login credentials. While wiping an infected device may prevent criminals from accessing more data, it does not remedy the exposure of the broader identity or prevent future enterprise access. Robust post-infection remediation is critical because reimaging an infected device without remediating applications leaves a wide gap in the enterprise's security posture.

According to 87% of respondents, reports of credential-stealing malware such as RedLine Stealer have elevated their organization's concern of unmonitored personal devices as a potential entry point for ransomware. Unmanaged devices pose a great concern because security teams are unable to monitor them for threats such as malware and third-party application exposures. As a result, cyber defenders lack visibility into their full attack surface and therefore often underestimate their malware-related risks.

"Effective ransomware prevention strategies must focus on the entry points security teams can't see ? the cloaked attack surface that includes third-party applications and unmanaged machines outside their standard monitoring purview," said Ross. "A single malware-infected device can compromise hundreds of corporate applications. Even after the malware is removed, the damage is done unless all of those applications are properly remediated post-infection ? otherwise doors remain open for ransomware and other critical threats to the enterprise."

To learn more about how SpyCloud helps organizations defend against malware and ransomware, visit https://spycloud.com/ransomware/.

About SpyCloud
SpyCloud transforms recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.