Ransomware is a growing cybersecurity threat, with over 4,000 ransomware attacks daily according to the FBI. Average ransomware payments are estimated to exceed $200,000 and additional costs associated with business interruption and recovery can more than double the total cost incurred by the targeted business.
The Investigations & Analysis (I&A) team at SecurityScorecard recently analyzed publicly available information (including on the dark web) to collect a list of recent ransomware victims. SecurityScorecard’s Data Science team subsequently performed a statistical analysis to identify cybersecurity vulnerabilities that are more prominent among recent ransomware victims compared to other organizations not attacked by ransomware.
Two cohorts were compared in this analysis. The ransomware cohort included 126 organizations that had experienced a ransomware attack in early 2021. The non-ransomware cohort comprised 140,000 organizations whose scorecards are monitored by at least two other companies on the SecurityScorecard platform.
Comparison of factor scores
The distributions of factor scores for the ransomware and non-ransomware cohorts are presented in the box-and-whiskers plot below. The scores were averaged over the six-month period prior to March 2021 to obtain representative scores ahead of the ransomware attacks.
Based on the graphical analysis above, on average, ransomware victims have lower scores for several cyber risk factors, principally DNS Health, Endpoint Security, Network Security, Patching Cadence, and Social Engineering.
Endpoint security is a particularly important factor as the point of entry into a target organization is often through phishing campaigns or malware directed at the employee base. Deficiencies in Network Security may facilitate penetration or movement of ransomware within an organization, targeting high-value assets.
Prominent cybersecurity vulnerabilities
Cybersecurity risk profiles of companies afflicted with ransomware are different from other companies in statistically meaningful ways. SecurityScorecard identified cybersecurity findings that are statistically more prevalent among ransomware victims compared to other organizations.
For this study, a right-tailed test comparing two population means was used to compare the average prevalence of issue types in the two cohorts. We determined the proportion of companies in the ransomware cohort with given issue types was greater than the non-ransomware cohort to a level of statistical significance.
For each issue type, the z-score was calculated using the following standard test statistic:
where:
- pr = proportion of companies in ransomware cohort with given issue type
- pnr = proportion of companies in non-ransomware cohort with given issue type
- nr = number of companies in ransomware cohort
- nnr = number of companies in non-ransomware cohort
A threshold z-score ≥ 2.6 was used for the one-sided test corresponding to a significance level exceeding 99%, meaning that the chance of a fluke finding is less than 1%. In most cases, the z-score was substantially higher, indicating the chance of a statistical fluke to be less than .001%.
Discussion
The following charts and graphic below demonstrate that the ransomware cohort was much more likely to have a range of cybersecurity defects compared to the cohort of organizations without ransomware.
The issue types shown were found to be statistically more prevalent in the ransomware cohort
Cyber Risk Factor | Technical Finding | Prevalence | Prevalence Ransomware Cohort |
leaked information | leaked_credentials | 44% | 71% |
network security | tls_weak_cipher | 36% | 66% |
social engineering | exposed_personal_information | 25% | 64% |
network security | tlscert_no_revocation | 20% | 49% |
endpoint security | outdated_os | 24% | 48% |
endpoint security | outdated_browser | 26% | 48% |
network security | tlscert_expired | 20% | 45% |
network security | tls_weak_protocol | 18% | 41% |
network security | tlscert_self_signed | 14% | 40% |
ip reputation | suspicious_traffic | 18% | 36% |
network security | tlscert_excessive_expiration | 12% | 35% |
network security | tlscert_weak_signature | 9% | 27% |
ip reputation | attack_detected | 5% | 16% |
network security | tlscert_revoked | 1% | 7% |
While each of these particular vulnerabilities may or may not have been exploited in the actual ransomware attacks, they serve as indications that, on average, the organizations in the ransomware cohort were less diligent in maintaining good cybersecurity hygiene. Organizations that use weak ciphers or protocols, or don’t keep end-users’ browsers and operating systems up-to-date, are likely not adhering to other good cybersecurity practices in critical areas. The less likely they are following best practices, the more likely they are susceptible to attack.
The strong statistical correlation of higher prevalence of these cybersecurity findings with ransomware attacks clearly points to the importance of maintaining a good cybersecurity posture. Organizations with more diligent cybersecurity practices are less likely to fall victim to costly ransomware attacks.
