Getty Images/iStockphoto

Ransomware, Phishing Attacks Compromised Half US Orgs in 2019

Ransomware and phishing attacks successfully compromised more than half of US organizations last year, with hackers increasing the sophistication of their social engineering attempts.

More than half of US organizations faced a successful phishing and or ransomware attack in 2019, as hackers leveraged a high frequency of social engineering attempts through business email compromise, phishing attempts, social media attacks, and other threat methods, according to Proofpoint.

The 2020 State of the Phish report highlights user phishing awareness, vulnerability, and resilience trends across the globe, by analyzing 9 million suspicious emails and 50 million simulated phishing attacks sent by Proofpoint customers over the last year, as well as a survey of 600 IT security leaders and 3,500 employees.

The researchers found that 90 percent of global organizations were targeted by business email compromise and spear phishing attacks in 2019, which reflected hackers’ continued attempts to compromise end users. In the healthcare sector, insiders are behind the majority of data breaches.

Notably, 60 percent of respondents said they faced fewer or about the same number of phishing attacks in 2019 as they did the previous year. Researchers noted that it highlights a growing trend of hackers focusing on quality of phishing attacks over quantity.

Specifically, 55 percent of these organizations experienced at least one successful phishing attack in the last year. As a result of those attacks, more than half of respondents said they lost data, while nearly 50 percent faced credential or account compromise, or a ransomware attack.

While many reports have focused on the cost of ransomware and outages, Proofpoint examined the costs of successful phishing attacks. They found more than half of phishing victims faced downtime hours and remediation time for infosec teams.

Nearly half saw damage to their reputations and about 35 percent saw direct business impacts due to a loss of intellectual property.

Last year also saw a resurgence in phishing-driven ransomware infections in 2019.

“GandCrab, a ransomware-as-a-service offering, plagued many organizations last year,” researchers wrote. “Many recent high-profile ransomware attacks appear to be secondary infections in organizations already compromised with other malware.”

“The advantage of a successful ransomware infection—from the viewpoint of the attacker—is the sense of urgency it creates,” they added. “Healthcare organizations and state and local government entities were hit particularly hard in 2019.

Given ransomware’s ability to immobilize critical infrastructure – as seen with many providers facing EHR downtime as a result of ransomware attacks last year, 33 percent of these organizations ended up paying the ransom to release their data.

However, the researchers found that just 69 percent of those ransomware victims who paid actually regained access to their data and systems after a payment to the hackers. But 7 percent faced additional ransom demands and did not regain access to their data.

And 22 percent never regained access to their data after paying the ransom.

It’s important to note that the FBI, tech leaders, and others all recommended not paying the ransom for a host of reasons. Proofpoint did find that 32 percent of respondents who faced a ransomware infection did not pay the ransom.

On a positive note, 95 percent of all respondents said their organization provides its employees with phishing awareness training. And 78 percent reported their security awareness training activities in measurable reductions in phishing susceptibility. The findings mirror a recent study published in JAMA.

However, 30 percent of respondents said only a portion of is employees receive that training. Just 43 percent allocate between one to two hours of training each year, with 30 percent only spend between 30 minutes to just under an hour.

Thirty-eight percent provided training each month, but for 6 percent of respondents security training occurred just once a year.

“This approach puts cybersecurity on the back burner for those who aren’t trained,” researchers wrote. “Targeted training is a critical part of cybersecurity education. But it works best when combined with a program that promotes organization-wide attention to best practices.”

“Raising awareness and instilling good security practices are different things,” they added. “Just 60 percent of organizations provide formal cybersecurity education to their users. That’s alarmingly low. The lack of formal training, and an apparent lack of focus on end-user email reporting, undermines organizations’ security postures.”

To Joe Ferrara, senior vice president and general manager of Proofpoint's Security Awareness Training, effective security awareness training focuses on the issues and behaviors that matter most to organizations.

Security leaders should take a people-centric approach, while blending organization-wide awareness training initiatives with more targeted, threat-driven education.

"The goal is to empower users to recognize and report attacks,” Ferrara said.

Next Steps

Dig Deeper on Cybersecurity strategies