Despite Washington’s recent attempts to expand cybersecurity rules and disrupt hacking gangs, ransomware continues to proliferate and executives report unease about their companies’ ability to ward off the threat.
The number of ransomware attacks against U.S. businesses has continued to increase this year, cybersecurity experts say, while some lawmakers warn the government has limited visibility of such hacks. Companies that rapidly digitized their operations during the pandemic are spending more time and effort navigating a fast-changing and treacherous ransomware landscape.
About 19% of cyber risk executives are highly confident in their organization’s ability to understand and respond to cyber threats, according to a survey of more than 660 people published Thursday by Marsh & McLennan Co.’s insurance broking business and Microsoft Corp.
“It reflects that, despite the significant amount of time and energy and resource that organizations are spending on cyber, the risk environment continues to evolve and expand such that it’s difficult to get ahead of it or get on top of it,” said Thomas Reagan, cyber risk practice leader for the U.S. and Canada at Marsh.
Verizon Communications Inc.’s annual Data Breach Investigations Report, published last week, found that ransomware’s involvement in data breaches rose by 13% over the course of the past year, more than the increase in the previous five years combined.
Many attacks remained relatively unsophisticated and relied largely on human error rather than technical prowess, said Sowmyanarayan Sampath, chief revenue officer at Verizon.
“It’s not James Bond stuff,” he said.
The pandemic pushed many companies to reorient their security postures to protect employees working remotely and outside traditional corporate cyber defenses. That shift, coupled with the growth in criminal operations using ransomware, contributed to a sharp increase in such attacks during the pandemic.
Criminal groups demanded ransoms as high as tens of millions of dollars to unlock some companies’ data, disrupting critical infrastructure operators such as Colonial Pipeline Co. and meatpacker JBS Foods SA last spring. The spate of incidents led Federal Bureau of Investigation Director Christopher Wray last year to compare the challenge posed by ransomware to that of the Sept. 11, 2001, terrorist attacks.
Researchers at security firm Sophos Inc. say that as ransomware has grown more common, hackers increasingly specialize in specific tasks, such as gaining access to computer systems or deploying malware, to work more efficiently.
The upshot is that corporate security teams are “facing more attacks that develop at an accelerated pace,” leading to employee burnout and resignations, said Patrick Gaul, executive director of the National Technology Security Coalition, an advocacy group for chief information security officers.
Washington has tried to meet the threat by collaborating more with corporate security teams and unveiling a menu of more aggressive standards for the public and private sectors.
Regulators issued first-of-their-kind cyber rules for oil-and-gas pipelines, lawmakers passed new rules for critical-infrastructure firms to report breaches, and the Justice Department and other agencies have stepped up their attempts to disrupt criminal groups abroad. The Cybersecurity and Infrastructure Security Agency, or CISA, announced last week that it is setting up a task force on ransomware.
The government likely knows about just one-quarter of such incidents due to underreporting by companies and disclosures spread across different federal agencies, according to a report last week by the Senate Homeland Security Committee.
The lack of visibility blunts efforts to assist victims and obscures the full economic impact of ransomware attacks, the report found.
Victims sent at least $692 million in cryptocurrency to virtual wallets affiliated with such hackers in 2020, according to Chainalysis Inc. The data-analytics firm, which tracks illicit payments across public ledgers known as blockchains, said in a February report that the 2021 total—$602 million—will likely surpass 2020’s sum as more digital ransoms are traced over time.
A top cybersecurity official in the Biden administration has said the onslaught has slowed in recent months during Russia’s invasion of Ukraine.
Speaking at the Cyber Initiatives Group’s spring summit this month, Rob Joyce, cybersecurity director at the National Security Agency, said repeated warnings by CISA helped businesses shore up their defenses against potential hacks. Sanctions imposed on Russia, where researchers believe many ransomware gangs operate, may have made it harder for criminals to cash out from successful attacks, he said.
But cybersecurity experts don’t see this as a time to be any less alert.
“If anyone thinks that ransomware attacks are decreasing or going away, I’d say that notion is absurd,” said Errol Weis, chief security officer of the Health Information Sharing and Analysis Center, a nonprofit that coordinates security among healthcare organizations.
The NSA declined to comment. CISA didn’t respond to requests for comment.
Write to James Rundle at james.rundle@wsj.com, David Uberti at david.uberti@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.