Canada leads the countries surveyed in both the average ransom paid to ransomware creators and the amount of money lost to downtime from ransomware, which is hardly ideal, and something that Canadian MSPs need to work smarter to prevent.
Today, Datto is releasing its global survey on ransomware, which includes a dedicated Canadian State of the Channel Ransomware Report. Datto, the market leader in business continuity services provided through MSPs, has a significant presence in Canada, with about 1100 partners of their approximately 14,000 global partners. 250 of those Canadian partners were surveyed in the preparation of the study.
Some of the report’s conclusions are reaffirmations of trends about which most in the industry – and certainly most MSPs – should already be well aware. For instance, the report found that ransomware remains a major threat to SMBs. Over the two-year period between Q2 2016 and Q2 2018, 83 per cent of Canadian MSPs surveyed report ransomware attacks against customers. 55 per cent said they had clients attacked in the first six months of 2018. The real picture is likely worse than that, as the MSP survey indicated that only an average of 21 per cent of attacks are reported to the authorities. MSPs reported four of these attacks within their client base per year, with 37 per cent saying clients had experienced multiple attacks in a single day in the first half of 2018, up from 31 per cent in 2017. CryptoLocker (71%), WannaCry (52%) and CryptoWall (42%) were the most common ransomware attacks. None of the others were over 20 per cent.
Interestingly, fewer ransomware attacks are actually reported to authorities in Canada, compared to the number reported overall in the global study.
“It’s not a huge difference, but it does exist,” said Ryan Weeks, Datto’s CISO. “The global number is 1 in 4 attacks are reported, compared to 1 in 5 in Canada.” Why so few attacks in Canada are reported wasn’t asked, although other studies provide some hints.
“Another study, not done by Datto, found that a majority of people who pay ransoms are employees of businesses who are afraid of getting fired if they reveal they caused the mistake,” Weeks said. “Paying it and keeping it a secret is more harmful, but we know that it’s common.”
There was also a significant disconnect reported between Canadian MSP and end customer attitudes towards ransomware. Nearly 90 per cent of MSPs said they were “highly concerned” about the ransomware threat, while only 33 per cent said their SMB clients had the same level of concern. 92 per cent of the Canadian MSPs believe that the number of ransomware attacks will continue at the same or higher rates of increase.
Another curious element in the Canadian data is that the share of ransomware attacks that come through phishing was very high, at 80 per cent.
“That’s much higher than we see globally, and it raises the question of whether Canadian MSPs are doing everything they can to protect the email vector as much as possible,” Weeks noted. Other factors like lack of end user security training (29%), weak passwords (29%), clickbaiting (25%) and malicious websites (23%) were significantly lower.
A final, and particularly significant, element distinct to Canada is that the costs of ransomware were the highest of the countries surveyed. The average ransom paid by SMBs was $CDN 8,764, which is $2300 more than the global average. While it’s tempting to conclude the criminals are simply adjusting their demands to reflect the low value today of the Canadian dollar, Datto doesn’t really see it that way.
“We see the higher ransom as making the market more lucrative to an attacker,” Weeks said.
In addition, the survey calculated the average cost of downtime related to a ransomware attack as $65,724 CAD, also the highest globally, which also had the consequence of making Canadian SMBs more willing to pay.
“MSPs and their customers need to understand they are dealing with an adversary that views security like a market,” Weeks stated. “They moved into bitcoin and cryptojacking because it had a perceived long term trend of being more valuable than the dollar, although for SMBs, bitcoin mining was less of an issue because they tend not to have the compute resources to make it attractive there. However, when the value of bitcoin fell to 10 per cent of its peak in 2018, the attackers moved to other tactics.”
Weeks said that backing up to a protected cloud environment like Datto provides eliminates some of the risk, and 87 per cent of MSPs said that Datto let clients fully recover from a ransomware attack in 24 hours or less. Still, ransomware infections in the cloud are increasing, with Office 365 being a particular target. The MSP needs to have a more holistic defense strategy.
“To begin with, the MSP needs to be using the backup technology the correct way,” he said. “They need to be replicating backups to both the cloud and a secondary site replication. We have service replications that allow you to have three copies of the data – but not every MSP configures it that way for their customers. They also need to think of ransomware like their adversaries do as one element of their strategy. They install ransomware, but they also seek to delete backups, because backups are the largest threat to them getting paid. They WILL seek ways to destroy backups and the MSP needs to plan for that.”
Weeks also said that in his discussions with MSPs, he was told that 85 per cent of afflicted customers had anti-virus installed, and 69 per cent had anti-spam filters, and they wanted to know why they were successfully attacked if they had best of breed defenses.
“They need to emphasize that ransomware isn’t a regular trojan, but is part of a focused strategy,” he said. “Those defenses depend on having seen the attack before, so they aren’t very effective. They need to have proper patching and configuration management, as well as tools that help them identify behavior. We also emphasize to MSPs that for themselves, it’s not just about buying a new security application to protect themselves. Are they consistently patching systems, browsers, and plug-ins in browsers? Once they have their IT systems in place, they can then do more advanced steps like training, and providing next-gen endpoint technology like EDR. We caution them not just to buy the next shiny thing until they have their own house in order.”
Windows systems remained the overwhelming target of ransomware attacks in 2018, as attackers go where the most users are. However, while MacOS (11%), Android (5%) and iOS (4%) were all much lower in terms of the number of MSPs who saw them attacked, all were up. Mac attacks in particular increased, with the 11 per cent number up from 3 per cent in 2017.