Ransomware — It’s Getting Serious

Last November, a high-profile attack on the U.S. branch of China’s biggest bank brought to public attention a problem that, largely beneath the radar, has reached startling proportions in the last few years: ransomware.

Although estimates vary, it’s believed that somewhere between 66% and 90% of organizations have been hit by some form of ransomware attack in the past year. The hackers and their methods are evolving fast, and organizations and governments are left playing catch-up.

The ransomware attack on Industrial and Commercial Bank’s (ICBC) U.S. arm disrupted trades in the U.S. Treasury market. According to the Guardian, “Several ransomware experts and analysts said an aggressive cybercrime gang named Lockbit was thought responsible, although the gang’s dark website where it typically posts names of its victims did not mention ICBC as a victim as of Thursday evening.”

The increasingly brazen attacks signal that almost no industry is off limits. What do businesses need to know about ransomware attacks and how can they mitigate the risk of becoming a victim?

How does ransomware work?

Let’s start at the beginning and define ransomware. Cybercriminals use malicious software (malware) to encrypt files and documents on individual computers all the way up to an entire network, essentially holding the system and its data hostage and demanding a ransom. Usually, it starts when someone within the system clicks on a link or download that is infected. Other times, more sophisticated hackers exploit flaws in software, crack passwords, or other weak points like remote desktop logins.

Who's behind it?

In the decade since ransomware first appeared on the cyber crime scene, the technology has undergone significant evolution, from apps disabling a single device to those capable of self- propagation across the IT systems of large organizations.

Similarly the groups behind the attacks have grown and evolved. As detailed in the white paper published by the UK's National Cyber Security Centre, most attacks today emanate from an 'ecosystem' of specialized actors, each carrying out a particular phase of the attack. Some organizations even offer 'ransomware as a service' allowing other criminal groups to carry out an attack without advanced computing skills.

As for the location of these groups, the paper notes that "While cyber crime exists in most countries around the world, the major threat to the UK emanates from the Russian-speaking community that have benefited from ... the forums where these services are traded."

Ransomware by the numbers

According to Varonis, the recent dramatic increase in attacks is due to vulnerabilities created by remote working. As we already mentioned, estimates about the number of ransomware attacks vary. Sophos puts the ratio of companies hit by ransomware attacks in the last year at 66%. The Trend puts a more concrete number on it, saying that there have been 90,945 ransomware detections since January 2023. However, The Record reports, “Ransomware attacks across several key sectors dipped significantly in October, breaking a streak that has gone on for much of 2023.”

Whatever the real number of companies impacted by ransomware may be, these attacks are increasingly expensive. Sophos puts the average ransom in 2023 at $1.54 million, which is almost double the 2022 figure ($812,380) — however, the largest ransomware payout to date was for $40 million, according to Business Insider.

The costs of a ransomware attack, however, far exceed just the ransom itself. Sophos says the mean recovery cost, excluding the ransom, is $1.82 million — and then there’s the cost of lost business. For the lucky few, there is an alternative to paying the ransom.

Alternatives to paying the ransom

Interestingly, not every attempt at ransoming a company’s data is successful. According to Sophos, 76% of attacks result in data actually being encrypted. Furthermore, even if an attack succeeds, paying the ransom isn’t always the only option. Importantly, Cybereason found that 80% of victims who submitted a ransom payment experienced another attack soon after — and even paying was not a guarantee that your data would still be usable. The same survey found that 46% of organizations got access to their data, but most of it was corrupted.

The FBI discourages paying ransoms because as long as ransomware attacks are profitable, bad actors will continue pursuing them. The Associated Press (AP) reports that a “public-private task force including tech companies and U.S., British and Canadian crime agencies says it would be wrong to try to ban ransom payments altogether. That’s largely because “ransomware attackers continue to find sectors and elements of society that are woefully underprepared for this style of attack.”

For companies who choose not to pay the ransom to regain access to their data, there are three main options:

• Restore data from backups — If the attack has not so thoroughly seized your systems that you can access backup data, this can be an option.
• Look for a decryption key — Sometimes, organizations are able to find the decryption key needed to unlock their data.
• Start over — Depending on the data in question, you may even have the option of just walking away and starting over from scratch.

None of these options is entirely desirable, which means prevention is your best bet.

The need for 'cyber hygiene'

As the NCSC paper above notes: "Most ransomware incidents are not due to sophisticated attack techniques, but are usually the result of poor cyber hygiene."

"Poor cyber hygiene can include unpatched devices, poor password protection, or lack of multi-factor authentication (MFA). Remedying these are not silver bullets, but implementing such measures would interrupt the majority of ransomware attacks."

Many attacks are the result of human error so educating staff on how to spot phishing scams and preventing them from using unsecured devices is a good place to start, but there are other things organizations and companies can do to mitigate damage.

Ransomware insurance

Cyber insurance is an increasingly popular option. While it won’t prevent an attack, cyber insurance helps protect organizations from the fallout from cyberattacks. While one of these policies may help minimize business disruption during and after an attack — and help cover some of the costs associated with dealing with the attack and recovery — it is not a cure-all. According to Cybereason, 42% of organizations with cyber insurance policies indicated that insurance only covered a small part of the damage.

Joint action

Governments are also swinging into action, given the rise in activity — and the drain on the economy that bigger and bigger payouts are having. For instance, in early November, the International Counter Ransomware Initiative (CRI) had its third meeting. One of the main aims of this group is to get different countries to come together and share information to more efficiently battle the evolving ransomware threats. The Financial Times reports, the “50 members of the CRI adopted new protocols around information sharing and, most importantly, published a joint statement calling for an end to ransom payments.”

The FT suggests that private companies are unlikely to comply, however, for two main reasons: “One reason is that hackers usually set their ransom demands well below the likely financial hit from data breaches. Another is that companies are increasingly buying cyber insurance to transfer the costs.” In other words, insurance that protects companies from the impacts of ransomware is, in its own way, perpetuating the problem.

For companies searching for a cyber insurance provider, there are also many questions to ask. For instance, will an attack backed by a government be excluded as an “act of war”? As risks evolve, organizations need to know their coverage will evolve as well. More importantly, companies should stay up to date with the latest prevention methods and ensure that their employees have the training necessary to spot problems before they start.