Most people are not aware of the real impact and threat of ransomware campaigns going on almost constantly. While I’m sure everyone knows of the ransomware attack on the Colonial pipeline and the more recent similar attack on JBS, these are only the latest and most visible in a continuous stream of attacks. These are just the tip of the iceberg. The true scale is hidden not only by the media but also by a reluctance to talk about the problem.
In the Colonial pipeline case, a ransom payment was made of $4.4 million. It sounds sizable. Estimates of the worth of ransomware as a global industry range from $1 trillion to $10 trillion. That means if every single ransomware attack received the same payment as the Colonial pipeline, we would be looking at a minimum of 200 000 such attacks each year, more than 500 per day. The vast majority of attacks do not even come close to that level of payment, so we are looking at a lot more incidents, impacting a huge number of people every day.
So what is ransomware?
The layman’s view of ransomware is software that encrypts some files then demands payments to decrypt them. However, modern ransomware organisations are becoming more sophisticated. The encryption of files still happens, though attackers will often exfiltrate information and threaten to publish it if payments are not made. Partial publications are often made to back up the threat. And quite frankly, there is no guarantee that on payment of the ransom, the victim will receive their data back, let alone prevent future threats and publication. What is guaranteed is that they are now marked as a potential income source for future attacks.
It’s also important to note that much of today’s ransomware is effectively a commercial product. Criminals can license the software or purchase it as a managed service and deploy it where they’ve already gained access. Alternatively, and growing more and more common, a group may license the core software, customise it, and buy access to organisations from access brokers who make their living simply by finding ways in and selling that on.
Even where payment is made, and the keys are provided to decrypt the files, there are no guarantees that they will work faster than restoring from backups, if they work at all.
What are the good guys doing?
Many security researchers look for ways to break or exploit ransomware, finding ways to decrypt files that don’t require any communication with the attacker. This is an ongoing battle, and the debate still rages about whether to publicise these tools or keep them quiet. In a recent case, a certain well-known security company published their decryption tool using a hole in the software discovered by a researcher. Of course, the ransomware organisations have access to the same internet as the rest of us, found the tool, reverse engineered it, and improved their software to prevent the hole from working in future.
What’s the real impact?
Cases like the Colonial and JBS attacks are well-publicised and relatively rare. The vast majority of attacks never reach the headlines, and just as with everything else in business, most of them don’t affect such high-profile organisations.
In 2017 it was estimated that one-third of small businesses worldwide were affected by ransomware. Of these, one fifth had to cease operations. Not a temporary stoppage, as Colonial and JBS, with insurance and reserves to see them through the incident, were able to manage, but permanently closing their doors. Most of these attacks succeed because of human error, not a clever technical vulnerability. From what we know of the Colonial attack, it was down to a poor password choice, as was the SolarWinds attack, which has largely been forgotten but ended up giving the attackers root access to government agencies and military research organisations worldwide.
Many businesses that haven’t been impacted by ransomware believe that they aren’t a target. Even some who have been subject to small incidents assume that they will not be affected by anything larger, despite often not even understanding how the malware got onto their systems in the first place.
What can businesses or individuals do?
There are two parts to dealing with ransomware attacks. The first is prevention, and often that’s simply being above the exceptionally low bar set by other businesses in terms of security. Ransomware groups are well-resourced and technically skilled, but they are eager to extract maximum profit for minimum effort as with any other profit-minded organisation. Closing down the easy holes, carrying out just basic security hygiene, requires them to expend more effort, so they will often move on to another victim. Until the entire world has got up to a basic level of security, this tactic will keep working.
The second part is to ensure thorough backups and a disaster recovery strategy are in place and tested. While ransomware exists that will hibernate, making sure to infect backups, this is rare as it requires additional effort and thought. In addition, knowing that you can restore operations within a few hours after losing systems removes the threat of ransomware.
How about insurance?
AXA recently announced that they would no longer be making payouts for ransomware as part of their cyber insurance policies. Unfortunately, others may follow suit, as ransomware is one area where insurers seem to have misjudged the risk. Worse, there are known cases of companies with insurance policies being targeted, with the ransom payments set at a level known to be covered by the insurance policy. In effect, insurance companies have been subsidising the ransomware industry, driving up payments by making payouts available to their affected customers.
Cyber Security Fundamentals – Ransomware, Insurance, and Backups
By James Bore
James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions’ companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at firstname.lastname@example.org