What do the most recent high-profile cyber attacks have in common? Ransomware.
More than a dozen cyberattacks in 2021 involved the use of malware that encrypted or locked access to files and demanded the payment of a ransom. The Colonial Pipeline attack that resulted in oil supply disruption in many parts of the United States was caused by ransomware. Similarly, the widely talked about attack on JBS Foods involved the denial of access to files and a demand for ransom.
The chemical distribution company Brenntag, computer manufacturer Acer, insurance giants AXA and CNA, major Apple business partner Quanta, and automobile manufacturer Kia Motors also suffered inconveniences and problems with ransomware in 2021. Even the NBA’s Houston Rockets reported an attack by a ransomware group.
The current year is seeing a surge in cyberattacks, and it seems they are only going to get worse. Cybercriminal groups such as Darkside, REvil, and Evil Corp are boldly claiming responsibility for the security breaches while companies appear to be doing little to bolster their defenses. The infamous SolarWinds attack should have been warning enough, but many still failed to revisit their respective security postures.
Why is ransomware the new favorite attack vector these days? Here’s a rundown of the biggest reasons.
Siloed security controls
Most cybersecurity solutions prevent ransomware installation by scanning files and links and referencing a database of ransomware fingerprints. They scan email attachments, file downloads, P2P file transfers, and other files introduced to a system to determine if they are safe or harmful. This approach tends to be easily rendered ineffective, though, when the human cybersecurity weakness is exploited.
Through phishing and other forms of social engineering, computer users are convinced to unwittingly download and install ransomware-laced programs. Employees tricked into installing malware by someone who pretends to be a higher-up in the organization will be clueless that they are defeating their own security controls. Someone excited to get a pirated copy of a popular TV show or movie will try to turn off some security controls if a website instructs them to do so in order to download and view the video file they want.
Unfortunately, most organizations still use different systems for scanning files or links and raising alerts for unsafe behavior such as downloading and installing files from unknown or suspicious sites. As such, there aren’t that many hurdles in installing ransomware on computers. To address this security weakness, it is advisable to use a comprehensive cyber security platform to unify security controls and centralize the collation and analysis of cyber threats. This setup creates a multi-layered cyber defense to make sure cyber attacks are kept under control.
Lack of disaster recovery and business continuity plans
Another reason why ransomware attacks are surging is the apparent lack of preparedness among organizations. They tend to succumb to what the attack perpetrators demand because they are not ready to deal with the consequences. That’s why the importance of disaster recovery and business continuity planning (BCP) cannot be overstated. It is not just a choice but a must for businesses of all sizes and types. It may not guarantee the swiftest recovery from an attack, but at the very least it allows organizations to decide on the best possible courses of action instead of simply paying the ransom to restore operations as soon as possible.
An AT&T study found that 1 in every 5 businesses does not have a continuity plan. This may sound low, but it is high enough to make easy-to-deploy ransomware attacks worthwhile. When businesses are left clueless on how to handle a cyberattack that deprives them of access to crucial files or network resources, they are more likely to submit to what the attacker wants.
Easy to execute
Ransomware attacks are easy to execute. Cybercriminals can deploy them at random and see if anything sticks. As a University of Berkeley Information Security Office FAQ explains, there are two main ways ransomware makes its way into victims’ computers. One is through malicious file attachments (via email or messengers) designed to trick users into unwittingly installing the malicious software. The other is through “drive-by” attacks, which introduce sophisticated malware capable of propagating and installing itself by exploiting web browser vulnerabilities.
Once the ransomware is installed, it can discreetly encrypt files in the infected system, making the files inaccessible to the owner. The encryption process may happen gradually over a long period of time to lessen the chances of the anomalous activity getting detected. The perpetrator of the attack will then ask for a ransom to decrypt the encrypted files.
If the victim refuses to pay the ransom, the encrypted files become inaccessible forever unless some extraordinarily talented IT guy manages to figure out the decryption code and unlocks the files. Sometimes, attackers threaten their victims with a deadline for the ransom to be paid, saying that they will delete the decryption key once the indicated date or time lapses.
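As an added illustration (not from the article) of why the gradual encryption described above matters for defenders: a simple rate rule on file rewrites misses one-document-per-hour encryption, while a content check on the entropy of the rewritten bytes flags it regardless of pace. The events, file names and byte strings below are constructed sample data.

```python
import math
from collections import Counter

# Constructed sample events (not from the article): (minute, path, new content).
# ENCRYPTED is a stand-in for ciphertext: every byte value occurs equally often,
# so its entropy is the 8 bits/byte maximum. Real ciphertext lands close to that.
ENCRYPTED = bytes(range(256)) * 4
PLAINTEXT = b"Q1 budget: revenue 120000, costs 98000, headcount 42\n" * 20

# Slow encryptor: one document rewritten per hour, never a burst.
SLOW_EVENTS = [
    (0,   "docs/budget.xlsx", PLAINTEXT),
    (60,  "docs/plan.docx",   ENCRYPTED),
    (120, "docs/notes.txt",   PLAINTEXT),
    (180, "docs/memo.docx",   ENCRYPTED),
]

# Fast encryptor: the same kind of rewrites, but four within two minutes.
FAST_EVENTS = [(m, f"docs/file{i}.docx", ENCRYPTED) for i, m in enumerate((0, 0, 1, 2))]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def rate_alerts(events, window_min=10, threshold=3):
    """Rate rule: alert when more than `threshold` rewrites land within any
    `window_min`-minute window. Returns the minute of each alerting event."""
    times = sorted(t for t, _, _ in events)
    alerts, start = [], 0
    for i, t in enumerate(times):
        while t - times[start] > window_min:
            start += 1
        if i - start + 1 > threshold:
            alerts.append(t)
    return alerts

def entropy_alerts(events, min_entropy=7.0):
    """Content rule: alert on any rewrite whose new bytes look like ciphertext,
    however slowly the rewrites arrive."""
    return [path for _, path, data in events if shannon_entropy(data) >= min_entropy]

if __name__ == "__main__":
    print("slow, rate rule:   ", rate_alerts(SLOW_EVENTS))     # []
    print("slow, entropy rule:", entropy_alerts(SLOW_EVENTS))  # plan.docx, memo.docx
    print("fast, rate rule:   ", rate_alerts(FAST_EVENTS))     # [2]
```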
Profitable attacks
“Attacks happen for one reason and one reason only—they are profitable,” said cyber threat analyst Brett Callow in an interview with NPR. Compared to stealing funds by attacking the banking accounts and online wallets of businesses, ransomware attacks are notably more profitable and even easier to undertake.
While not every ransomware attack yields $1 million for the perpetrator, the ransom amounts paid have increased over the years. According to the Palo Alto Networks 2021 Unit 42 Ransomware Threat Report, the average ransom paid by victimized organizations in 2020 rose by 171 percent, from $115,123 in 2019 to $312,493.
From the same threat report, the highest amount paid by an organization increased from $5 million to $10 million, a 100 percent rise. Cybercriminals have become greedier than ever. The highest ransom demand from 2015 through 2019 was estimated at around $15 million. It has since increased radically to $30 million with one ransomware perpetrator demanding
‘Cooperative’ victims
According to one study, more than 27 percent of organizations that suffered ransomware attacks in 2020 chose to pay the ransom. For them, it is the less damaging option compared to suspending operations indefinitely.
Government authorities are stern in their call for cyberattack victims not to pay anything to cybercriminals, but many businesses are convinced it is a more financially sound decision to defy such guidance. As reported by Businesswire, the average ransomware-attributed downtime cost in 2020 was already at $141,000, around three times higher than the previous year’s number. This Businesswire report cites a study that puts the average ransom demand at $5,900.
To clarify, these numbers are different from the average ransom amounts demanded and paid cited earlier. These are from a different study, and they highlight the huge disparity between the average ransomware-related downtime cost and the average ransom demanded by attackers.
Convenient anonymous money transfers
In addition to the profitability of ransomware attacks, it is also worth noting how it has become easier now to send and receive money anonymously. The rise of bitcoin and other cryptocurrencies is certainly advantageous to cybercriminals, ransomware perpetrators in particular.
As NPR national security correspondent Greg Myre correctly suggested, “Bitcoin is fueling ransomware attacks.” The decentralized and unregulated nature of bitcoin transactions allows cybercriminals to boldly provide bitcoin or other crypto wallet addresses when they demand the ransom. They know it is unlikely that they will be traced and that the fund transfer will be reversed or canceled.
What’s more, the transactions can be in hundreds of thousands to millions of dollars (in bitcoin equivalent). As mentioned, some victims have paid up to $10 million to ransomware perpetrators.
“It really is a very powerful tool in the hands of criminals to perform money laundering, to shift currency from one state to another in a way that’s in a sense untraceable and definitely uncontrollable,” said cybersecurity expert Yonatan Striem-Amit in an interview with Myre.
A serious concern
The frequency and apparent mundaneness of ransomware attacks at present should serve as a warning to all organizations, especially as the attacks appear not to have reached their peak yet. Their volume and sophistication are expected to advance further and make prevention, mitigation, and remediation more difficult.
The best solution is still prevention, which entails training or orientation on how to prevent ransomware from getting installed in the first place. Businesses should also start having disaster recovery and business continuity plans and get these plans tested periodically. It is crucial to be aware of the problem and to be ready to deal with its consequences.