To pay or not to pay?
Ransomware is the most lucrative business of the new ageIvan Mastagarkov
You can spend decades building a serious business but everything can go down the drain with a single click of a button. There is no long-term cure, no final solution. And like the Terminator, they always come back. The reason is simple - billions of dollars in easy profits. Welcome to the age of ransomware. It all started like a game but now we are talking fortunes. The modes of the attack don't change much. Usually, the targeted person or company receives an infected email.
Explained plain and simple, the malicious software encrypts the data on the infected computers, and then comes the offer - get the key to unlock it in exchange for a certain sum of money. The criminals leave instructions on the infected machines for negotiating ransom payments. Once the sum is paid, the decryption keys for unlocking the files are provided.
By the time you read this article thousands of companies worldwide will be victims of a cyberattack. According to official statistical data, ransomware bandits charged an average of $350 in 2017. Doesn't seem to be too much, does it? But the genie was released from the bottle. Ransomware attacks continue to flourish across the globe, and it is expected that 2021 will see continued attacks. Trend Micro Inc. observers reported a 77% surge in ransomware attacks during the first half of 2019, and Ankura Consulting Group reported that ransomware attacks increased from 27% to 43% of all cyber incidents in 2019. Very soon the hackers noted that busting billion-dollar companies was just as easy but way more profitable. For example, in 2017, when multiple National Health Service bodies in the UK were affected by WannaCry (a ransomware strain associated with low three-figure demands), no ransom was paid, and the NHS was estimated to had spent approximately £92m in cleanup and upgrade costs.
Well, Hamlet's famous question “To be or not to be?” has now become “To pay or not to pay?” And whatever the answer, the victim will have to spend a fortune to repair the damages. Even if the data is safe, someone has the key to your system, so you have to change the locks anyway. While most of us spent New Year's Eve 2019 celebrating, the IT department at Travelex was grappling with a ransomware virus that was spreading through its systems. Almost two weeks later, the currency exchange service finally restored its internal systems, but not before paying the attackers a reported $2.3m ransom.
In May 2021, Brenntag's North American division was compromised by criminal hackers. The chemical distribution company has over 17,000 employees in over 670 sites worldwide, but the damage to just one part of its business, in which 150GB of data was stolen, caused huge disruption.
The group responsible for the attack, DarkSide, initially demanded a 133.65 bitcoin ransom, which equated to approximately $7.5m. Millions of Americans got a first-hand glimpse of the disruption that ransomware can cause in May 2021, when Colonial Pipeline was crippled by the DarkSide gang. The fuel supplier was forced to halt operations amid the attack, which targeted the company's business network. This included Colonial's billing system, which meant it had no way to track fuel distribution and to accurately bill its customers. After initially stating that it wouldn't negotiate with the attackers, Colonial eventually relented. Initial reports claimed that the organisation paid $5m in bitcoin, but the Colonial's CEO Joseph Blount later confirmed that the fee was $4.4m. The US travel services company CWT Global set a world record for the largest ever ransom payment in July 2020, after it handed over $4.5m in bitcoin to the Ragnar Locker ransomware gang. The attack is believed to have taken down 30,000 computers and compromised two terabytes of data. Financial records, security documentation and employees' personal details, such as email addresses and salary data, were all affected.
Last year alone in the US, ransomware criminals hit more than 100 federal, state and municipal agencies, upwards of 500 healthcare centres, more than 1,600 educational institutions and untold thousands of businesses, according to cybersecurity firm Emsisoft. Dollar losses are estimated at tens of billions of dollars. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.
EU law enforcement agency Europol offers more than 90 freely available online decryption tools to tackle over 100 different strains of malware, via the No More Ransom initiative, which is promoted on the Europol website. This initiative is estimated to have helped 200,000 ransomware victims recover their files since 2016.
Still, the top European insurance companies refuse to seal contracts with clauses involving ransomware.
The insurer AXA said it made the decision in response to concerns aired by French justice and cybersecurity officials about the global epidemic of ransomware, in which France is the second worst-hit country in the world after the US. Last year alone, according to Emsisoft, France's overall losses amounted to more than €4.5bn in damage from ransomware to businesses, hospitals, schools and local governments. UK cyber-security firms have estimated annual ransomware costs at £10bn and rising. A 2015 British law prohibits UK-based insurance firms from reimbursing companies for the payment of terrorism ransoms, a model some believe should be applied universally to ransomware payments.
But paying doesn't guarantee anything near full recovery. On average, ransom-payers got back just 65% of the encrypted data, leaving more than a third inaccessible, while 29% said they got only half of the data back, cybersecurity firm Sophos found in a survey of 5,400 IT decision-makers from 30 countries. In a survey of nearly 1,300 security professionals, Cybereason found that 4 in 5 businesses that chose to pay ransoms suffered a second ransomware attack.
Success is driving cybercrime, along with “outsourcing” of hacking technology. Sophisticated groups write powerful hacking tools, then sell “ransomware kits” or “software as a service”, enabling small criminal gangs to launch attacks.
On the bottom line, the easy answer to Hamlet's question would be “Not to pay”, but damages done may seem to be too big to swallow. One thing is for certain, hackers will keep coming back, again and again. Just like Terminator.