Ransomware returns!

Reports of the demise of ransomware have been grossly exaggerated: businesses have to redouble their defences as new variants become ever more devious. By James Hayes.

Despite some signs that it is being displaced by newer malware such as ‘cryptojacking’ (malicious use of computer processing power to mine cryptocurrency) as cyber criminals’ preferred cash cow, ransomware remains a serious, persistent threat to organisations of all kinds. SonicWall’s 2019 Cyber Threat Report records 206.5m ransomware attacks in 2018 – a rise of 11% on 2017. High-profile targeted attacks on Tribune Publishing (US), City of Albany (US), Arizona Beverages (US), the Police Federation (UK), and Norsk Hydro (Norway) in the first quarter of 2019 show that it still carries a significant sting, and that its proponents think that the bigger the target, the higher the possible ransom to be extorted.

What’s more, because ransomware raises multiple ethical questions in terms of an organisation’s governance policies, cyber-savvy CEOs and their C-suite colleagues must stay apprised of the dilemmas it stirs up. NTT Security’s latest Global Threat Intelligence Report, for instance, found ‘compelling evidence’ that ransomware attacks ‘are still on the rise’.

Ransomware volumes for 2018 were up 350%, the report finds, and rose from less than 1% of global malware in 2016 to nearly 7%. Across Europe, ransomware was the leading malware manifestation at 29% of the total threat spectrum, NTT Security found, focused mainly on the business and professional services sector and the healthcare sector.

Not only are there more attacks; the average ransom cost is also on the up: Coveware’s most recent Ransomware Marketplace Report says that the average ransom demand increased by about 10% per quarter during 2018 (to a high of approx. €5,975/£5,160). The same study puts the average duration of a ransomware incident at 6.2 days, and the average financial cost of ransomware incident-related downtime at approx. €48,727 (£42,085). Estimates here vary by source: SentinelOne reckons that, globally, ransomware costs individual businesses an average of approx. €684,651 (£591,238) per annum.

Sophos, meanwhile, sets the median total cost of a ransomware attack at €118,054 (£101,962) approx. – this extends beyond any ransom demanded and includes downtime, manpower, device cost, network cost, and lost opportunities. All figures, again, were increases over the previous year’s figures: no surprise given that studies of cyber security trends indicate that there are rich pickings to be had, as a proportion of compromised organisations opt to pay ransoms to recover their indispensable data.

Further inducement for cyber criminals may well come from the fact that organisations polled across vertical sectors now not only expect ransomware to become a fact of commercial operations, but see it as somewhat of a tolerable business cost. This is despite evidence that paying a ransom is no guarantee that encrypted data will be recovered. Coveware reports that when a victim of ransomware pays, they receive a decryption key 93% of the time; but that is just the beginning of the recovery process.

How ransomware gets into systems

Encryption can damage or delete files, and sometimes the decryption tools do not work well. The average data recovery rate when a working tool is delivered is about 95%, but it varies markedly depending on the type of ransomware. For example, recovery for Ryuk is low at ~60%, but for SamSam it is close to 100%, the Coveware study found. Ransomware creators continue to build in new ways to add value to their attacks. New ‘in-development’ ransomware (discovered by support website MalwareHunterTeam) encrypts files, and also tries to steal owners’ PayPal credentials with an included phishing page. This ransomware contains a ransom note stating that the user can remit either via Bitcoin or with cash through PayPal. If a user chooses to pay using PayPal, they are taken to a phishing site that then attempts to filch their PayPal credentials.

“This technique aims to maximise the return-on-investment for the attacker. Once the victim falls into the trap and pays the initial ransom, they will also be duped into providing their PayPal account credentials, which will profit the attacker even further,” says Maor Hizkiev, CTO & Co-founder at BitDam. “This kind of attack demonstrates that once an attacker gains control, there is no limit to what they can do and how much money they can steal.”

Hizkiev adds: “The problem lies in the fact that almost all current security solutions are reactive, adjusting their defences based on attacks they have seen in the past. Attackers are relentlessly thinking of new tricks to evade static and dynamic solutions. New attacks are emerging daily, making it harder for vendors to keep up to date and protect from the newest attackers’ tricks.”

The fact that technological safeguards have their limits places even greater emphasis on the human factor when it comes to keeping out ransomware. Coveware’s report sample says that 15.5% of ransomware attacks came through social engineering or phishing attacks. Many cyber security experts now expound the necessity for organisations to implement a holistic cyber security policy that devolves responsibility for defence beyond the IT department and out to the frontline workforce – and that includes everyone, from senior executives to temporary staff. Getting this right is acutely important in respect of avoiding ransomware, because its success mostly depends on an employee inadvertently enabling the ransomware to get into a company’s IT network.

SentinelOne’s Global Ransomware Study 2018, for instance, found that among respondents whose organisation had suffered a ransomware attack in the last 12 months, around half said the attack worked because an employee was careless (51%) and/or anti-virus was in place but did not stop the ransomware attack (45%). This latter factor is echoed by Sophos’s SophosLabs 2019 Threat Report: it found that 75% of companies infected with ransomware were, nonetheless, running up-to-date endpoint protection software.

How ransomware impacts the business

The financial cost to targeted businesses is another determinant that might – in the short term, at least – lead some organisations to the view that they are actually better off paying ransoms than spending their money on defensive measures that do not seem able to fully protect them. In employee terms, the word ‘careless’ (re. the SentinelOne study findings) is perhaps used a little pejoratively. Training must keep up with the latest threats, which continually find ways to con even suspicious staff into clicking when they should shun. For business owners it’s also important to be mindful of how factors like staff churn bear on cyber security.

This might well cause a shift in cyber security spending from technology to training, as organisations strive to reduce their ‘human exposure’ by coaching their staff to be more cyber attack-savvy. A dilemma for employers is that they are unlikely to want to spend on advanced security awareness training for temporary workers – many of whom, in 2019’s commercial climate, are likely to be placed on the cyber security frontline in terms of dealing with digital customer interaction that exposes them to phishing attacks, for example.

Almost all – 94% – of respondents to the SentinelOne Global Ransomware Study 2018 cite that there has been some impact on their organisation because of ransomware attacks in the past 12 months, with the greatest impacts being an increased investment in IT security (67%), and a change of IT security strategy, to focus on mitigation (44%). It’s arguable that these initiatives will reinforce an organisation’s security against other threats, and help protect against a multichannel cyber threat attack ‘double-whammy’ – i.e., being hit by ransomware and hack-based data exfiltration at around the same time – the CISO’s nightmare. Furthermore, more than 10% report that their organisation has received negative press/bad publicity (14%) and/or seen senior IT staff lose their jobs (14%).

Where the ransomware comes from

Few organisations seem to hold an expectation of being able to identify who is behind the attacks they suffer – some might point to ‘nation states’ or ‘cyber criminal gangs’, according to the stipulations of their cyber insurance coverage. “Many victims of data breaches or ransomware attacks cry ‘nation-state!’ as the first response to the incident, even though very few are able to prove it,” says Igor Baikalov, Chief Scientist at Securonix. “Lax cyber security programs is [probably more] to blame in most cases.” According to NTT Security’s Threat Intelligence Report, the countries from which ransomware attacks originate often do not match general perceived expectations. It found that the biggest number of attacks on European targets, for example, came from the US (21%) followed by China (18%). Surprisingly, perhaps, the UK was the third most prevalent source of ransomware attacks (5%), NTT Security reports.

Can pay, do pay…

Official bodies, law enforcement agencies, and the security vendors strongly advise against paying ransoms. They point out that, aside from contributing to cyber crime’s finances, there is no guarantee that the ransomers will provide keys to ‘unlock’ compromised data, or, if they do provide keys, that they will work as promised. Other voices point out that decryption keys may already be freely available in the public domain to ‘release’ compromised data; and yet, despite this, some targeted organisations now seem to evaluate the pros and cons of paying in purely business terms, almost as ‘a cost of doing business’. Some of the financials do seem to lend substance to the ‘pay and be done with it’ argument. The cost of business downtime is some 10 times greater than the cost of the ransom requested, according to respondents to Datto’s The State of the Channel Ransomware Report.

MSPs report that the average requested ransom for SMBs is ~€3,831/~$4,300, while the average cost of downtime related to a ransomware attack is ~€41,700/~$46,800. This viewpoint is perhaps informed by the fact that only 8% of respondents to the Datto report thought that ransomware attacks are likely to decrease to any degree in the foreseeable future. They accept arguments for taking the ransom on the chin, learning everything that can be divined about how it happened, then making efforts to prevent a repeat incident. When considering all the ransomware attacks that their organisation has experienced in the last 12 months, a little less than half – 46% – of respondents to SentinelOne’s Global Ransomware Study say that their organisation did not pay a ransom because they decrypted the data themselves or had backups. In contrast, 19% admit that their organisation paid the ransom demanded by the attacker every time.

According to respondents whose organisation, or the organisation’s insurer, has paid some or all of the ransom(s) demanded by ransomware attackers for an attack in the last 12 months, the total value of the ransoms paid in this period is €40,470/£34,845 on average, and the largest value that their organisation has ever paid is €40,086/£34,514 on average. Of those whose organisation or insurer has paid some or all of the ransom(s) demanded in the last 12 months, around 60% state that their organisation paid because the cost of paying the ransom was less than the lost productivity caused by downtime from the attack (58%) and/or the cost of paying the ransom was outweighed by the cost of restoration/damage to the business (56%).

Lastly, some 33% report that an employee has paid a ransom in the past without the involvement or sanction of IT/security departments. Whether this was from company money or personal funds (i.e., due to embarrassment or fear of job loss) is unclear. The possibility that some senior executives may be quietly sanctioning payments as ‘miscellaneous’ expenses, because they do not want a ransomware attack in which they are in some way implicated to become official record, should not be discounted.