May 20th, 2022 by Van Ausdall & Farrar
Ransomware is one of the most damaging cyber-attack types of all time. It’s the one feared the most by business owners and cybersecurity defenders. This worry is not without reason. In an instant, an organization’s critical IT infrastructure can be brought down for weeks to months, completely stopping all business. Some data and systems may be lost forever. Complete recovery may take over a year.
Customer impacts may last long past the technical recovery process. The FBI is investigating about 100 different types of ransomware “gangs” and most are operating in foreign cybercriminal safe havens where the victim’s domestic law enforcement agencies cannot stop them. Despite the best efforts of security software companies, the occurrence of ransomware continues to increase.
Financial Troubles from Ransomware
The financial damage caused by ransomware is daunting. Ransomware was successful in exploiting up to 68% of surveyed organizations in one year alone, according to the 2021 Cyberthreat Defense Report. Ransomware mitigation vendor Coveware says the average ransom paid in Q3 2021 was $139,739 USD.
Some organizations have paid tens of millions of dollars in ransomware extortion. Overall, recovery costs are usually many times higher than the ransomware extortion payment. One cybersecurity vendor stated $18 billion was paid globally in ransom in 2020, and total costs were in the hundreds of billions of dollars. Another cybersecurity analyst predicted total ransomware costs could hit $250 billion by 2031.
Ransomware can take different forms, causing many different types of threats and damage. In its most common form, criminals use it to threaten to prevent access to critical data and systems and/or to release sensitive data unless a ransom has been paid.
Here are some of the common impacts of ransomware:
- Encrypts data and systems, causing downtime and recovery costs
- Steals confidential data, exfiltrates it outside the organization, and threatens to release it
- Steals organization, employee, and customer login credentials
- Uses compromised victims’ systems and earned trust to compromise customers and business partners
- Publicly shames victim, causing reputational damage
The general media has coined the term “double extortion” to describe the threats and damage that ransomware groups promise and/or accomplish along with the traditional encryption of data. All in all, the damage that the average ransomware attack causes to a victim organization is often quite extensive. The ransomware hackers primarily use the following vectors to infect a machine:
- Phishing emails
- Unpatched programs
- Password guessing/theft
- Compromised vendors
- Poisoned online advertising
- Compromised software downloads
If the ransomware attack is successful, once the files are encrypted and/or stolen, the hackers will display some sort of screen or webpage explaining how to pay to unlock the data or prevent the unauthorized release of data and credentials. Ransomware often comes with a deadline of less than one week; if it passes, the demanded payment automatically increases, or the encryption may be left in place permanently and the stolen data released publicly or sold to other cybercriminals. Paying the ransom invariably involves paying with some form of cryptocurrency, such as Bitcoin (abbreviated BTC).
Bitcoin is currently the most popular form of cryptocurrency and the most popular type required to pay ransomware extortions. But there are other popular cryptocurrencies, including Ethereum, Litecoin, Ripple, Tether, XRP, Dogecoin, Monero and many more. Some ransomware groups use other types of payments, such as gift cards or money-wiring services, but Bitcoin and cryptocurrencies remain the number one payment method by a large margin because of their nearly guaranteed anonymity. Cryptocurrencies can be transferred anywhere in the world via the Internet. Observers can see the “digital wallets” involved in any cryptocurrency transaction, but unless the involved parties go out of their way to identify themselves, who sends or receives the payment is usually unknown. This makes cryptocurrency the ideal payment method for ransomware groups.
Regardless of whether you have been hit with ransomware or not, protecting your network from these types of attacks is now an integral part of any network security framework for both individuals and companies. This step is vital. If you are going to take a hit on your files, at least learn from any mistakes that were made. It is time to get some countermeasures in place and take some proactive steps to prevent this—and other issues like it—from being able to affect you again.
We recommend the following steps as the bare minimum:
- Implement effective security awareness training combined with simulated phishing attacks to dramatically decrease the Phish-prone™ Percentage of your employees. It is important to be able to recognize a threat before it causes downtime.
- Install and maintain high-quality antivirus or endpoint detection and response software as a layer you want in place, but do not rely on it alone; such tools always run behind the newest threats.
- Apply all critical patches within two weeks of the vendor releasing them.
- Use strong multifactor authentication (MFA) wherever you can, along with strong, unique passwords that are not reused across any two websites or services.
- Configure high-quality backup/restore software and test the restore function regularly.
There are many other mitigations that should be deployed by every computer and network defender. But it is the failure of most defenders to focus strongly enough on these four critical mitigations that allows most hackers, malware, and ransomware to successfully exploit their devices and environments.
Hopefully, this article has provided you with a summarized series of steps to include in your ransomware response plan. We hope your organization is never successfully exploited by ransomware. If you are interested in consulting with us about our Managed Services and Managed Security Services practice, please send us a quick note from our ‘Contact Us’ link.