Will we never get rid of ransomware?

Although the past year has fortunately not seen a major global ransomware outbreak like WannaCry in 2017, several large companies have fallen victim to various ransomware families. The big question is what to expect in the future.

There is probably no one who has not heard or read (even if they have been lucky or sensible enough never to encounter it) what it is like to have one's files encrypted and to be promised the key only in exchange for a ransom. Egregor, Doppelpaymer, Ryuk: these are today's most aggressive ransomware families and the crews that distribute them. The question here is whether there is any chance of ransomware disappearing from our lives in the near future.

The short answer is, unfortunately, no. In the longer answer we outline the reasons for this, point by point.

Ransomware as a well-functioning economic model

The criminal business model that has been evolving since 2013 is entirely viable and makes money. Attackers deploy malware, demand a ransom, and money changes hands. The criminals who sell turnkey ransomware-as-a-service (RaaS) prove year after year that they can grow their business by building a complete ecosystem around it.

Their service includes 24/7 support and requires no special expertise to use. According to the most recent reports, ransomware gangs earned at least $350 million in 2020, a 311% increase over the previous year. The average ransom paid by a company has also risen significantly, to around $154,000 (46 million forints), compared to "only" $111,000 six months earlier.

Protection and prevention are at an early stage

Although we are talking about a threat that, in its modern form, is now almost nine years old, many organizations are unfortunately still at a loss when it comes to effective control and prevention measures. RDP (Remote Desktop Protocol) exposed to the internet, typically combined with weak or reused credentials and no MFA or Network Level Authentication, has proven to be one of the most common initial access vectors for ransomware operators.

We can also mention weak passwords, neglected backups, uncontrolled privileges, missing or unmaintained anti-malware protection, and neglecting regular patching of application software and operating system vulnerabilities. The same applies to communication about attacks that have already occurred, which in many cases amounts to nothing more than flat denial, even in official statements. Besides doing serious damage to the reputation of the companies involved once the truth comes out, concealing a breach of personal data in this way, rather than notifying the supervisory authority within the 72 hours the GDPR requires, is in many cases itself a breach of the regulation.
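The combination of exposed RDP and weak passwords described above leaves a characteristic trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (Event ID 4624) from the same address. The following detection is an added example written for this article, not code from the page or from any product it mentions; the event records are constructed sample data, and the threshold and window are assumptions you would tune to your environment.

```python
"""Flag RDP password guessing, and any logon that succeeded after it,
from Windows Security events. Added example; the events below are
constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive: logons over RDP
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample events. Field names mimic the Security log, but the
# hosts, users and addresses are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:01", "TargetUserName": "administrator", "IpAddress": "203.0.113.10", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:02", "TargetUserName": "admin", "IpAddress": "203.0.113.10", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:03", "TargetUserName": "backup", "IpAddress": "203.0.113.10", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:04", "TargetUserName": "administrator", "IpAddress": "203.0.113.10", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:05", "TargetUserName": "administrator", "IpAddress": "203.0.113.10", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T02:00:06", "TargetUserName": "administrator", "IpAddress": "203.0.113.10", "LogonType": 10},
    # The guess that worked: same source, a minute later.
    {"EventID": 4624, "TimeCreated": "2021-03-01T02:01:00", "TargetUserName": "administrator", "IpAddress": "203.0.113.10", "LogonType": 10},
    # Two mistyped passwords from another address: below threshold, not flagged.
    {"EventID": 4625, "TimeCreated": "2021-03-01T08:15:00", "TargetUserName": "jsmith", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-03-01T08:15:20", "TargetUserName": "jsmith", "IpAddress": "198.51.100.7", "LogonType": 10},
    # A normal RDP logon from the internal network.
    {"EventID": 4624, "TimeCreated": "2021-03-01T09:00:00", "TargetUserName": "jsmith", "IpAddress": "10.0.0.5", "LogonType": 10},
    # A failed SMB (network) logon: not RDP, ignored by this rule.
    {"EventID": 4625, "TimeCreated": "2021-03-01T09:30:00", "TargetUserName": "svc_sql", "IpAddress": "10.0.0.9", "LogonType": 3},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside any `window`, noting which accounts
    were tried and which accounts logged in successfully afterwards."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue
        record = (parse_ts(e["TimeCreated"]), e["TargetUserName"])
        if e["EventID"] == FAILED_LOGON:
            failures[e["IpAddress"]].append(record)
        elif e["EventID"] == SUCCESSFUL_LOGON:
            successes[e["IpAddress"]].append(record)

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        flagged_at = None
        start = 0
        # Sliding window over the sorted failures for this source address.
        for i, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            if i - start + 1 >= threshold:
                flagged_at = ts
                break
        if flagged_at is None:
            continue
        # A success from the same source after the burst means a guess landed.
        later = [user for ts, user in successes.get(ip, []) if ts >= flagged_at]
        findings[ip] = {
            "failures": len(attempts),
            "users_tried": sorted({user for _, user in attempts}),
            "flagged_at": flagged_at.isoformat(),
            "success_after": sorted(later),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

In a real deployment the events would come from the Security channel (for example exported with wevtutil or forwarded to a SIEM) rather than a list literal, and a finding with a non-empty success_after is the one to treat as an incident rather than a noisy scan.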

Blackmail gives the blackmailer serious power

In a corporate environment, a ransomware attack can cause enormous damage. The loss is not only the ransom itself but also the disruption of the services the organization provides, lost revenue, damaging press coverage, falling share prices, regulatory fines such as those imposed under the GDPR, and the cost of recovery. This has been compounded by a newer threat seen over the last one to two years, so-called double extortion: the ransom is demanded not only for the decryption key but also to prevent the publication of stolen confidential data. The latter is sometimes a bluff, but most of the time it is a real threat.

As the figures show, victims are willing to pay staggering sums. For example, in the summer of 2020 the business travel management company CWT paid criminals $4.5 million, roughly HUF 1.3 billion at the exchange rate at the time.

A related recent trend is that attacks now specifically target the workstations of top executives at corporate victims. A successful compromise there yields large numbers of sensitive documents, and for the company concerned, keeping those documents from being published can matter more than recovering the encrypted files.

The ransomware brokers have emerged

Initially, alongside the criminal gangs spreading ransomware, seemingly independent support organizations emerged to answer the "what is bitcoin, and where can I buy it?" questions of novice victims. In many cases, however, some of these facilitators turned out to be accomplices sharing in the proceeds, and there have been a number of arrests and prosecutions. Later, suspicious players appeared in the form of fake IT security ransomware consultancies, alongside genuine service providers with legitimate, legal activities. For example, the Russian cybersecurity consultancy Dr.Shifro is suspected of collaborating with ransomware distributors.

Although these companies may appear to be legitimate businesses and advertise services such as taking part in ransom negotiations, much as in classic hostage negotiation, their business is opaque, and experts say their activities are more than suspicious.

The icing on the cake is that in 2020 the US government issued an advisory on the growing risk of ransomware, warning companies that those who facilitate ransom payments (including financial institutions, cyber insurers, and digital forensics and incident response firms that actively encourage payment) risk severe penalties for violating existing sanctions regulations if the money ends up with a sanctioned party.

Insurance is only half the solution

The rise in both ransomware attacks and ransom payments makes clear that ransomware insurance has not really worked, and has sometimes even been counterproductive. Public organizations, agencies, and institutions holding such a policy often considered their protection taken care of, assuming the insurer would pay in case of trouble, and paid too little attention to technical controls, filtering, preventive measures, and regular security awareness training for their staff.

At the same time, criminals have learned that such targets pay quickly and well, and as a consequence they have increasingly turned to targeted attacks on public bodies.

How to protect against and prevent ransomware, and the practical steps involved, are described here.