Is Ransomware Stoppable?

The first documented ransomware attack occurred in 1989 when 90 infected floppy disks were distributed at the World Health Organization’s AIDS conference. Unsuspecting users had the ransomware copied to their computers, where it remained dormant until the computer had been powered on 90 times. On the 90th time, all the documents in the MyDocuments folder were encrypted, and users were instructed to pay a ransom to have their files unlocked.

For the next ten years, ransomware kept a low profile until internet usage skyrocketed in the 21st century. Once the world became connected, ransomware started its rise in the criminal underworld. Today it is the most dominant form of cyberattack in the world, with 304 million ransomware attempts in 2020. That is a 62% increase over 2019. With over half of all ransomware attacks coming through spam or phishing emails, every organization needs to understand what ransomware is, what it does, and how to protect against it.

What is Ransomware?

According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware is:

an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable until a ransom is paid.

Ransomware is a form of malware with numerous variations. For example, REvil ransomware is configurable, meaning it can be adjusted to target specific victims. The malware exploits known vulnerabilities, stops or removes processes that might interfere with encryption, copies information, and encrypts data on local storage devices and network shares. It is suggested that this ransomware was used in the recent JBS and Kaseya cyberattacks.

How Does Ransomware Work?

Hackers are more than individuals trying to extort money; they are organized groups of criminals looking for huge payouts. Individual hackers may use the “spray-and-pray” method where they launch software looking for vulnerabilities that they can exploit for a ransom. Their return on investment is typically low, meaning they have to launch a number of attacks before finding a vulnerable system. The targets are smaller, and the ransoms are lower than those “big game hunters” who are looking for a payout of millions.

Organized Crime

Organized groups of cybercriminals are the hackers most often responsible for attacks that make the news, such as Colonial Pipeline or SolarWinds. These groups are looking for the best return on their investment of time and resources. These attacks come in phases. For example, the first phase may be a phishing or spam attack where the bad actors attempt to steal credentials. They leverage those credentials to achieve higher levels of access.

With greater access, they place malware on the compromised system to perform reconnaissance. These pieces of software can map the infrastructure and identify critical digital assets. With that information, they begin the process of encrypting backups and removing anything on the network that would minimize the impact of the ransomware. Only after everything is in place do they launch their attack.

Recently, cybercriminals have copied personal or confidential information on clients or employees to the Dark Web before launching an attack. They threaten to release the information if the ransom is not paid. In some instances, the bad actors threaten to notify the individuals directly. Cybercriminals will use any additional leverage to ensure payment is made.

Costs

From the time a hacker decides to infiltrate a system until the attack actually occurs, it can be weeks or months. During that period, the bad actors have unlimited access to a company’s system, confidential information, and digital assets. The cost of a ransomware attack can be far more than just paying the ransom.

A recent survey found that the average ransom paid was just under $200,000 compared to a recovery cost of close to $2 million. But paying the ransom did not guarantee low recovery expenditures. Approximately 65% of those attacked recovered some of their data, but close to 35% lost more than half of the encrypted files. Regardless of whether companies pay the ransom, they still incur significant recovery costs.

Can Ransomware Be Stopped?

Ransomware attacks will continue as long as the ransom is paid. However, not paying the ransom is easy to say but difficult to do. Take the attack on Colonial Pipeline, for example. Not paying the ransom had a real-world impact that harmed the company’s bottom line and the livelihood of many businesses in the supply chain. Even consumers were faced with a gasoline shortage because of the pipeline shutdown.

Prosecution

Finding and convicting cyber criminals is not easy. Although criminal groups may claim responsibility, proving that is more complex. It is especially difficult when countries such as Russia or China protect groups from prosecution. If prosecution were possible, ransomware attacks would decline.

Private companies do not always maintain the necessary documentation to trace an attack or to attach blame to a specific group. Without that information, it is impossible to bring charges against a criminal group. Some organizations do not even report cyberattacks for fear of damage to their reputations.

Ransom Recovery

Preventing cybercriminals from benefiting from the ransom is equally problematic. Most ransoms are paid with Bitcoin, an unregulated cryptocurrency that offers a level of anonymity for users. Although investigators have gained ground in tracing Bitcoin payments, it is still difficult to trace transactions to an individual since no identifying documentation is required to buy or sell bitcoin.

The recovery of $2.3 million of Colonial Pipeline’s ransom payment was possible because the cybercriminals did not move the money from the original payment account. Most ransom payments are moved from the original account within minutes of deposit and then transferred to other accounts, making them difficult to trace.

A Way Forward

President Biden recently signed an executive order to strengthen cybersecurity throughout the government’s supply chain. Among its seven directives was increasing information sharing between the public and private sectors to improve the country’s cybersecurity posture. That included setting standards, developing playbooks, and establishing a review board for all cyberattacks.

In signing the order, the President made it clear that everyone has a part to play in creating a secure digital world. As you look to improve your cybersecurity posture, reach out to Acom Networks to learn how to protect your organization from ransomware attacks.