As if ransomware wasn’t a big enough problem already, it just evolved from a costly nuisance into a full-fledged data breach designed to shame companies into paying. This new twist on ransomware is being driven by several well-established cybercriminal groups that have upped the stakes by threatening to publish customer data and trade secrets of victims who refuse to pay the ransom. One ransomware ring has even created a website to publicly expose companies that choose to rebuild their digital assets from backups rather than giving in to ransom demands.
This means victimized businesses can no longer sweep a ransomware attack under the proverbial rug. When attackers go beyond the encryption of files and actually extract data, targeted companies are subject to the full ramifications of a data breach, which can include remediation costs, regulatory fines, customer notification, brand damage and loss of business. According to Ponemon Institute, the global average cost of a data breach in 2019 was $3.92 million, a 1.5% increase from 2018.
While this new shaming tactic is shocking to the businesses that fall prey to this new form of ransomware, it really should come as no surprise that cybercriminals are willing to do just about anything to preserve their revenue streams. After all, ransomware is a thriving industry. High earners make up to $2 million per year. Mid-level criminals make up to $900,000. And entry-level hackers make $42,000. With a broad range of accessible tools and services—including exploit kits, custom malware and botnet rentals—it’s never been easier to run a ransomware “business.”
Ransomware really started making an impact in 2017. It then gathered more attention as the networks of major cities including Atlanta, Baltimore, New York, Greenville and others were knocked offline by attackers demanding a ransom to decrypt the files that were being held hostage. PhishMe detected a total of 850.97 million ransomware infections in 2018. Ransomware gathered even more steam in 2019, with some industry sources such as McAfee reporting double the number of ransomware attacks compared to the previous year.
The evolution of ransomware is really no different than any other well-executed business strategy. Many first-generation ransomware campaigns used what is called the “spray and pay” strategy. By randomly targeting a wide net of consumers, businesses and governments, attackers were able to test the “market.” Just as with any early-stage market, the technologies used in first-generation attack campaigns were a bit crude but nonetheless effective.
As cybercriminals collected and analyzed their “sales” and “product” data, they discovered which factors improved their profits. With a proven business model, ransomware gangs began to concentrate their efforts on local governments, schools, healthcare and small businesses because they had a higher probability of paying the ransom and fewer resources to counter an attack. New attacks were backed by more powerful forms of file-locking malware, data exfiltration and campaigns designed to be even more lucrative than before, including attempts to embarrass victims into paying.
In 2019, the U.S. was hit by an unprecedented number of ransomware attacks that impacted at least 966 government agencies, 1,233 educational establishments and 764 healthcare providers at a potential cost in excess of $7.5 billion. The average payout for a ransomware attack increased by six times between 2018 and Q3 2019, bringing the average payment to $41,198. That’s a pretty successful business model.
As with any growth market, new products, services, innovations and partnerships are being introduced to support the increasing demand. Beyond shaming businesses into paying ransoms and introducing more sophisticated forms of data exfiltrating malware, threat groups are collaborating with each other and finding new revenue streams. For instance, the operators of the TrickBot banking Trojan are selling access to the networks they have previously compromised. This allows threat groups to distribute ransomware more easily without having to put the time and resources into breaching a network on their own.
In 2020, you can expect to see even more sophisticated attacks designed to exploit the connected and device-driven world we live in. With data scattered everywhere, next-generation attacks will be even more difficult to defend against and have farther-reaching impacts.
Bottom line: Ransomware isn’t going away anytime soon. The likelihood that a business will be hit and the potential for serious damages are only going to get worse. Today, security risks are business risks. Companies need to protect against the threat the same way they would protect their business against any other threat that might be enough to shutter their doors. The U.S. National Cyber Security Alliance reports an estimated 60% of small companies go out of business within just six months of a cyberattack.
If a company is still depending on traditional security methods such as anti-virus, firewalls and intrusion detection systems (IDS), it is vulnerable to attacks. Mobility, cloud and IoT trends have dissolved the network perimeter and environments are no longer static, so companies need to implement adaptive security models that automatically analyze behaviors and events to create a feedback loop of threat visibility, detection and prevention that consistently becomes more effective. Paired with layers of endpoint security, data security and monitoring, adaptive security lets businesses prevent an attack from occurring or respond to a breach within milliseconds.
Further, security is only as strong as the weakest link. And right now, humans are a favorite target of cybercriminals for this very reason. Just one wrong click opens the door for a hacker to penetrate a business’s defenses. To shore up defenses, businesses must hold employees accountable and responsible for corporate security. Formal security training programs can help teach employees how to protect themselves and a company against cyberattacks, but ultimately today’s companies must change the attitudes and habits of their workforce by building an all-inclusive security culture.
Finally, cybercriminals keep gaining ground because they are willing to innovate. Businesses need to be willing to do the same. There are potentially game-changing products in development. Autonomous services, adaptive identity management, blockchain-based data protection and automated data rights revocation are just a few areas of innovation that will be key to success in the coming years. All companies should be working with dedicated security employees or a trusted security adviser to define and implement an offensive cybersecurity game plan that puts their business ahead of the threat curve and keeps them off the public list of data breach victims.