The rise of ransomware: Its cause & effect
Part one: Discover how the ransomware situation reached a fever pitch and where it is heading.
In many ways, cyber risk is its own pandemic and ransomware has quickly become the predominant strain. Reports have estimated the volume of attacks alone has increased anywhere from 200% to 300% in 2020, and is doubling again.
The demands themselves are also growing. Many experts are citing a ransom increase of anywhere between 50% and 80% with remediation costs also doubling to $2 million, up from an average of $761,000 just two years ago. These increases can be attributed to the surging value of bitcoin, the increasing willingness of victims to pay, advances in intrusion techniques, and the growing market of cybercrime in general.
As more and more victims pay demands, ransoms rise. As ransoms rise, more malicious actors are attracted by the potential payout, and as the pool of cybercriminals grows, so does the number of circulating strains that become more intelligent and more damaging. It’s a vicious cycle. As long as victims continue to pay, those ransoms will continue their trajectory. And the hard truth is, cybercriminals are often spending more time and resources in executing attacks than many companies are spending on cybersecurity.
If the data weren’t concerning enough, cybercriminals are applying more pressure. They understand companies are mitigating their risks by performing robust backups. To circumvent those backups and force their victims into paying, hackers have often threatened to publish exfiltrated data if ransoms are not received. They’re also going one step further by concurrently launching denial-of-service attacks while harassing their victims, and notifying the organizations’ customers and vendors that the company has been hacked.
Cybercriminals are also shifting to more advanced techniques in an effort to maximize their returns. In addition to leveraging artificial intelligence, they’re also deploying “supply chain attacks,” as demonstrated by the recent breach affecting IT company Kaseya. Kaseya provides software utilized by companies for the remote monitoring of their networks. In this specific attack, hackers were able to covertly install malicious code into a software update, which was then installed by a large number of its users, effectively breaching an estimated 800-1,500 victims.
The combination of COVID lockdowns, an increase in remote work arrangements, mass resignations and the resulting labor shortage is also providing an ideal environment for ransomware attacks. Employees working from home may be distracted or disregarding security protocols, new employees are often poorly trained, and the labor shortage is causing many employees to become stressed and overworked. All of these situations decrease employee awareness, resulting in an increased likelihood of being breached.
Also fueling these attacks is the reduced barrier to entry. It’s becoming even easier for less sophisticated hackers to capitalize on extortion attacks. Ransomware gangs are increasingly targeting disgruntled employees for assistance, and the emerging market of “ransomware as a service” offers code and services for lease or sale to other hackers in a marketplace akin to eBay. The Colonial Pipeline attack, for example, is believed to have originated from a single user password purchased on the dark web, which can be obtained for as little as $1.
The breaches against Colonial Pipeline, JBS, and the agricultural cooperative New Cooperative, which resulted in food production shortages and spikes in gas prices, also signal a shift in the types of companies and type of data being targeted. Historically, ransom attacks targeted more traditional information such as personal/health records, but attackers are now shifting their attention to the critical systems of companies providing critical infrastructure and public services such as hospitals and schools. Many experts say the public service sector is particularly vulnerable due to lower cybersecurity budgets and more lax security measures. In fact, a recent report by MS-ISAC indicates attacks against schools account for upwards of 57% of all ransomware attacks.
Cyberattacks such as these have effectively demonstrated the far-reaching impact ransomware can have on the public. However, they have also had an unintended consequence for the hackers, attracting serious attention from concerned regulators and lawmakers who are now beginning to take aim with more aggressive measures.
In October of 2020, with the hopes of deterring payments to malicious actors, the U.S. Department of Treasury’s Office of Foreign Assets Control issued an advisory, warning of potential civil fines for companies that make certain ransom payments.
The DOJ quickly followed suit with the formation of its “ransomware and digital extortion task force,” which led to the successful seizure of sizable ransom payments and notable arrest of a foreign actor in Ukraine. Shortly thereafter, following months of foreign negotiations, Russia arrested additional members of the notorious REvil group tied to the Colonial Pipeline hack. These arrests underscore the importance of foreign cooperation in investigating cybercrimes, prosecuting malicious actors, recouping ransoms, and deterring future attacks. When foreign relations become strained, increases in attacks (including state-sponsored attacks) are likely.
Editor’s note: This is the first part of a two-piece series looking at the growth of ransomware and how the insurance industry and regulators are responding. Part two of the series will explore the role cryptocurrency has played.
Evan Bundschuh, RPLU, is vice president and commercial lines head at GB&A, a specialty insurance brokerage located in New York that focuses on professional and management liability programs, including directors and officers, employment practice liability, cyber risk and professional liability insurance. He can be contacted at evan.bundschuh@gbainsurance.com.
Opinions expressed here are the author’s own.