What is ransomware?
Ransomware is a form of malicious software that encrypts files on a victim’s computer, preventing the victim from accessing them. The attackers demand a ransom payment in cryptocurrency in exchange for decrypting the files. Ransomware has become a lucrative criminal enterprise, with estimates of yearly profits in the billions of dollars.
The most common way ransomware infects systems is through phishing emails containing malicious attachments or links. Once executed, the ransomware encrypts files and displays a ransom note demanding payment. Most ransomware aims to encrypt files that are critical or valuable to the victim, such as documents, photos, databases, and other data.
Attackers often threaten to delete encryption keys or increase the ransom amount if payment is not received quickly. Some ransomware variants also steal and exfiltrate sensitive data prior to encrypting it, adding extortion to the criminal activity.
What are the different types of ransomware?
There are several major strains of ransomware that have caused widespread damage globally:
WannaCry: One of the most infamous ransomware attacks, WannaCry affected over 200,000 systems across 150 countries in 2017. It exploited a Windows vulnerability to spread quickly across networks.
Ryuk: Active since 2018 and often deployed manually, Ryuk targets large enterprises and government agencies. Infamous victims include Universal Health Services and shopping giant Guess.
Conti: The Russia-based Conti group operates a Ransomware-as-a-Service model, allowing affiliates to pay to use the malware. Conti leaks victim data if ransom goes unpaid.
REvil: Active since 2019, REvil (also called Sodinokibi) is one of the most prolific and profitable ransomware groups currently operating.
Quantum: Associated with highly targeted attacks on critical infrastructure organizations, Quantum extensively reconnoiters victims’ networks first.
LockBit: Utilizing a RaaS model since 2019, LockBit often auctioned off access to victim networks, allowing multiple parties to launch attacks.
New ransomware strains and variants continually emerge, evolving to use more sophisticated evasion and encryption techniques.
What are the impacts of a ransomware attack?
The impacts of a successful ransomware attack can be severe:
- Loss of access to critical data and systems, crippling business operations
- Revenue and productivity losses from downtime during recovery
- Permanent data loss if backups are impacted
- Reputational damage and loss of customer trust
- Legal and regulatory compliance issues due to data loss
- Costs associated with recovery, such as investigation, remediation, upgrades
- Payment of sizable ransoms, sometimes in untraceable cryptocurrency
Recovering from ransomware without paying the ransom can be challenging and time-consuming depending on the specific strain. Some estimate the average recovery to take 287 days.
What is the average ransomware payment?
According to cybersecurity firm Coveware, the average ransomware payment has steadily risen:
| Quarter | Average payment |
|---|---|
| Q1 2019 | $12,762 |
| Q1 2020 | $84,116 |
| Q1 2021 | $220,298 |
| Q1 2022 | $247,521 |
Payments can vary widely though, from several hundred dollars to millions depending on the victim. Public sector entities and critical infrastructure firms often pay higher ransoms on average.
The highest publicly reported ransom was $40 million paid by Colonial Pipeline in 2021. However, undisclosed payments running into the hundreds of millions may have occurred.
Should you pay the ransom?
There are pros and cons to paying ransomware demands:
Potential benefits:
- Quicker recovery of encrypted data and systems
- Avoid costs associated with decryption and recovery
- Prevent threat actors from leaking or selling data
Potential risks:
- No guarantee files will be decrypted or confidentiality maintained
- Perpetuates the criminal enterprise and funds further attacks
- May violate laws or regulations prohibiting ransom payments
- Signals vulnerability to attackers and invites repeat attacks
Ultimately, the decision depends on each organization’s unique situation, threat tolerance, and recovery capabilities. Consultation with law enforcement and cybersecurity experts is recommended. Most experts advise avoiding payment unless absolutely necessary.
How can you improve your ransomware resilience?
Organizations can take several steps to enhance ransomware resilience, including:
- Backups: Maintain regular backups stored offline and immutable to ransomware encryption.
- Incident response plan: Have an up-to-date plan with roles, responsibilities, and procedures.
- Network segmentation: Isolate and segment critical systems and data repositories.
- Access controls: Limit, monitor, and control access, especially to privileged accounts.
- Email security: Filter malicious attachments, links, and spam.
- Vulnerability management: Rapidly patch known software vulnerabilities.
- User training: Educate staff on cyber risks and attack vectors like phishing.
- Next-gen antivirus: Use advanced endpoint detection and response tools.
- Penetration testing: Test defenses by emulating realistic attacks.
Maintaining comprehensive and rigorous cybersecurity defenses makes organizations a harder target and improves the chances of preventing an attack outright.
Should ransomware attacks be reported to law enforcement?
Reporting ransomware attacks to law enforcement like the FBI or Secret Service is generally recommended. Law enforcement may be able to provide data recovery or decryption assistance and help track threat actors.
However, many victims choose not to report due to concerns over:
- Law enforcement discouraging ransom payments
- Loss of control over sensitive breach information
- Fear of regulatory fines, lawsuits, or reputational damage
- Lengthy investigations delaying recovery
Organizations should carefully weigh the potential benefits and risks of reporting based on their individual circumstances. Consulting a cybersecurity attorney is advised given the legal complexities.
At minimum, victims should report attacks to federal agencies like CISA or the FBI’s Internet Crime Complaint Center (IC3) to provide threat intelligence that improves defenses across sectors.
Should ransomware attacks be disclosed publicly?
Publicly disclosing ransomware attacks allows transparency for impacted customers and partners. However, it can also have major drawbacks:
Potential benefits of public disclosure:
- Notify affected parties who may have had data compromised
- Preserve trust and reputation by avoiding appearance of a cover-up
- Provide warning to other potential targets
- Deter future attacks by showing resolve against paying ransoms
Potential risks of public disclosure:
- Reputational damage from admitting a vulnerability
- Loss of competitive advantage and stock value
- Lawsuits, fines, or scrutiny over cybersecurity practices
- Alert threat actors who may attack again
- Violate promises of confidentiality to ransomware gangs
Companies should weigh obligations to customers against business risks and consult experienced cybersecurity legal counsel on disclosure decisions.
How can businesses continue operations during an attack?
Several best practices allow businesses to maintain critical operations during a ransomware attack:
- Isolate and shut down: Isolate infected systems and shut down spread pathways like shared networks.
- Standby systems: Shift to unaffected redundant or spare systems.
- Alternate sites: Move operations to alternate business sites or cloud infrastructure.
- Manual processing: Perform critical functions manually or with paper-based processes.
- Lean staffing: Pursue minimal staffing required for essential operations.
- Communicate: Keep staff, customers, partners, and stakeholders informed.
- Monitor: Watch for emerging impacts or interruptions.
- Tech workarounds: Find temporary technical solutions to access data.
The goal is maintaining workflows for vital services, even if in a degraded or limited state. Extensive business continuity planning is key to minimizing operational disruption.
Should you hire a ransomware negotiation firm?
Some major cyber insurance firms and specialty cybersecurity companies offer ransomware negotiation services. Potential benefits include:
- Experienced negotiation may lower ransom demands
- Technical analysis of malware improves situational awareness
- Services remain confidential
- Lowers risk of triggering data deletion
- Higher chance of obtaining decryption keys
- Guidance communicating with threat actors
Drawbacks may include high costs, questionable legality in some regions, and indirect support of criminal extortion.
The right choice depends on ransomware type, internal capability, recovery urgency, and legal risks. But consultation with skilled third parties often proves beneficial.
What cyber insurance policies help cover ransomware?
Several common cyber insurance products can help cover costs related to ransomware:
Cybersecurity / Privacy Liability: Covers costs for incident response, forensic investigation, legal consultations, notifications, credit monitoring if data is compromised, and some ransom payments.
Business Interruption: Covers income lost and extra expenses from suspended operations during recovery.
Contingent Business Interruption: Covers lost income and costs stemming from disruptions at critical suppliers.
Digital Asset Replacement: Covers costs to replace or recreate lost data or software.
Cyber Extortion: Covers costs involved in responding to extortion threats, including some ransom payments.
However, policies vary greatly in details and often exclude payments to sanctioned entities. Organizations should carefully assess risks, exclusions, and limits when selecting coverage.
What cybersecurity measures help prevent ransomware?
A multi-layered cybersecurity strategy is key to ransomware prevention. Top measures include:
Email security: Block dangerous attachments, links, and spam. Employee training on phishing.
Endpoint protection: Advanced antivirus, endpoint detection and response tools to block exploits and behaviors.
Patch management: Addressing software vulnerabilities quickly through patching and upgrades.
Access controls: Limiting and closely monitoring admin and user privileges. Multi-factor authentication.
Network segmentation: Isolate and segment systems with sensitive data. Block unnecessary communication paths.
Backups: Maintain regular backups stored offline and immutable to encryption. Frequent testing of restoration.
Vulnerability management: Regularly scan for holes and misconfigurations, prioritize remediation.
User awareness training: Educate staff on latest social engineering and cyberattack methods.
Incident response plan: Documented processes and procedures to detect, analyze, contain and recover from ransomware incidents.
Penetration testing: Ethical hacking exercises to test effectiveness of defenses against real-world attacks.
Combining trained personnel, technological safeguards, and tested processes provides defense-in-depth against ransomware.
Conclusion
Ransomware represents a severe threat to organizations, capable of crippling operations, damaging reputations, and inflicting major financial harm. Paying ransoms promotes criminal enterprises but may be unavoidable for recovery in some instances.
By implementing comprehensive cybersecurity measures, extensive backups, and incident response plans, organizations can reduce their ransomware risks and improve resilience. But no single solution is perfect against constantly evolving ransomware – a defense-in-depth approach across people, processes, and technology provides the best protection. With ever-elevating extortion demands, companies simply cannot afford to ignore ransomware preparedness.