In 2019, experts predicted that a business would fall prey to ransomware every 14 seconds, and that by 2021 the interval would shrink to 11 seconds, with global ransomware damage costs escalating to as much as $20 billion.
The good news is that technology is advancing at a rapid pace and systems are becoming more sophisticated. The bad news is that ransomware attacks are too. As the underlying technology grows more complex, we face new cybersecurity challenges that demand more time and skill both to prevent and to remediate.
The Goosebumps-inducing Ransomware Attacks of 2019
The ransomware landscape remained lively throughout 2019 as hackers continued to see value in targeting public bodies, governments, and enterprises.
Multinational manufacturers, as well as U.S. city and county governments, spent at least $176 million in 2019 on costs related to ransomware attacks. This includes the cost of investigating an attack, restoring backups, rebuilding networks, paying the ransom, and putting preventive measures in place to avoid similar incidents in the future.
Let’s review the top ransomware attacks that plagued enterprises and governments last year:
- Texas towns coordinated attack – A coordinated ransomware attack hit 22 towns in Texas on August 16, using the REvil (Sodinokibi) ransomware. The municipalities were locked out of their IT systems after the attackers compromised the software of a third-party service provider that remotely managed their IT infrastructure. The attackers demanded a ransom of $2.5 million, but nobody paid (“Don’t Mess with Texas”); the towns moved from assessment to recovery, incurring at least $12 million in costs across county governments, educational institutions, cities, and towns.
- Baltimore ransomware attack – Several critical functions of the city of Baltimore were encrypted on May 7 when its computer systems were hit by a ransomware strain known as RobbinHood. The damage spread to online payment services for water bills, city employees’ email and voicemail systems, property taxes and traffic citations, real estate transactions, and more. The attackers demanded a ransom of $76,000 in exchange for the decryption key. The city refused and restored its data and systems on its own, incurring $18.2 million in recovery efforts, forensic analysis, detection, new hardware and software, and new system deployments.
- Norsk Hydro ransomware attack – The Norway-based aluminum producer suffered a large ransomware attack in March, with complex side effects (production disruptions and more) that lasted into the summer. Recovery and mitigation costs were estimated at between $60 and $71 million. The attackers used LockerGoga, the same ransomware deployed against other major business targets such as Altran in late January.
- Demant ransomware attack – The Danish hearing aid manufacturer Demant faced an incident that forced the company to shut down its internal IT infrastructure, as the impact spanned from the company’s Polish production and distribution facilities to its Mexican production sites and its ERP system. Recovery and mitigation costs amounted to a staggering $80 million or more.
According to Statista, spam and phishing emails are a leading cause of ransomware infections, followed by a lack of cybersecurity training and weak passwords or access management.
At TEHTRIS, we recorded a parallel increase in attackers exploiting remotely reachable security vulnerabilities to gain illegal access to targets without any human interaction, beyond phishing operations, and then converting that access into a ransomware deployment (within days to weeks, depending on the attackers’ situation); see our related blog entry.
Moreover, some of these attackers are now compounding the damage with data theft, so that they can publish the stolen data on the Internet if the victim refuses to pay.
2019 saw both spray-and-pray attacks as well as targeted ransomware attacks.
What are targeted ransomware attacks and why they're growing
As cybersecurity science matures, with deep learning, synchronized automatic protections, and other advances, it is steadily becoming capable of disrupting the commodity ‘spray and pray’ business of malware infections.
This is pushing cybercriminals toward targeted ransomware attacks that rake in millions of dollars. Targeted ransomware is the hard part for cybercriminals: a targeted intrusion cannot simply be bought on the dark web. Attackers need to get their hands on the keyboard and do some of the work themselves. They can sometimes reuse components available through Ransomware as a Service, but the model shifts from an automated, blind attack to fine jewelry crafted with manual actions in order to make bigger ransom demands.
Instead of relying on automation and generic ransomware programs, highly skilled attackers now research government bodies and enterprises, select targets, break into their machines, escalate privileges, disable poorly protected security tools, prepare to encrypt or safely delete backups, and wait for the right moment to launch a massive internal ransomware infection through lateral movement.
Because these criminals invest so much time and effort in the process, they reap high rewards and demand hefty ransoms. Successful targeted attacks bring massive paydays (often $50,000 or more per attack, and the cases above show demands in the millions), so these threats are here to stay!
Why cyber insurance is becoming one of the possible ways for businesses to keep their money and reputation intact
It is nearly impossible for an organization to keep itself off a targeted attacker’s list, short of disconnecting from the Internet entirely, and even that is no guarantee.
But, there are a few things organizations can do to mitigate the risk:
- Harden (for real) and check all your operating systems – For example, antivirus (EPP) helps against known threats, but you should back up this first line of defense with Endpoint Detection and Response (EDR), configured so that it can actually stop ransomware and hands-on-keyboard attackers.
- Harden and check your infrastructure – For example, protect it against remote threats (anti-phishing, firewalls, application security), but also against insiders, because you do not want ransomware spreading through global lateral movement (enhanced internal filtering policies, patched vulnerabilities, the principle of least privilege applied everywhere, honeypot services).
- Restrict and control access to all services, remote and internal – For example, allow VPN or RDP only from known IP addresses, require multi-factor authentication, and monitor the related network activity.
- Know who did what and when – For example, a SIEM with the right correlation rules lets you follow unwanted access and some lateral movement during the preparation phase, when attackers obtain their first footholds and try to figure out how far they can dig into your networks.
- Create a jump bag with hard copies and archived soft copies of critical administrative information (or of almost everything, if possible) that attackers cannot destroy remotely.
- Get cyber insured.
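The two detection items in the list above (RDP only from known addresses, and following lateral movement in a SIEM), as an added example that is not part of the original post and not TEHTRIS code: two correlation rules in Python run over constructed Windows Security logon events (event ID 4624) written in a key=value form. The log lines, the allowlisted RDP source network 10.0.100.0/24, and the fan-out threshold (four distinct hosts within ten minutes) are assumptions for illustration, not values the post gives.

```python
"""Two SIEM-style correlation rules over Windows logon events.

Added example, not TEHTRIS code. The events, the RDP allowlist and the
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real data). One line per Windows Security event.
# LogonType 3 = network logon (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP).
# The 4625 line is a failed logon and is ignored by the parser below.
SAMPLE_LOG = """\
2019-08-16T01:55:00 EventID=4624 TargetUserName=jdoe IpAddress=10.0.100.12 Computer=WS-JDOE LogonType=10
2019-08-16T01:58:30 EventID=4624 TargetUserName=jdoe IpAddress=10.0.7.41 Computer=FS01 LogonType=3
2019-08-16T02:01:05 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=FS01 LogonType=3
2019-08-16T02:01:40 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=FS02 LogonType=3
2019-08-16T02:02:10 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=DC01 LogonType=3
2019-08-16T02:02:55 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=APP01 LogonType=3
2019-08-16T02:03:20 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=APP02 LogonType=3
2019-08-16T02:05:00 EventID=4624 TargetUserName=jdoe IpAddress=10.0.7.41 Computer=PRINT01 LogonType=3
2019-08-16T02:09:12 EventID=4624 TargetUserName=admin IpAddress=203.0.113.45 Computer=JUMP01 LogonType=10
2019-08-16T02:11:00 EventID=4625 TargetUserName=admin IpAddress=203.0.113.45 Computer=JUMP01 LogonType=10
"""

# Hypothetical allowlist: the only network from which RDP sessions are expected.
RDP_ALLOWED = [ipaddress.ip_network("10.0.100.0/24")]


def parse_log(text):
    """Parse key=value logon lines into dicts, keeping only successful logons (4624)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") != "4624":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": kv["TargetUserName"],
            "src_ip": kv["IpAddress"],
            "host": kv["Computer"],
            "logon_type": int(kv["LogonType"]),
        })
    return events


def detect_rdp_from_unknown(events, allowed=RDP_ALLOWED):
    """Rule 1: any RDP logon whose source address is outside the allowlist."""
    alerts = []
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in allowed):
            alerts.append({"rule": "rdp_from_unknown_source", "user": ev["user"],
                           "src_ip": ev["src_ip"], "host": ev["host"], "time": ev["time"]})
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Rule 2: one account opening network logons to >= min_hosts distinct hosts within window.

    Emits one alert per account, at the moment the threshold is first crossed;
    a production SIEM would re-arm the rule once the window slides past.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] == 3:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            recent = [e for e in evs[:i + 1] if ev["time"] - e["time"] <= window]
            hosts = sorted({e["host"] for e in recent})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement_fanout", "user": user,
                               "hosts": hosts, "first": recent[0]["time"], "last": ev["time"]})
                break
    return alerts


def run_rules(text):
    """Parse a log and return every alert raised by both rules."""
    events = parse_log(text)
    return detect_rdp_from_unknown(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the sample, rule 1 fires once for the `admin` RDP session from 203.0.113.45 and rule 2 fires once for `svc_backup` fanning out to FS01, FS02, DC01 and APP01 within two minutes; the ordinary user `jdoe` touches only two hosts and logs in over RDP from the allowlisted network, so it stays quiet. The thresholds are the tuning knobs: backup and monitoring accounts legitimately touch many hosts, so in practice they need either a higher threshold or an exclusion, which is exactly the kind of correlation rule work the item above refers to.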
Cyber insurance is a potentially massive yet untapped opportunity for insurers and reinsurers. According to PwC, annual gross written premiums are set to grow from $2.5 billion today to $7.5 billion by the end of 2020.
Companies can no longer afford to remain on the sidelines of cyber insurance. Cybercrimes are getting costlier, harder to detect, and increasingly difficult to combat.
As businesses prepare to address cyber risks, the cyber insurance market could grow to a whopping $20 billion by 2025. According to a recent survey, 47 percent of respondents now have cyber insurance, up from only 35 percent in 2017.
The volatile and dynamic cybercrime market is prompting companies to look out for ways to reduce the risk to their business. So much so that 71 percent of insurance CEOs and 61 percent of business leaders see cyber-attacks as a potential threat to growth, ranking it before consumer behavior shifts and speed of technological change.
We have also recently recorded a few cases where insurers decided to pay the ransom so that the victims could get their data back. This means an indirect business is being organized between cybercriminals and their targets, allowing attackers to reinject this dark money into their illegal innovations to … strike again. Harder, Better, Faster, Stronger.
As the trend grows and cyberattacks such as ransomware invasions become both more frequent and severe, companies will look for cyber insurance products to mitigate the financial impact of such threats.
2020 Predictions for ransomware attacks
The implications of these trends for security professionals and enterprises are clear. It is time to move from a strictly defensive posture on ransomware to a more proactive strategy: organizations need to find and fix the vulnerabilities that ransomware operators exploit, and should definitely add a real layer of efficient detection and response.
As big as the ransomware landscape was in 2019, we don’t expect it to abate this new year. Extortion through ransomware is profitable for cybercriminals and they will keep on doing it.
In 2020, adversaries are likely to target traditional, weaker environments that lack backup and restore procedures. Organizations will keep falling victim to targeted attacks for as long as victims agree to pay.
If you are looking for a reliable cybersecurity firm to assist you in preparing for these threats, let’s get in touch!