Ransomware is a well-known issue at this point.
It continues to make headlines, from Egregor to Doppelpaymer to Ryuk. Over the last year, ransomware groups have benefited from pandemic-fueled phishing scams, a lack of visibility around remote endpoints, and lax attitudes. Worse still, ransomware is no longer selective. It has a stranglehold on small towns and local offices, video game developers, and, shamelessly, healthcare institutions and school systems that have already been brought to the breaking point by the COVID-19 pandemic.
Over the next two to three years, the danger could become much more widespread, not because ransomware is successful in and of itself, but because other players in the game – insurance firms, insurers, and even lawyers – continue to fan the flames.
Unfortunately, many victims are baffled as to why this is so.
To comprehend the world of ransomware, it’s helpful to think of it as a business: To facilitate their business model, attackers use malware and demand a ransom. Once established, these operations – usually cottage industries – can be updated and adjusted to meet their needs.
When it comes down to it, ransomware’s aim is to be compensated, just like every other business. The business model enters the picture at this stage.
The vendors, who are typically cybercriminals selling ransomware-as-a-service (RaaS) solutions, have shown a proclivity for expanding their market. Being a ransomware operator is more about being an entrepreneur than it is about having technological skills.
According to recent estimates, ransomware gangs will raise at least $350 million in 2020, up 311 percent from the previous year. Ryuk, which has been around for a long time, has managed to remain stable by focusing on businesses that can afford to pay. How high is it? According to estimates, the total ransom demand for the fourth quarter of last year was about $154,000, up from $111,000 six months prior. According to reports from January, the Ryuk gang has already made over $150 million in payments in the hundreds of thousands of dollars.
As the figures show, victims pay a high price – not just for the ransom, but also for the downtime their companies suffer, the negative coverage, and regulatory penalties. As we’ve seen, depending on the situation, these costs will skyrocket. In 2017, the NotPetya ransomware cost shipping giant Maersk over $200 million. Forward Air, a trucking firm, said earlier this year that a recent cyberattack cost it $7.5 million, and CWT, a travel management company, said it charged hackers $4.5 million last summer after a ransomware attack.
Affected organisations are also responsible for paying incident management companies. If a new strain of ransomware is used, incident management consultants will be able to figure out how the attacker gained access to the victim’s infrastructure. When a ransomware attack occurs, computer forensics firms are called in to solve the problem and try to decrypt or restore files.
There’s even the ransomware broker to consider. Not every company that has been struck by ransomware is acquainted with an attacker’s fiduciary requests, such as how cryptocurrency like Bitcoin functions. This specific service provider may be contracted by companies or their legal counsel to negotiate a lower ransom or to manage the ransom payment process.
Insurance companies have emphasised the cyclical aspect of ransomware in recent years. Traditionally, cyber insurance companies have covered damages suffered as a result of a ransomware infection, including disruption to business operations. Depending on the circumstances, some insurers recommend paying a ransom when restoring operations quickly will save money. Although this enables victim organisations to acquire a decryption key more easily and stop the bleeding, it does not resolve the underlying issue.
The city of New Orleans was forced to spend more than $7 million in financial damage as a result of the 2019 ransomware attack, which exceeded the city’s $3 million cyber insurance policy. As a result, the city expanded its insurance policy to $10 million. While it will provide peace of mind to the city, it also means a bigger paycheck for the insurance company and a bigger payday for cyber criminals in the future.
Another player in the ransomware economy, legal counsel, has a part to play as well. The legal advisor, who is hired to act as a “go-between” to handle the partnership with the broker and insurance company, will determine what companies should pay and whether notifying parties involved – staff, investors, and regulators – is appropriate.
Also, threat actors – the actual writers of ransomware – are taking new and fascinating steps to ensure their malware gets out there and, more importantly, that they get their fair share at the top of the food chain. Attackers have recently threatened top managers and executives with direct access to confidential data with the Clop ransomware. Others are going after senior executives with bank accounts and the ability to approve payments.
Ransomware will continue to thrive as long as these increasingly splintered companies from both sides of the law – authors, creators, brokers, legal aid, and insurers – make a profit. Except for the perpetrator, it’s a win-win scenario.