Ransomware Impacts Grow in Winter 2019
by Benjamin Campbell
Organizations face a number of threats that can render their systems inoperable and impact revenue. A power outage or wildfire can force a company to implement its disaster recovery plan in order to ensure business continuity and minimize downtime until normal services can be brought back online.
However, in the modern world, organizations also face a range of manmade disasters. An organization can be the victim of a Distributed Denial of Service (DDoS) attack or targeted by ransomware, which can be just as damaging as a natural disaster.
In Q4 2019, the threat and impacts of ransomware attacks grew significantly compared to the previous quarter. Cybercriminals are becoming bolder with their attacks, and their victims are paying the price. For some, the cost of a ransomware attack can be enough to drive them out of business completely.
The Evolution of Ransomware
Ransomware was not always the biggest threat to an organization’s ability to operate. While ransomware was invented over a decade ago, it was relatively unheard of before 2017. In that year, WannaCry made ransomware a global phenomenon, and the NotPetya wiper (masquerading as ransomware) cemented it in the public consciousness as one of the most damaging malware threats in existence.
The WannaCry and NotPetya attacks used EternalBlue, an exploit developed by the National Security Agency (NSA) and leaked by the Shadow Brokers, which took advantage of a vulnerability in the SMB protocol in Windows computers. The wide usage of Windows and the fact that many organizations had failed to patch this vulnerability prior to the attacks enabled the malware to spread widely. This large base of potential victims allowed the ransomware operators to demand a relatively small ransom from each of their targets, focusing on quantity rather than quality of ransoms to create a worthwhile payoff.
In recent years, while widespread ransomware epidemics like WannaCry have trailed off, the threat of ransomware is still very real to organizations. Instead of ransomware worms taking advantage of widely unpatched vulnerabilities (which don’t come around every day), the modern ransomware operator uses a spear phishing email to deliver their malware to a vulnerable organization.
With these targeted attacks, ransomware variants like Ryuk and Sodinokibi are able to demand massive ransoms from their victims. For public sector organizations, like hospitals and cities, who have no recovery plan in place, there may be no choice but to pay up. For large enterprises, which are commonly targeted by these variants, the costs of downtime and lost productivity can outweigh even a massive ransom demand.
The Impacts of Ransomware are Growing
A ransomware attack can have a number of negative impacts upon a victim. At a minimum, the organization faces significant downtime as they attempt to recover data from the attack. In many cases, this data cannot be fully recovered. Organizations often face financial losses due to an attack, whether from paying a ransom or recovering data and systems on their own.
These impacts grew in the final quarter of 2019, compared to the previous quarter. In Q4 2019, the average ransom payment reached $84,116, more than double the average payout from the previous quarter. This rise in average ransom is likely driven by an increase in specialized ransomware attacks, where variants like Ryuk and Sodinokibi target large enterprises and ask as much as $780,000 for the key needed to decrypt an organization’s data.
However, paying a ransom provides no guarantee that an organization will recover all or any of their data. In 98% of cases, a ransom payment netted an organization a decryption key, and these keys allowed them to decrypt 97% of data. However, this also means that an organization can expect to lose 5% of their data when paying a ransom.
In many cases, the cause of this lost data is the fact that these large organizations are infected by the Ryuk ransomware. This ransomware’s decryptor included a programming error, which dropped the last byte of the file while decrypting. As a result, any files where this last byte is essential (and several such file types exist) are lost forever, even with a ransom payment.
Finally, organizations also experienced increased downtime due to an attack. Compared to the average 12.1 days of downtime for a ransomware attack in Q3 2019, the 16.2 day average in Q4 represents a significant jump of 33%. For many companies, the cost of lost revenue during this downtime can exceed the cost of the ransom payment.
Protecting Against Ransomware Attacks
A ransomware attack can have a devastating impact on an organization, even if they choose to pay the ransom in the interests of restoring operations more rapidly. For those who choose not to pay, the road to recovery is often much longer, and ransomware authors are actively working to dissuade organizations from taking this path.
With the high costs of a ransomware attack, it is essential that an organization deploys defenses to prevent or detect a ransomware outbreak as early as possible. Since many ransomware variants are spread through spear phishing attacks, employee training and email scanning are essential defensive mechanisms.
If these preventative measures fail, an organization needs to be able to detect and terminate a ransomware infection on its systems. Using behavioral analysis, anti-ransomware solutions can identify ransomware based upon its unusual behavior (opening and encrypting many files) and kill the programs to minimize damage.
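The behavioral signal described above can be sketched as a sliding-window check over file-write telemetry. This is an added example, not code from the article or from any anti-ransomware product; the event tuple layout, the thresholds, the process IDs and the sample data are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding-window length
FILE_THRESHOLD = 20      # assumed: distinct files rewritten inside the window
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted output approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: (timestamp, pid, path, written_bytes) tuples in time order.
    Returns {pid: timestamp at which the process crossed the threshold}."""
    recent = defaultdict(deque)   # pid -> recent high-entropy writes
    flagged = {}
    for ts, pid, path, data in events:
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue              # plain text and documents stay below the bar
        window = recent[pid]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # forget writes older than the window
        if pid not in flagged and len({p for _, p in window}) >= FILE_THRESHOLD:
            flagged[pid] = ts     # caller would suspend or kill this process
    return flagged

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted data: chained SHA-256 output."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))

def sample_events():
    """Constructed telemetry: an editor, an archiver, and a mass encryptor."""
    text = b"Quarterly revenue report, draft three. " * 100
    events = [(i * 1.0, 1001, f"/docs/note{i}.txt", text) for i in range(30)]
    events += [(i * 3.0, 2002, f"/backup/part{i}.zip", fake_ciphertext(f"zip{i}"))
               for i in range(3)]
    events += [(i * 0.25, 4242, f"/share/file{i}.docx", fake_ciphertext(f"enc{i}"))
               for i in range(25)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect(sample_events()))
```

Requiring both high entropy and many distinct files keeps the archiver (high entropy, few files) and the editor (many files, low entropy) below the threshold, while the process rewriting a share is flagged on its twentieth file.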