At the beginning of 2020, we started to see a new trend that is now prevalent throughout the industry, where not only did cyber attackers encrypt your data, but they also stole that data and then threatened to post or leak it if the ransom wasn’t paid. So that really has driven up the ransom demand because from the victim’s perspective, you have to consider: “Well, we need to pay to get our data unlocked, or we pay to have that not leaked.”
That can be located via a unique identifier included in a digital ransom note. These sites have a chat feature, much like you’d see on any retail site if you had a question about a product. And that’s how you get the conversation going: you start a conversation within the chat that’s on their site. If the victim makes up their mind to pay the ransom, and the amount is negotiated, the payment is made via cryptocurrency. Bitcoin is the most popular choice, accounting for 98% of ransomware payments in the first quarter of 2019. That may change now that U.S. officials were able to seize $2.3 million in Bitcoin paid to hacker group Darkside following the Colonial Pipeline attack.
Once the payments have been made, the criminals send a decryption key. And the cycle goes on to repeat itself with another vulnerable business or infrastructure. Ransomware has grown into a multibillion-dollar industry. And surprisingly, a majority of the ransom paid is shared amongst a relatively small number of criminals. A recent study found that 199 deposit addresses received 80% of all the funds in 2020, and an even smaller group of 25 addresses accounted for nearly half.
The hacking syndicates behind these attacks are often highly organized, with self-given names like Evil Corp or Darkside. We all have to realize that the cybercrime ecosystem is a business. It is a large underground business. It has all the elements of a legitimate legal business. And so there are partnerships, and there are malware developers and distributors.
These groups have become increasingly bold, showing off bundles of cash and fancy sports cars. That’s because tracking, arresting, and bringing these hackers to justice is incredibly difficult. It’s notoriously difficult to attribute cyber attacks. It’s an ongoing challenge for governments. And so, from an organization’s perspective, whether it’s a criminal group or whether it’s a nation-backed group, it often has little consequence. So unless there’s cooperation at the political level there, we don’t see this going away anytime soon. Look how much money has been shelled out over the last five years, let alone the last two – it’s mind-blowing. So it’s a booming industry.
Ransomware attacks impact almost every sector of the American economy. Unfortunately, it’s become a bit of the sort of classic modus operandi for many hackers and criminals. And what you see also is that it’s pretty indiscriminate in terms of the industry sectors that it targets.
In 2020, professional services, public services, and manufacturing were the three industries that were hit the hardest, followed closely by healthcare, technology, and finance. In 2020, a ransomware attack may have also claimed its first life after taking a hospital offline in Germany. It has a real cost. There was a study done by Barron’s early in January that said that the estimated cost of ransomware in 2019 was about 11.5 billion. In 2020 it was 20 billion. It didn’t exactly double, but it got close enough to double. So there’s a real financial cost to businesses around ransomware.
Ransomware has also grown sophisticated enough to target government entities and critical infrastructure in recent years, resulting in costly shutdowns. It’s disturbing that there are people out there that would take down systems for things like health care, things like government, water for our city as well as many other cities. They have no concern or care for their fellow human. Disturbing.
In May of 2021, the city of Tulsa experienced several technical difficulties following a ransomware attack. You may try to open up Microsoft Word, for example, and it won’t open. Part of its system was actually encrypted. Or you may try to open up a document that you created, that document is encrypted, and so it can’t read it.
Besides the inconvenience, being a victim of ransomware can be a harrowing experience. Violated. They have gotten into our network and into places that we don’t know where they’ve gotten; we don’t know what systems they have touched. It is definitely a moment of realization that the things you thought you were protected from, the layers that you had in place, that they wrote around them; they customized their attack and wrote systems to infiltrate and destroy.
In order to stop the money flowing into the industry, the U.S. government has historically discouraged individuals and businesses from paying their hackers. In fact, according to the Department of Treasury, paying the ransom to criminals is illegal if the hackers demanding the ransom are subject to U.S. sanctions. But this leaves many businesses in a tricky situation.
If you’re an organization that’s been struck by ransomware, it’s a tough situation to be in. It’s not ideal to be paying these ransoms. These are criminal organizations, and of course, there is a whole effort, law enforcement at the government level, to stave off that activity, and clearly paying ransom fuels the industry.
Even if the business chooses not to pay the ransom, there is the cost of recovery to consider. The average cost of recovery from ransomware attacks ballooned to 1.85 million in 2021, more than doubling from the previous year. That makes the average cost of recovery ten times bigger than the size of the actual ransom payments.
We don’t know the total cost at this point because we’re in the middle of recovery. Would it cost more than the ransom? Quite potentially, yes. The shutdowns are incredibly costly because they’re labor-intensive. They require experts, of which often we don’t have enough. The challenge for us is that they encrypted partial systems. And so basically, we have to go through and check every single system and verify that A – it’s not damaged, B – it’s not got something on it from the actual attacker, and C – that it can still be used for production. It’s a long and arduous process to do that damage assessment. And the larger your network or application base is, the more disruptive it can be.
The 2021 Colonial Pipeline incident sent shockwaves across the oil industry and the U.S. government, alerting them to the severity of cybersecurity concerns. Shortly after, President Biden signed an executive order to strengthen U.S. cybersecurity defenses. With nearly half of the congressional districts across America hit by some sort of ransomware attack from 2013 to 2020, voices in support of more regulation are growing.
Federal law doesn’t directly address ransomware attacks. It’s instead covered under a broad umbrella of cybercrime laws like the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Congress has instead focused more on providing state and local governments with enough resources to fight against cyber attacks.
In 2018, President Trump established the Cybersecurity and Infrastructure Security Agency, or CISA, to improve cybersecurity across all levels of government. Meanwhile, House lawmakers rolled out a bill to invest 500 million in state and local cybersecurity in May 2021.
Some states like Michigan, California, and Wyoming have taken matters into their own hands, passing laws that make it illegal to even possess any sort of ransomware. But there’s still a lot of work that needs to be done, especially when it comes to critical infrastructure.
However the U.S. might prepare against future threats, one thing is for certain: the recent series of attacks on American businesses and the government isn’t the end, but the start of many future ransomware attacks to come. We have to be prepared that it will happen again. We’ve dealt with smaller incidents of ransomware where a single person’s files were affected, and we just restored from backup and moved on. But we think the reality is right now, and it’s something we have to be prepared for at any time. The amount of impact it’s going to continue to have will grow, and we think the amount of money to be made will continue to grow.