A new form of terrorism is now spreading like wildfire, inflicting significant damage on individuals and institutions. However, it does not attract the same attention as other forms of terrorism. It is ransomware: a cyber attack that blackmails users into paying money. Attackers used to use ransomware to blackmail individuals, whereas now it is used to blackmail corporations.
In recent years, ransomware attacks have inflicted greater damage on organizations, leaving many crippled and important information inaccessible. Institutions across all sectors have fallen victim to such blackmail. However, instead of finding appropriate technical solutions, some paid the ransoms demanded by criminal groups to recover their services.
Scale and Implications of the Problem
In June 2013, the cybersecurity services company McAfee Corp. released data showing more than a quarter of a million ransomware attacks in the first quarter of the same year, which is more than double the number of attacks recorded in the first quarter of the previous year. 181.5 million ransomware attacks were recorded in the first 6 months of 2018, an increase of 229% over the first 6 months of 2017.
The industrial sector alone fell victim to 20% of the ransomware attacks, followed by the retail sector, transport, health, finance, law and justice, as well as education and governance. A report, The State of Ransomware 2020, issued by cybersecurity company Sophos, reveals that 51% of organizations were hit by ransomware in 2019; the global average remediation cost of the impacts of one ransomware attack is $761,106; remediation costs of ransomware reached more than $400 million in 2020 and exceeded $81 million in the first quarter of 2021.
Ransomware damage costs are doubling in a geometric progression (1, 2, 4, 8, 16, etc.). According to a Cybersecurity Ventures report issued in 2017, global ransomware damage costs reached $5 billion in 2017, up more than 50X from 2015.
Ransomware damage costs include data destruction or loss, work suspension, poor production, hindered course of action, criminal investigations, data restoration, reputation damage, training personnel on how to directly manage ransomware attacks, as well as ransom payments.
Cybersecurity company Kaspersky Lab reported that in 2017 ransomware hit businesses every 40 seconds, up from an average of every two minutes in early 2016. Similarly, Cybersecurity Ventures reported that businesses fell victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds in 2021. This does not include the constant ransomware attacks on individuals, which exceed those on businesses. The FBI's Internet Crime Complaint Center (IC3) estimated ransomware losses in the USA at $29.1 million in 2020.
Those losses are limited to ransom payments and do not include the costs of other cyberattacks. The real costs are definitely many times more than the stated number, given that cybercrime reports only record reported crimes.
Despite the success achieved by law-enforcement institutions in dismantling many ransomware gangs, this malware has proven to be a Hydra-like monster: for every head chopped off, more regrow. A Cybersecurity Ventures report predicted that ransomware damage costs would reach an annual $265 billion by 2031.
Companies that have reported ransomware attacks make up 61% of the total number of companies. These attacks resulted in work suspension for six days, and damage costs increased from $761 thousand per attack in 2019 to $1.85 million in 2021.
According to a VentureBeat survey, ransomware attacks increased by 250% in the first half of 2021 alone. Such constant threats prompted two thirds of decision-makers to announce that counter-ransomware should be accorded the same priority as counter-terrorism. It should be noted that one out of every 10 companies hit by ransomware in 2020 succumbed to ransom payment.
Unfortunate Cases of Ransomware Attacks
In early 2012, the infamous REVETON ransomware was active across several European countries. This malware uses cybersecurity police logos, claiming that the infected PC had been used for illegal activity, and thus the victim is instructed to pay a fine using a prepaid voucher card. By August 2012, a new REVETON version spread across the US, demanding $200 fines to be paid to the FBI office.
In May 2017, the world witnessed the biggest piracy wave, generated by the WannaCrypt ransomware, which hit more than 150 countries and claimed 200 thousand victims. Russia was among the most affected states, while the UK had to cancel a number of surgeries after ransomware attacks on some hospitals. This malware also hit 70% of the PCs of the Spanish communications company. In addition, the National Cybersecurity Authority (NCA) of the KSA Ministry of Interior announced that nearly 2000 PCs had been hit in KSA.
On December 31, 2019, a cybergang used REVIL-SODINOKIBI ransomware to hit Travelex, a British exchange company headquartered in London. The gang crippled its network, stole an estimated five gigabytes of its documents, and demanded a ransom in exchange for restoring the company’s systems and preventing data leaks online. Travelex paid a ransom of $2.3 million worth of bitcoin to recover the company’s systems. This attack cost the company more than $33 million, and it declared bankruptcy in August 2020, blaming the ransomware attacks and the COVID-19 pandemic.
In March 2020, Communications & Power Industries (CPI), a huge electronics company in California that manufactures military equipment and hardware components for the US Department of Defense, was hit by ransomware. CPI was reported to have paid a $500 thousand ransom to the attackers to restore its data. The following month, ENERGIAS DE PORTUGAL (EDP), an energy powerhouse in Portugal, fell victim to a Ragnar Locker ransomware attack that encrypted the company systems. The attackers demanded a $10 million ransom.
In June 2020, the well-known Honda Motor Company was hit by Snake ransomware, also known as EKANS, which targeted its headquarters in the USA, Europe, and Japan. Once the attack was detected, Honda shut down production in many locations. The following month, Garmin, a sports and fitness technology company, fell victim to ransomware. The company announced on July 27 that the five-day service suspension starting on July 23 was due to a ransomware attack. Even though Garmin managed to recover its services, its stock price fell by 10%. That July, the French telecom company Orange, the fourth-largest mobile operator in Europe, was also hit by NEFILIM ransomware. The NEFILIM ransomware actors behind the attack added Orange to the NEFILIM dark website that detailed corporate leaks in a 339MB archive.
The following August, the University of Utah was revealed to have paid a ransomware gang $457 thousand in order to avoid having hackers leak student information. In May 2021, Colonial Pipeline, which operates the largest petroleum pipeline in the US, completely shut down its systems following a ransomware attack. According to the Colonial Pipeline CEO’s testimony in front of the Senate Homeland Security and Governmental Affairs Committee, the company, which carries 2.5 million barrels a day of gasoline and other fuels across the 8850 km pipeline route, paid a $5 million ransom to hackers.
One Ransom to Another
Payment of ransom is often the last resort for ransomware victims. However, it enables the cycle of ransomware to continue. The most critical problem lies in the fact that paying a ransom to get a decryption tool and recover services directly funds criminal cyberactivity. Paying any ransom creates more incentives, not only for the current ransomware operators but also for future ones, to the point that the ransomware industry has become a booming business that yields more than $100 million annually to infamous criminal groups.
Payment of ransom can be the only applicable option for some companies to keep going. However, frequent ransomware payments and the growing number of organizations that pay ransoms make the idea per se more acceptable. Many companies find ransom payments much less costly than potential damage costs. Consequently, the number of intermediary companies that help victims to negotiate ransoms, payments, and technical recovery, has been on the rise. However, that is probably what increases the ransom amount.
Some companies countering ransomware resort to cyber insurance covering ransomware. However, some studies showed that such a step leads them to overlook their cybersecurity posture. In addition, organizations that believe cyber insurance would solve the issue and make up for their losses are less likely to invest in risk prevention.
Ransomware operators learn from their own successes and failures and constantly develop innovative toolkits. Every news headline that reports a successful ransomware attack and a ransom paid by the victim, who probably had no other choice, feeds into the ransomware market and takes it to a whole new phase. Ransomware attacks used to occur without stealing data, but they now adopt the double extortion practice (encrypting and stealing data), spurred by the successes and increased ransom payments.
The COVID-19 pandemic coupled with remote work has increased ransomware operators’ opportunities to access target organizations. All these facts made ransomware a fully-integrated market—there are gangs that hack, companies that provide services to ransomware victims, and institutions that pay money to address the impacts of such criminal activity.