The multi-billion-dollar cost of ransomware

2019 was a big year for ransomware, with research from the cybersecurity firm Emisoft revealing that it cost over $7.5 billion in the United States alone. Attacks were found to affect a huge range of organizations, from schools to healthcare providers.

“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better,” the company says.

It’s a problem that a report published last year suggests that ransomware affected around 30% of federal agencies over the past three years. For instance, the city of Baltimore was struck down by a variant of the RobinHood style attack, with city officials following FBI guidance and not paying the $76,000 ransom the attackers demanded. The attack eventually cost many millions, with an estimated $10 million spent on data recovery and $8 million due to the unavailability of key services for the duration of the attack.

To pay or not to pay?

The FBI’s guidance is based upon three core reasons:

1. No guaranteed results - the decision to pay often rests upon the assumption that once the ransom is paid, the decryption key will automatically be handed over, but the FBI cite various examples of this not happening, and suggest trusting criminals is perhaps a foolhardy endeavor.
2. Multiple attacks - the payment of the ransom also assumes that attackers will limit their assault to a solitary attack. The FBI believes that if an attacker has found both a vulnerable target, and one that appears willing to pay a ransom, then the chances of multiple attacks increase. What’s more, subsequent attacks are likely to demand ever higher ransoms, with suggestions that demands could grow up to 12 fold.
3. Don’t encourage the business - last, but not least, they believe that by paying the ransom, agencies are liable to encourage the ransomware business model, and therefore put other agencies at risk.

All of which represents something of a problem, as a state audit for Mississippi in 2019 found that the government was doing a very poor job in terms of cybersecurity, which was reinforced by researchers from the University of Maryland, who believe that the problem is common across local governments. It’s perhaps no surprise that a report from the National Governors Association found that the majority of ransomware attacks were conducted on local government agencies.

So what should agencies do to better protect themselves from ransomware attacks? Responses revolve around both reducing vulnerabilities to attack in the first place, and then being able to recover as quickly as possible (without the encryption key the attackers are holding to ransom) to, therefore, minimize the damage.

Educating staff

Data from Netwrix suggests that government agencies are at least appreciating the importance of better cybersecurity, with 59% of the government organizations they surveyed regarding cybersecurity awareness among staff as a priority. This is likely to manifest itself in a big boost to training for cybersecurity awareness so that staff are better able to spot the signs of ransomware, and then respond appropriately.

Given that some ransomware attacks, such as the Sodinokibi attack on a number of cities across Texas last year, don’t require any kind of human action at all, it could be argued that the most important steps are in trying to mitigate the effect of an attack rather than trying to prevent them entirely.

If agencies can develop a robust plan to respond quickly and thoroughly to any attacks, and therefore limit their damage, it can take the wind out of the sails of attackers. Being able to detect attacks quickly, respond in kind, and then recover data effectively are key.

This can be done by having a robust and up to date inventory of the data held by your agency, and who currently has access to it so that any risk of data being lost is minimized. Ransomware often depends upon compromising an individual who has certain access rights, so enforcement of access privileges is key.

Agencies can then bolster their detection systems by monitoring user behaviour across all of their key systems and databases, regardless of whether these are on-site or in the cloud. There should be constant screening for unusual behavior, which can be an early sign of an attack in progress.

The agency can then work to bolster their data recovery capabilities through having a better understanding of precisely what files or information was modified by the attackers. If all of these three steps can be ‘war-gamed’ on a regular basis, staff will be well prepared for the ransomware attacks that are likely to hit them at some point. This process also allows staff and agencies to keep on top of the constant changes in the cybersecurity world, and the different methods of attack hackers are likely to use.

No organization wants to find themselves the victim of a ransomware attack, but if agencies assume that they will be at some point, then it puts them on a better mental footing to better plan and coordinate a response.