Why do some companies keep ransomware attacks secret?


The average ransom amount now is more than $1 million. Meanwhile, a lot of businesses decide to remain silent about the times they were attacked. At the same time, new technologies emerge to protect companies from cyberattacks.

“The pandemic has shifted many things online. And it increased the attack surface for hackers,” Maya Levine, technical marketing engineer at Check Point Software Technologies, recently told CyberNews.

In Q3 2020, Check Point Research saw a 50% increase in the daily average of ransomware attacks, compared to the first half of the year. 

We sat down with Maya Levine to discuss the latest trends in ransomware, and what to expect in the near future.

The impact of ransomware on businesses has grown exponentially. Does that mean that companies are not adequately prepared for ransomware attacks, and that they are not resilient?

Cybersecurity is a cat and mouse game. It’s not like I purchase this one product and I’m good for the rest of my life in protecting against hackers because they are constantly evolving. We come up with technology to protect ourselves against their attacks, and they develop new attacks, and it goes on and on. And part of the issue is that a lot of companies are behind in the kind of technology that they have but also it’s a lack of education in employees. With most successful ransomware attacks, and pretty much any cyberattacks, there’s a social engineering aspect to it. There’s the aspect where you have to trick a person to get in the environment or into the system. Humans make mistakes a lot more often than computers. Because of that, hackers will try to impersonate online shoppers, try to impersonate whatever to get you to click on something that is actually malicious.

The fact that a lot of people work from home, and might have some vulnerable devices, certainly doesn’t help?

The perimeter that people used to protect - you come into the office and everything is done in the office - that’s no longer the case. And so people need to be creative and get different solutions to match employees now working from home. Technology that employees have at home might not be as secure as the technologies that they had inside of the office.


Would you say that cybercriminals this year became more sophisticated? We saw the deployment of the double-extortion technique, and so it means that they are really innovating constantly.

Unfortunately, year after year they only get more creative, and more innovative. And the attacks get harder to detect. That’s why it is important to have advanced protection in enterprise networks but also, and specifically when it comes to ransomware, you should plan for a worst case scenario, you should have data back-ups that you are taking continuously, so that if worst case actually happens and you are a victim of a ransomware attack, you don’t actually have to pay the ransom because you have all that data that they locked you out of. You can’t operate under the assumption that you will never be attacked. I think it’s much smarter to operate under the opposite assumption, hope that you never will but prepare for an attack.

But just backing up your data can’t be enough as criminals now download your data before actually encrypting it.

That’s part of those double extortion schemes that we have seen with ransomware this year. And it’s taking it to a whole new level because previously it was just that I need access to my data, and now it’s that I can get fined by GDPR or other regulations if you release my data. Unfortunately, nowadays organizations can also get fined for paying an attacker for a ransomware attack because government agencies don’t want to encourage attackers to do this. Companies can find themselves in a really sticky situation. Obviously, the best thing to do is to invest in the right technology, and to have these preventative technologies in your system to catch these kinds of attacks. I just think that it’s hard to tell everybody that you need to have the best of the technologies. Certain sectors like education, even hospitals sometimes don’t have the funding for it. That’s why I say develop a contingency plan, have an idea of what’s going to happen if the worst-case scenario occurs.

ZDNet just revealed that the average ransom that companies pay the attackers is 1 million dollars. Do you have any insights on how often businesses decide to pay the ransom?

Part of the reason why companies pay this ransom is to keep it a secret that they were attacked in the first place. It’s in their incentive because of stock prices, general confidence in the company name to make it disappear, to make it seem like they never were attacked. So in some cases it is actually just better for them to pay it and not have that information out there. It means that we don’t have a great idea of how many companies actually have paid out for ransomware. We have estimates, and we have guesses, but we don’t know how many paid under the table, and we never heard of it. 

How often are cybercriminals not after the money, but corporate or any other type of intelligence? For example, researchers just traced Pay2Key ransomware to Iran, and it was used to attack Israeli companies? These kinds of attacks don’t seem like a coincidence.

I would say that most attackers out there are probably after money. You have information that you can get and still make money out of it, such as health records and social security numbers by selling it on the dark web. So a lot of attackers are stealing information so that they can then make a profit off it. State-sponsored attackers are definitely a real issue, they definitely exist. Obviously, we have no idea how many there are in numbers, because countries try to keep it secret. Usually, when we see an attacker not go after money, it’s because they are state-sponsored and they are trying to get intelligence, they are trying to somehow harm their enemy countries. There have been a few rare cases where attackers just wanted to cause chaos and they were not looking for money, they were just looking for disruption, but usually it’s either money or state-sponsored.

What are your predictions for the near future in terms of ransomware?

Unfortunately, I don’t see the rate of cyberattacks slowing anytime soon, especially because the pandemic doesn’t seem to be slowing down. Until things get back to normal, all of these online services shift back to in-person, that attack surface for criminals will still be large, still big. More money is being spent online now than ever before, and that’s more and more opportunity for attackers to steal money. This is just my prediction: we are going to see more ransomware attacks, more phishing scams and ways of trying to trick people. Unfortunately, we are probably going to see even more creative variants of these attacks that somehow get worse and worse.

Maya Levine, technical marketing engineer at Check Point Software Technologies

Invisible to ransomware?

Paul-Emeric Willette is Vice President at a French startup, Shadline, which, simply put, helps companies to get back to business faster after ransomware attacks.

“Sometimes companies are in total blackout for days or even weeks after they experienced a ransomware attack. When it happens, everybody in the company panics,” Mr. Willette told CyberNews during the Web Summit 2020.

Therefore, he is trying to sell a platform that, in case of an attack, ensures companies’ access to communication and vital business data. By vital data, he means files and information that could ensure the continuation of business operations for the first days after the incident.

“We are not a backup solution, we are not going to backup all the data of the company. We save the company's most vital data. We talk with our clients about the worst-case scenario and what data they absolutely need in the first week,” he told CyberNews.

Mr. Willette assured that because of the technology that Shadline uses, their data is invisible to ransomware.

“Our technology relies on encryption and file fragmentation. We have a specific technology that makes data that you store with us absolutely invisible to any malware like ransomware,” he said.

It’s not always easy to sell this service to companies that haven’t experienced a ransomware attack. Nevertheless, Mr. Willette says, businesses are becoming more aware of the possible risks, and are willing to invest more in cybersecurity.