Ransoms paid in ransomware attacks record an 171%increase, triggering 30% leap in cyber insurance premia
On May 8, 2021, the information technology systems of Colonial Pipeline the Georgia-based largest US pipeline operator of refined petroleum products, went offline – it was under a ransomware attack. US authorities immediately blamed a Russian group DarkSide, which often freelances for the Russian government, launching ransomware attacks.According to the Identity Theft Resource Center, there were 878 cyberattacks in 2020, 18% of which were recorded as ransomware. The average ransom paid by organizations in the US, Canada, and Europe increased from US$115,123 in 2019 to $312,493 in 2020—a 171% year-over-year increase.
The explosion of ransomware cases has been fuelled by the rise of cyber-insurance— which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace. In a report earlier this year, Standard & Poor’s Corp. stated, “Cyber insurance premiums, which now total about $5 billion annually, will increase 20% to 30% per year on average in the near future.”
In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.
A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.
The Russian connection
The Russian connection of DarkSide was exposed when cybercrime investigations found that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.
DarkSide, has emerged as one of the most audacious group of cybercriminals. It has its own website on the dark web that features an array of leaked data from victims who it claims failed to pay ransom. It claims that the group has made millions from cyber extortion. The group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a “press release.” Since then, they have become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.
Colonial Pipeline: An American Tragedy
Colonial Pipeline’s5,500-mile network. which runs from Texas to New Jersey, transports 45% of the east coast of US’ fuel supply meeting the needs of ~50 million customers. The Pipeline is, without a doubt, the most important finished product pipeline in the US. Ransomware is one of the top threats in cybersecurity. It exposes the vulnerability of critical US assets. The shutdown could extend a recent jump in gasoline prices — especially if the outage persists — piling on the pain for drivers as the seasonal peak in demand approaches.
The Americas region was hit the hardest, followed by EMEA (Europe, the Middle East, and Africa) and JAPAC (Japan and Asia-Pacific). Of the victim organizations with data published on leak sites, the top three countries impacted globally were the United States (47% of organizations), Canada (12%), and Germany (8%).
If these percentages are parallel to how many organizations actually pay the ransom, this could mean organizations in the US are more profitable for ransomware operators to target than others. Also, given the increasing acceptance of cyber insurance solutions in countries like the US, Canada, and Germany, many companies may decide to pay the ransom if they are already covered by their respective insurance providers.
Pandemic increased ransomware attacks
The information technology sector saw a 65% increase in ransomware incident response cases from 2019 to 2020. As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics, accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus. Last year saw both old and new families of ransomware wreaking havoc on industries globally. Ransomware operators took advantage of widespread COVID-19 concerns by conducting phishing attacks containing pandemic-related themes and heavily targeted already overwhelmed industries such as healthcare.
Ransomware is evolving. What once was a straightforward encryption-based data attack has evolved into a complex chain of events often involving data theft, data encryption, and corporate extortion. This more complex and more damaging ransomware is also becoming a larger percentage of total cyberattacks, according to industry data. Security researchers estimate that ransomware attacks more than doubled during 2020, and the early months of 2021 show no signs of a reduction in ransomware attack numbers.
Pay up or be exposed
Today’s most common ransomware attack strategy, known informally as “pay up or be exposed,” involves the exfiltration of critical data before encrypting data storage. If the victim declines to pay the ransom, the attacker threatens to release that critical data to the world, compromising confidentiality and threatening regulatory action.
These multi-phase variants and opportunities for new entries in the market underscore the reality that most organizations are not prepared to survive a ransomware attack without significant business disruption. In a recent Omdia poll, less than a quarter of all respondents indicated confidence in their company’s ransomware response. More than one-third of the responses indicated either that there were major holes in the organization’s response plan (21%), or that there was no plan in place at all (13%).
The three-pronged defence plan
Gaining confidence in an organization’s ability to withstand a ransomware attack without catastrophic business disruption rests on three legs of a response strategy—cyber protection for critical data, rapid response, and organizational learning.
Cyber protection involves going beyond the basics of a solid backup and restore plan. In addition to that foundation, cyber protection brings data security and intelligent threat response into the mix. The result is comprehensive data backup that recognizes when a file has been compromised and automatically restores any file that has been tampered with by the ransomware, without the need for the administrator to manually do anything.
Next, organizations should take steps to reduce the period during which ransomware is able to conduct surveillance, mapping, and asset inventories. Ransomware is, by its nature, a “noisy” attack—there is nothing stealthy about the demand for ransom or presence of encrypted files. A successful response, then, means catching and stopping the attack as early as possible, ideally before any data is exfiltrated or encrypted. While every effort should be made to prevent an attack (e.g., proper patching performed), organizations must have an “assume breach” mentality. Bad actors will get in eventually, and then they need to be caught as quickly as possible.
Finally, organizations must learn from their mistakes. In a recent case, a UK company paid millions in ransom for a decryption key, received it and decrypted their data—and did nothing to remediate the vulnerability that allowed the attack to succeed. Two weeks later, the same criminal organization hit them with the same attack a second time. The company had no recourse but to pay another ransom.
Understanding how an attack occurred, why it was successful, and how it can be prevented in the future should be a top priority in any ransomware attack—and the lessons learned should be immediately applied. Furthermore, the use of artificial intelligence and machine learning that trains on data from millions of endpoints, security researchers, and threat hunters can greatly help to automate the learning process. Ransomware is now part of the business cyberthreat landscape. Learning how it can be prevented with a cyber protection strategy, and the best responses when it cannot, is critical for every organization in 2021 and beyond.