5 Ransomware Facts You Need to Know About

December 9, 2019

Dane Greisiger is a second-year student at the Wharton School at University of Pennsylvania. He has conducted independent research on cyber security and completed internships at Philadelphia Insurance Companies, NetDiligence and Relay Network. He also oversees business operations, including a multi-million dollar budget, at Penn's newspaper, The Daily Pennsylvanian.

Don’t expect a note with hand-cut magazine letters when your enterprise network is taken hostage. You’ll know when the entire business shuts down, when panic unfolds as no one can access systems for needed operations, and when a nameless threat actor on the opposite side of the world starts demanding large sums of money in Bitcoin in exchange for your decrypted data.

In relatively short order, ransomware has become a leading method of attack for cyber criminals. It’s faster to infiltrate a network, encrypt data and collect a ransom payment than to capture, sort and sell increasingly overexposed data on the dark web. And as many thieves have discovered, the profits can indeed be impressive.

Yet there is still much we don’t understand about this cyber security threat because the details of so many ransomware attacks go publicly underreported. For that reason, I conducted a survey of 14 leading experts across a number of fields from computer forensics to cyber risk insurance to find out about their experiences on the ground.

Here are five things those experts want you to know.

1. Ransomware is here to stay and it’s only getting worse.

The majority of respondents (93%) agreed that ransomware frequency is increasing, as are the payments made to mitigate harm or business interruption. Each of these global experts has handled hundreds of ransomware cases.

Nearly 30% of respondents described seeing more “complete” variants of the attacks, which now include going after the victim’s backup data so they have no recourse but to pay up. The most common reasons cited for this uptick in attacks are the low bar to entry (it’s easy to learn the technology) and the lucrative nature of ransomware relative to other cyber crimes.

The experts I asked reported an average ransom of $100,000. (That doesn’t account for associated crisis service costs such as forensic investigation, typically in the $50,000 to $150,000 range, and data restoration, which can be an additional $100,000 to $300,000.) And most of these experts have seen ransom demands in the millions.

2. There’s a mini-economy relying on and possibly enabled by this cyber threat.

Ransomware threat actors are often perceived as lone-wolf types, but they simply cannot survive and make a living without a whole ecosystem of supports, many of which are successful, legitimate businesses. That includes cyber-risk insurance underwriters, forensic experts, breach lawyers and Bitcoin brokers, which are built on assisting victimized organizations and preventing others from being breached.

This network of remediation services and consultants facilitates dealing with and paying cyber criminals. It’s easy, then, to see how businesses might view handling ransomware as another cost on their balance sheet as opposed to material support of criminal enterprises.

Once again, many attackers understand that this remediation framework exists, and they most likely see it as beneficial to streamlining and simplifying their operations. One expert cited the attackers’ growing knowledge of, and reliance on, the fact that ransomware attacks are often covered by insurance policies, and that victims are incentivized to resolve the attack immediately because their financial burden is ceded to the insurance company. In other words, if everyone knows the insurer’s going to pay, it’s no big deal, right?

3. The hackers may actually be reliable.

Once we view ransomware as a business, we start to see its perpetrators as business people. 71% of respondents said that in less than 5% of the cases they’ve handled, a threat actor has not provided the decryption key.

Why is it that 95% choose to send over the decryption keys? They’ve already been paid, and victims seemingly have no leverage over them whatsoever. While all of this information is true, “it is in the threat actors’ best interest to comply. If they do not, nobody will ever pay or take the risk.”

In the larger scheme of a ransomware campaign, reliably releasing decryption keys is one of the most important aspects of a threat actor’s continued success. Breach remediation service providers deal with the same groups of ransomware attackers on a daily basis and will advise ransomware victims on the reliability of threat actors’ promises based on prior interactions. It turns out that word of mouth is still the key to success, even in the criminal underworld.

4. You need cyber risk insurance.

Beyond the reasonable IT safeguards, part of any decent protection strategy appears to increasingly include having cyber risk insurance coverage in place. With this coverage comes immediate access to many of the leading breach response experts that I surveyed, along with insurance help to cede a good portion of the risk.

5. Treat ransomware like the flu.

Ransomware is an ongoing threat that will only mutate over time. That being said, there are some helpful protections that should be put into place at an organization of any size. That includes protecting Remote Desktop Protocol (RDP) ports.

Remote Desktop Protocol gives a user the ability to control a computer remotely with only a username and password. The most common attacks on RDP include guessing weak passwords and exploiting vulnerabilities in outdated software.
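A defender's view of the password-guessing pattern described above, as an added example that is not part of the original article: it scans Windows Security logon events (4625 failed, 4624 successful) for bursts of failed remote logons from one source and records any success that follows. The event records, the dict field names and the threshold of 5 failures in 5 minutes are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (RDP with NLA)
THRESHOLD = 5                  # assumed: failed logons per source within WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window

def detect_rdp_guessing(events):
    """Flag source IPs with a burst of failed remote logons and record
    the first account that logged on successfully after the burst."""
    recent = defaultdict(list)  # source IP -> failure times inside WINDOW
    users = defaultdict(set)    # source IP -> every account name it tried
    alerts = {}                 # source IP -> alert record
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue            # e.g. console logons (type 2) are out of scope
        ip = ev["ip"]
        if ev["event_id"] == FAILED:
            users[ip].add(ev["user"])
            recent[ip] = [t for t in recent[ip] if ev["time"] - t <= WINDOW]
            recent[ip].append(ev["time"])
            if len(recent[ip]) >= THRESHOLD and ip not in alerts:
                alerts[ip] = {"ip": ip, "alert_time": ev["time"],
                              "users_tried": users[ip], "success_as": None}
        elif ev["event_id"] == SUCCESS and ip in alerts:
            if alerts[ip]["success_as"] is None:
                alerts[ip]["success_as"] = ev["user"]  # likely guessed password
    return list(alerts.values())

# Constructed sample events (documentation IP ranges, made-up account names).
T0 = datetime(2019, 12, 9, 3, 0, 0)

def _ev(sec, event_id, ip, user, logon_type=10):
    return {"time": T0 + timedelta(seconds=sec), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}

GUESSES = ["administrator", "admin", "administrator", "admin", "backup", "admin"]
SAMPLE_EVENTS = (
    [_ev(10 * i, FAILED, "203.0.113.7", u) for i, u in enumerate(GUESSES)]
    + [_ev(70, SUCCESS, "203.0.113.7", "admin")]
    + [_ev(5, FAILED, "198.51.100.20", "jsmith"),
       _ev(20, FAILED, "198.51.100.20", "jsmith"),
       _ev(40, SUCCESS, "198.51.100.20", "jsmith")]
    + [_ev(15, FAILED, "192.0.2.9", "kiosk", logon_type=2)] * 6
)

if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert["ip"], sorted(alert["users_tried"]), alert["success_as"])
```

An alert with `success_as` set is the case to escalate first: a logon succeeded from a source that had just been guessing passwords.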

65% of experts cited the use of RDP ports without multi-factor authentication as a significant vulnerability in ransomware attacks. Proactive organizations will continue to deploy smarter security prevention and surveillance tools.

One example is CrowdStrike’s endpoint protection software called Falcon Prevent, which leverages behavioral analytics to stop fileless malware before it unpacks. And finally, 50% of experts cited the use of phishing campaigns as the biggest threat to current cyber security tools.

“Phishing training is the key to avoiding ransomware,” said one expert. As with immunizations, nothing is fail-safe and constant updates are required, but some precautions are better than none.

To connect with Dane, visit LinkedIn: www.linkedin.com/in/dane-greisiger-13107a158/
