Ransomware holds your files hostage until you pay a fee to regain access. Ransomware attacks against organizations are becoming increasingly common and expensive to recover from. Every time someone pays a ransom demand, it’s an incentive for criminals to expand their attacks even more. Companies must have strong malware security and plans to recover from business interruptions in case of an attack.
Ransomware is software that makes an individual’s or company’s data and files inaccessible, effectively holding them hostage until the victim pays a ransom. Criminals trick people into clicking a link, opening an attachment, or downloading a file that surreptitiously installs ransomware on a computer. The program encrypts certain files on the computer, encrypts files on the company’s network, and tries to infect other computers on the network. The malware employs modern cryptographic techniques, which are essentially unbreakable without the decryption key. Besides losing access to the encrypted files, some perpetrators might threaten to expose the contents of the files publicly on the Internet as additional encouragement to pay the ransom.
Ransomware is particularly attractive to cybercriminals for several reasons. First, it can be used in a broad, nontargeted way to affect many unknown targets at a large company, or it can be used in a very targeted fashion to attack specific people in an organization or high net worth individuals. Ransomware is, and continues to be, a problem for one simple reason: it works. Criminals have been successful at extorting large sums of money from organizations using software that makes the crime effective and profitable.
The victim of a ransomware attack is typically very aware that the attack occurred because the software displays a prominent notice with instructions on how to pay the fee. The notification screen often locks the computer that’s been attacked and prevents the user from doing anything with the machine. While an IT professional can easily remove the lock and notification screen to make the computer usable, the damage of encrypting files has already been done. Ransom demands are typically made in Bitcoin because the cryptocurrency provides more anonymity than other electronic payment methods.
Ransomware causes many problems for an organization. The amount of the ransom is often small compared to the long-term financial consequences of a ransomware attack that include fines, lawsuits, recovery expenses and preventative investments. Businesses that are paralyzed by a ransomware attack can lose customers to competitors temporarily or permanently. Even after a company recovers from an attack, publicity about the attack can damage the company’s reputation. A successful ransomware attack can be devastating to an organization, and that’s a dream come true for criminals.
The most common way that ransomware gets downloaded to a person’s computer is through a link or attachment in an email message. An email might appear ordinary and mundane so people don’t suspect it poses a threat. Or, an email might appear important and urgent so the recipient acts before considering potential consequences. Macros embedded in word processing and spreadsheet files are another common way that malware gets introduced. More sophisticated attackers might gain administrator-level access to a trusted website and plant malware in common links or downloads without revealing that the website was hacked.
Everyone makes mistakes, and it only takes one mistake by one individual to introduce ransomware into an organization. The best defense combines security, continuity and education. Organizations should fortify their email security to ensure that all email is scanned for viruses and malware, and that attachments and links can be safely previewed or opened in sandboxes. A company’s disaster recovery plan must include ransomware as a potential disaster and provide for the recovery of files with minimal downtime and an acceptable amount of data loss. It’s also critical to test the file recovery procedures with real data when there’s no emergency to have confidence that the actions in the plan are effective. Finally, it’s essential to educate all employees about the risks of ransomware, the potential vulnerabilities, and the procedures to follow if they identify something unusual or if they are the victim of an attack. Knowledgeable and vigilant people can be one of the best defense mechanisms against a variety of bad actors.
Attacks against public sector targets are increasing, but private companies are more often the victims of a ransomware attack. There’s often not as much publicity about private company incidents because the companies prevent the attack from being disclosed to the public. Professional service firms are some of the most common targets of ransomware attacks.
Law enforcement agencies unanimously agree that victims of a ransomware attack should not pay the ransom. Nevertheless, a 2020 survey by Sophos reports that about a quarter of ransomware victims complied with the ransom demands, which were often paid through cybersecurity insurance policies. The travel company CWT reportedly paid a $4.5 million ransom in Bitcoin to its attackers, who demanded $10 million. Garmin supposedly paid a $10 million ransom to criminals who caused its GPS services to stop for several days.
The cost to recover from a ransomware attack is often even more than the ransom demanded. While neither the City of Atlanta nor the City of Baltimore paid any ransom, they each spent close to $20 million recovering from their attacks where criminals demanded less than $100,000. Experts claim that paying ransom does nothing to reduce the cost of recovering from an attack. It just makes it more expensive.
Like telemarketing and spam, ransomware will exist as long as it remains profitable and the reward is greater than the risk. Until everyone fortifies their security and refuses to give in to the demands of criminals, ransomware is here to stay.