Ransomware is a form of malware that threatens users with damage by refusing access to their data. As a ransom, the attacker promises to restore access after the victim pays.
A new wave of ransomware has hit in the year 2021.
This blog contains the following information:
- Ransomware Statistics
- Five Of The Largest Ransomware Payouts
- How Does A Ransomware Attack Work?
- What Factors Contribute To The Success Of A Ransomware Attack?
- Who Are Most At Risk Of A Ransomware Attack?
- Ransomware Assault On A German Hospital Results In The First Death
- Prevent Ransomware Attacks
- How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?
Ransomware Statistics
- It’s estimated that a business will fall victim to a ransomware attack every 14 seconds
- From 2013 to 2016, the primary ransomware variants reported were CryptoLocker and CryptoWall
- In 2017 and 2018 that transitioned to WannaCry and SamSam
- In late 2018 and early 2019, the primary ransomware families have been GandCrab and Ryuk
- 68,000 new ransomware Trojans for mobile were detected in 2019
Ransomware Will Remain The Number One Threat
- The average cost of ransom per incident is on the rise:
- 2018 – $4,300
- 2019 – $5,900
- 2020 – $8,100
- The average cost of ransomware caused downtime per incident:
- 2018 – $46,800
- 2019 – $141,000
- 2020 – $283,000
- Businesses lost around $8,500 per hour due to ransomware-induced downtime
- Ransomware attacks have cost U.S. healthcare organizations $157 million since 2016
- The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations varied from $1,600 to $14 million per attack
- Global damage caused by ransomware grew from $11.5 billion in 2019 to $20 billion in 2020.
(Source: https://purplesec.us/resources/cyber-security-statistics/ransomware/)
Five Of The Largest Ransomware Payouts
A few years ago, one may not have ever heard of ransomware (crypto-locker software). Modern-day cybercrime is worth £10 billion per year and is now viewed as one of the major dangers to companies, institutions, and critical services.
Companies are locked out of their files and forced to pay exorbitant ransoms in dozens of cases each month. An attacker’s current price for decryption keys could be in the neighborhood of 0.3 bitcoin (approximately £100,000, or $140,000).
Reviewing five of the biggest recorded ransomware payments, we examine some of the occasions attackers have done this.
San Francisco State University ($2.3 million)
According to reports, a month-long battle with criminal hackers ended with the University of California San Francisco (UCSF) paying $1.14 million in bitcoin to unlock its systems in June 2020.
As a result of the original ransom demand, the institution countered with an offer of $780,000.
Network administrators sought to isolate and ringfence a number of systems as the discussions proceeded. In this way, the malware was stopped from reaching the UCSF core network and causing additional harm to the system.
Travelex ($2.3 million)
Travelex’s IT department was dealing with a ransomware virus on New Year’s Eve 2019 when most were celebrating. Not before paying a reported $2.3 million ransom, the currency exchange agency was able to restore its internal systems. Staff had to use pen and paper during this time, severely delaying the few operations that could still take place, while numerous UK banks who work with the company were obliged to turn away customers who were trying to order foreign currency.
Brenntag ($4.4 million)
Chemical distribution firm Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware group to get a decryptor for encrypted files and prevent the threat actors from publicly releasing stolen data. As a result of a ransomware assault, Brenntag’s North American division was the target. Threat actors encrypt devices on the network as part of this assault, then stole unencrypted material from the network. An anonymous source told BleepingComputer that the DarkSide ransomware gang took 150GB of data during their attack. This page contains a summary of the sorts of data that were stolen and screenshots of some of the files that were taken.
Colonial Pipeline Co ($4.4 million)
When an employee received a ransom letter from hackers on a control-room computer, the operator of Colonial Pipeline knew it was in danger around dawn on May 7, 2021. A difficult decision had to be made that night by the company’s CEO. Joseph Blount, CEO of Colonial Pipeline Co., sanctioned the ransom payment of $4.4 million because management was unclear as to the extent of the hack and how long it would take to restore the pipeline.
A group of hackers had “exfiltrated” documents from the company’s shared internal hard drive and demanded $5 million in exchange for the contents. It was infected by a ransomware application produced by DarkSide, an alleged Russian cyber-criminal organization. FBI worked with Colonial Pipeline to trace the bitcoin after the payment was made to get the money back, CNN reported at the beginning of the month.
Officials said Colonial Pipeline’s fast response in notifying federal authorities allowed investigators to swiftly recover most of the cash, which was recovered after identifying the virtual wallet used in the transaction, according to officials. According to investigators, the DarkSide hackers would not “see a cent” of the ransom money.
CWT Global ($4.5 million)
CWT Global, a US travel services firm, paid $4.5 million in bitcoin to the Ragnar Locker ransomware group in July 2020.
Two gigabytes of data were allegedly hacked. Among the records impacted were financial records, security documents, and employee personal information, such as email addresses and payment data.
Remarkable is that both parties engaged in talks in a public, anonymous chat room.
After the ransomware group demanded $10 million, those who followed the negotiations were able to observe how CWT Global handled the situation.
Replying on behalf of the organization’s chief financial officer, the representative indicated that COVID-19 had badly impacted CWT Global and that it was unable to pay what the attackers wanted.
A little less than half of the initial amount was agreed upon, but it was still more than any other organization had ever paid. CWT agreed to pay $4.5 million in bitcoin, which is a form of digital currency.
How Does A Ransomware Attack Work?
Computer hackers utilize current encryption techniques to create ransomware, which is a form of the virus meant to make money. Modern technology makes it difficult to decipher encryption methods in use today, such as the Advanced Encryption Standard (AES).
As a result, companies are denied access to mission-critical files and data.
As a consequence of this invasion, people and organizations are compelled to pay the ransom. Once data has been encrypted by one of these algorithms, the only way to access it is with the corresponding encryption key.
Using this information, cybercriminals attack computers with malware. Spear-phishing emails are one of the most popular ways to achieve it. Word macros (or other techniques) can be used to download and run ransomware.
Executive assistants might be targeted by fraudsters posing as C-level executives and demanding a transfer of money or gift cards.
As soon as Spear-phishing emails are on the machine, it begins to encrypt all of the user’s files. This may depend on the sort of ransomware versions that have been used. A few users may encrypt all files, leaving only those that are vital to the computer’s functionality.
In certain cases, the attacks are more focused, targeted at specific files that are more likely to be valuable to the intended victim(s)
After the initial attack, many ransomware variations will try to propagate to additional systems. This vulnerability is the primary infection method for WannaCry, although many contemporary versions will search for portable media (i.e., USB drives), attached devices, or file servers to spread their infection.
It then displays a ransom note to the user. An example of this is seen in the image above; however, the specifics will vary from one version to the next. For the user’s decryption key and software, these messages generally demand a ransom in Bitcoin.
Ransomware-as-a-Service has also contributed to the expansion of the ransomware industry (RaaS). Users who are less technically savvy can purchase ransomware-related services or kits from ransomware developers and then use them to launch ransomware attacks against targets of their choosing.
Ransomware writers profit from this since it allows less competent crooks to carry out assaults.
What Factors Contribute To The Success Of A Ransomware Attack?
Ransomware attacks are so successful because they are so simple and have a clear psychological impact on their target. They have the ability to infect any type of computer (laptops/desktops, mobile devices, IoT, routers, cloud storage, and so on) and deny the owner access to the data stored on these systems.
Considering sophisticated ransomware kits are freely available on the dark web, this form of attack is very profitable for threat actors. Healthcare providers are one of the most susceptible and worst impacted sectors for two reasons:
1. Personal health information (PHI) may be traded for hundreds of dollars per record and is frequently resold to a variety of threat actors.
2. Health-care system security is often driven by compliance rather than appropriate security hygiene.
Running vulnerability scans, for example, will report on Critical, High, Medium, and Low vulnerabilities. While Critical to High vulnerabilities are frequently prioritized, it is the Medium or Low vulnerabilities that might prove to be a great threat. Overlooking these vulnerabilities on devices such as a printer, medical equipment, or other connected devices allows threat actors to get access to the network.
Looking ahead to 2021, there are no signs of ransomware stopping off. Indeed, anticipation is high on the development of new tailored versions with the objective of infecting certain industries, such as education, mining, transportation, and energy, to mention a few.
Who Are Most At Risk Of A Ransomware Attack?
Previously, ransomware attackers chose a “quantity over quality” strategy. WannaCry ransomware outbreaks attempted to infect as many machines as possible and demanded a modest payment from each.
However, attackers discovered that this technique was not cost-effective. The procedure of acquiring and delivering Bitcoin to pay a ransom is beyond the ordinary user’s comprehension.
As a consequence, hackers either did not get ransoms or were forced to spend time on customer service, which reduced their earnings.
The current ransomware threat mostly targets larger businesses and demands higher ransom payments from each target. Typical objectives include:
• Transportation: the trucking industry has been a significant target of ransomware because it cannot afford ransomware-related delays
• Legal Firms: Following a ransomware assault, a Providence-based law company lost access to data for three months
• Dental Practices: In addition, approximately 100 dental clinics were affected by a ransomware assault on a seller of IT services
• City/Municipal Administrations: In 2019, ransomware struck over 70 state and local governments
• Hospitals: Ransomware attacks cause hospitals to turn away patients
• Industrial Sectors: The Snake ransomware version targets the industrial sector particularly
Ransomware Assault On A German Hospital Results In The First Death
In the first known case of a death directly connected to a cyber attack on a hospital, the ransomware assault took place at the Duesseldorf University Hospital. The woman has been transported to a clinic about 20 miles away since the hospital couldn’t accept emergency patients due to the attack, the Associated Press reports.
A report from the German news channel RTL claims that the hospital was not the target of the attack. A local university was the intended recipient of the message. Assailants halted their attack after officials informed them that their strike had shut down the hospital they were targeting.
Prevention Of Ransomware Attacks
Educating the users, automating backups, minimizing attack surfaces, establishing a plan for incident response, deploying endpoint monitoring and protection throughout the network, and securing ransomware insurance are all ways to minimize or avoid a ransomware assault. After infecting backups, ransomware might take over the computers. As an extra layer of protection, physical and offsite backups might be performed in this situation.
An infected PC can no longer be saved after the ransom notice appears. A cyber assault can be prevented by taking precautions in advance.
It is estimated that in 2017 and 2018 the vast majority of ransomware attacks were not specifically targeted. Higher companies with the ability to pay larger ransoms have been targeted by ransomware methods in 2019.
As a result, attackers were able to infect and encrypt endpoints and propagate over the network, often causing hundreds of thousands, if not millions, of dollars in damages to businesses.
Education and Training for Users
Many malware kinds, including ransomware, are propagated by phishing and other forms of social engineering. Infection risk can be reduced by training users to detect these risks.
Backups that are Automated.
Ransomware attacks require victims to pay a fee to gain access to encrypted files. There is no reason to pay the ransom if recent backups are available. It’s crucial to remember that offline and offsite backups can be utilized as an extra layer of security if backups get contaminated.
Reduce the Attack Surface
Malware frequently exploits existing vulnerabilities, unsecured services (such as RDP), and tools such as PowerShell. The attack surface is reduced by keeping vulnerabilities patched, antivirus up to date, and superfluous services deactivated.
Incident Response Plan
Responding quickly and appropriately in the aftermath of a ransomware attack is critical. Having a strategy in place ensures that the IT/security team tackles a possible issue appropriately.
Monitoring and Protection for Endpoints.
It is feasible to stop a ransomware outbreak before too much harm has been done by detecting the virus early. Monitored endpoints should be able to detect possible infections and stop them in their tracks.
Insurance coverage for ransomware.
Bringing business back up and running after a ransomware attack may be quite expensive. The expense of ransomware can be minimized if a company has insurance in place.
How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?
Our mission is to assist organizations in developing and implementing practices to secure data and comply with regulations.
With several years of experience in IT and industry verticals, databrackets is your perfect partner for your Cybersecurity, audit, and compliance needs.
databrackets maintains an educational and transparent approach to our customers’ data security and compliance obligations. Using our safe and user-friendly platform, our team of specialists assists you in understanding your choices and developing a bespoke solution tailored to your business’s needs in the most effective manner. We invest in your long-term success so you may run your business without stress. Some of our programs and services, mostly in the Cybersecurity and Privacy Audit, Compliance, Certifications & Attestation Areas, include CMMC, SOC 2, and MFA, which are outlined below and will assist clients in combating threats and preventing attacks by keeping systems safe and secure.
Security Standards Can Be Enforced by CMMC
As a compliance standard, the Cybersecurity Maturity Model Certification (CMMC) has been under development for a long time. As part of DFARS and NIST 800-171, CMMC will require DoD vendors to implement and maintain a variety of security measures based on the type of data they store or access.
In the last several months, a new criterion was introduced, requiring businesses also to certify that they’re striving toward CMMC certification. This situation has arisen due to the fact that these security best practices were not being adopted honestly by organizations.
A more uniform security standard in the United States is the goal of the CMMC.
Services for Security Operations Centers (SOC) Will Mitigate Cyber Attacks
In order to mitigate or prevent cyber assaults when they occur, Security Operation Centers (SOC) provide real-time monitoring, detection, and response services. Benefits from a SOC offer businesses a comprehensive approach to security, according to the report.
As a result, centralized asset displays, cross-departmental collaboration, and maximum awareness are used to save expenses.
Due to the rapid development of cloud services in recent years, SOCs are more accessible today than in the past. Another reason for its rise has been the continual need to bring security down to smaller business models, which has been a significant factor in its rapid expansion.
With our trained privacy and security specialists, together with our CPA partners, we can assist your business meet Security Operation Centers (SOC 2) audit certification criteria in an efficient and cost-effective manner.
Multi-Factor Authentication Use Will Step Up Security
Multi-factor authentication (MFA) is generally considered the gold standard when it comes to authentication. Authentication can be through SMS or phone calls.
Microsoft recommended customers cease utilizing MFA through mobile phones in early November and instead advocate using app-based authenticators and security keys.
One-time passcodes are stored in plain text. As a result, the messages sent are not encrypted, even though SMS has some security built-in. This implies that threat actors can use an automated man-in-the-middle attack to obtain the one-time passcode in plain text.
Online banking is one of the most vulnerable sectors because authentication is generally done by SMS. According to a recent study, a huge financial fraud operation infiltrated 16,000 devices, incurring over $10 million in losses.
Given this danger, companies will increasingly opt for application-based MFA, such as Google Authenticator. We also strongly advise utilizing a hardware MFA device such as the YubiKey.
To learn more about the services, please visit www.databrackets.com.