Ransomware Sentiment After a Summer of Headlines
The summer of 2019 saw a precipitous rise in ransomware activity across several measurable data points. Attacks against businesses have risen dramatically and, according to Malwarebytes, business detections of ransomware rose 365% from Q2 2018 to Q2 2019. The average ransomware ransom demand has risen from $12,000 in Q1 to over $36,000 in Q2 of 2019. This summer has also seen a dramatic rise in public sector organizations being targeted, while media coverage of these events and their implications has exploded. At Coveware, we firmly believe that debate, discourse and shared data are all healthy ingredients for developing solutions that help businesses avoid and recover from ransomware attacks. We have read plenty of articles and broken down some of the journalism that has helped fuel this debate.
Sentiment on How Companies Can Prevent a Ransomware Attack
Quote: “Making ransomware unprofitable is effectively the only way, short of coordinated global regulation of cryptocurrencies, to stop these criminals.” Josephine Wolff, a Tufts University professor, argues that the lack of a centralized organization to assist ransomware victims, of the kind that exists in Europe, is leading to ransoms being paid unnecessarily.
Commentary: This is absolutely, unequivocally correct and a very prescient statement. Threat actors that distribute ransomware run their operations like businesses and are profit margin sensitive. Attacks that take too long, require expensive tools to complete or have a low monetization conversion rate are bad. If the average ransomware attack became 10x more expensive to carry out for whatever reason, the volume of ransomware attacks would absolutely decrease. Further in the article, the author contends that law enforcement is not doing enough.
Quote: “For organizations that don't have the will or resources to invest in ransomware defenses now, every day is a gamble that they won't pay for it later.” Lily Hay Newman wrote this in an article in Wired about a ransomware attack on the Georgia Courts system.
Commentary: This is very well said and underscores several important points. The first point is around resources and investment for IT security. It is easy to get lost in the latest threat, vulnerability or security fad. It is hard to distill advice these days, but at a high altitude, consistent annual investment in security is a must. IT security is infrastructure and is no different than a piece of physical infrastructure. If you don’t keep the rust off the bridge, it eventually collapses in a catastrophe. The second point is less clear cut but is worth parsing. If a company chronically underinvests in IT security and gets hit with ransomware, there will be a cascade of costs to recover. It is erroneous to compare the cost of paying a ransom to the total cost of recovery. This is a very common error when highly public ransomware incidents are discussed. When the City of Baltimore was attacked, their total cost to recover was compared only to the $76,000 ransom demand that was not paid. This is apples and oranges. Paying a ransom only gets your data decrypted. It does not solve decades of under-investment in IT security. It just so happens that the ransomware attack is the moment when that accrued liability comes due in full.
Sentiment on How Industry Participants Are Helping or Hurting the Ransomware Problem
Quote: “The most the federal government has done to support these efforts is give an F.B.I. Director’s Community Leadership Award to the creator of the ID Ransomware site.” Further in the New York Times article, Josephine Wolff contends that law enforcement is not doing enough.
Commentary: Michael Gillespie deserved this award first and foremost, but as thousands of victims of ransomware can attest, the FBI and other branches of law enforcement do a lot. Law enforcement rarely publicizes the fruits of their efforts, especially as it relates to an individual ransomware attack. Just because they are not holding press conferences does not mean that hundreds of agents are not onsite working with victims every day. Additionally, law enforcement often has ways to decrypt certain types of ransomware, but they do not publicize it because doing so would alert the threat actor (who would quickly change their tactics and nullify the advantage). This is truly a challenge and frankly depends on more victims coming forward and reporting attacks to the FBI so that they can be helped. Based on the data reported by IC3, Coveware estimates that only 1 in 20 ransomware attacks is reported to the FBI. Moreover, not reporting is not a signal of not being aware. Many victims are reluctant because they do not want to create any paper trail or government record of their attack due to reputational reasons. This is a very hard challenge to deal with.
Quote: “But when those payments come from their insurance carriers, the victims become so insulated from those costs, so used to paying for their insurance policies as a regular risk management expense, that ransomware becomes even more accepted and legitimized as a routine cost of doing business.” Josephine Wolff presents arguments in this Slate article against cyber extortion costs being an insurable event.
Commentary: We don’t feel this is accurate. The analogy would be that a driver of a car would cease stopping at red lights because their auto insurance will just clean up the mess from all the accidents they cause. Insurance is a powerful risk mitigant, but just like in car crashes, it does not lead to behavioral changes that affect the security of your person, or in the case of ransomware, your company. A ransomware attack can easily bankrupt a company. At best it will cause massive disruption and brand damage. No rational business would take a cavalier attitude towards security purely based on insurance being a safety net.
Quote: The Slate article goes further to state: “But it makes insurance companies and their customers complicit in supporting criminals and ensures the stability of those criminals’ profits for years to come.”
Commentary: This quote feels very much like victim shaming without considering the consequences of the other side of the coin. If a hospital gets attacked, and human life is at risk, should the hospital be labeled a complicit supporter of cybercriminals? When a small business must choose between going out of business, laying off their employees, losing health care, or paying a ransom, do they really need more guilt and stress? Moreover, the only things providing “stability” to cybercriminals are the physical and technical jurisdictions that provide them safe residence and services, beyond the reach of Western law enforcement and subpoena power. In order to break the stability of these groups, the countries that support them should be pressured to act, and the service providers that host their activity should be targeted for takedown. Aiming for the insurance company or the victim misses the root of the issue.
Sentiment on the Role of Backups in Recovering from a Ransomware Attack
Quote: “But ransomware victims who don’t have offline backups of their data do have options. Many common strains of ransomware have, in fact, been reverse engineered by software engineers and security firms that provide decryption tools.” This New York Times article contends that decryption is possible if only victims knew where to find the right tools.
Commentary: This is not factually correct. Most current victims of ransomware are impacted by ransomware variants for which there is no known way to decrypt the data (why would a threat actor use a ransomware variant that can be decrypted easily?). No More Ransom is a fantastic repository for decryption tools and works seamlessly across its partners to aggregate them. That being said, these tools take a long time to build and are typically utilized by victims of ransomware that have properly archived their encrypted data and waited (sometimes months or years) for the free option. For the marginal company hit by ransomware tomorrow that has no backups, there is almost no chance that a free decryption tool will be available to help them in the time frame they need. This is sad, but it is the reality.
Quote: “Insurance companies are ‘both fueling and benefiting from’ ransomware attacks by opting to pay ransoms, in some cases ‘even when alternatives such as saved backup files may be available,’ as [ProPublica] previously reported in May.” Gizmodo published an article titled “Ransomware Attackers and Insurance Companies Are Forming a Human Centipede of Profits.”
Commentary: First and foremost, conjuring memories of the movie Human Centipede is wrong on a lot of levels. Not cool! Second, the idea that a ransomware attack creates profits is fundamentally a misunderstanding of how insurance works. By definition, a ransomware attack creates a claim, which results in a loss. Insurance companies don’t like products whose loss curves develop adversely. It’s bad for profits.
There are two other conjectures made that, based on our experience managing ransomware incidents, are inaccurate. First, cyber insurance comes into play at the very end of a given incident. It is far-fetched to claim that cyber insurance fuels ransomware. Ransomware attacks happen because there is a large population of enterprises with extremely weak security defenses. Conducting a ransomware attack against weakly secured firms is cheap and easy. The prevalence of open RDP ports, easily phished employees, and marketplaces where stolen credentials can be purchased is what fuels ransomware attacks. The number of targets is large, and the cost of conducting an attack is extremely low.
The second inaccurate conjecture is that insurance companies “opt” to pay ransoms vs. restoring from backups. The decision to pay vs. restore from backups is the choice of the company, not the insurance company. Imagine if you had a small house fire. Your insurance policy states that they will both cover the cost to remediate the damage and the cost to put you in a hotel while construction takes place. If the insurance company subsequently decided that it would just be cheaper to knock your house down vs. remediate the damage more slowly, YOU would have to approve that decision. The insurance company couldn’t just wheel the wrecking ball onto your property. The same is true with cyber insurance. The business leaders make the call based on what is best for them. The insurance company has no say in this decision outside of providing the details of how their policy works in each scenario. Moreover, it is a common misperception that paying a ransom results in the immediate recovery of both encrypted data and the network that was attacked. This is wrong. Regardless of how data is recovered (from backups or by paying the ransom), the computers and networks that were affected will have to be heavily cleaned and possibly rebuilt anyway. The malware that precedes the ransomware attack can heavily compromise a network, making the only prudent path to restoration a rebuild.
Overall, we view this discussion as positive. More voices and opinions create awareness of the ransomware problem, which is valuable in and of itself. Too many companies still believe they are too small to be targets, which could not be further from the truth. Ransomware is a global industry, and it does not discriminate against targets.