Ransomware claimed its first victims when Joseph Popp distributed 20,000 floppy disks with ransomware to AIDS researchers who had attended the World Health Organization’s 1989 AIDS conference in Stockholm.[1]
Popp claimed the disks contained a program that could analyze individuals’ risk of contracting AIDS. The recipients were unaware the disks actually contained malware that activated itself, hid in their computers and later locked up the data. Once the computer was locked, the malware showed a message demanding $189, and later demanded another $378. Popp’s message screens described the payments as a “software lease” from an organization called PC Cyborg Corporation. This attack became known as the AIDS Trojan or the PC Cyborg virus.
Ransomware picked up steam in 2005 when SpySheriff, Performance Optimizer and Registry Care[2] arrived in the guise of antivirus programs — in actuality these programs held users’ data for ransom.
Unlike early ransomware developers who wrote the encryption code themselves,[3] today’s attackers tend to use existing products, which are traded under brand names, like Ryuk — with reputations for effectiveness that malware coders cultivate the way a business cultivates its brand. The cybercriminals sell these as ransomware-as-a-service. This has allowed even attackers with less technical know-how to carry out destructive and profitable attacks. CryptoLocker, CryptoWall, Locky and TeslaCrypt are some of the attacks that have emerged from this new industry.
Ragnar Locker, left,[4] is malware that first collects data from infected machines and uploads it to the criminals’ servers. A second module then strongly encrypts files on the infected devices so that users can no longer access them. To obtain the private key needed to access the files again, users must pay a ransom, and they are warned that their data will be destroyed if they fail to pay.
The introduction and use of cryptocurrency within the ransomware industry has also made transactions more difficult to trace than conventional ones. The Ragnar Locker scheme, like most others now, provides a bitcoin wallet for payment.
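The encryption stage described above has a detectable footprint: a ransomware module rewriting many files in a short time produces a burst of writes whose contents are statistically indistinguishable from random, unlike the documents they replace. The following added example (not Bryley's code and not part of the original article) shows a minimal detector of that pattern: it scores each write by Shannon entropy and alerts when several high-entropy rewrites land inside a sliding window. The file-write events, the `.locked` suffix and the thresholds are all constructed for illustration.

```python
import math
from collections import Counter, deque

# Constructed sample of file-write events, not captured telemetry: (timestamp_s, path, new_content)
PLAINTEXT = b"Quarterly revenue report. Region north: 1,204 units shipped, 37 returns.\n" * 4
# A byte permutation stands in for ciphertext: every byte value appears exactly once,
# so its entropy is the maximum of 8.0 bits per byte.
CIPHERTEXT = bytes((i * 73 + 11) % 256 for i in range(256))

SAMPLE_EVENTS = [
    (0.0, "share/finance/q1.xlsx", PLAINTEXT),
    (30.0, "share/finance/q2.xlsx", PLAINTEXT),
    (60.0, "share/hr/handbook.docx", PLAINTEXT),
    # Burst: six files rewritten with ciphertext within a few seconds (".locked" is an assumed suffix).
    (100.0, "share/finance/q1.xlsx.locked", CIPHERTEXT),
    (101.0, "share/finance/q2.xlsx.locked", CIPHERTEXT),
    (102.0, "share/hr/handbook.docx.locked", CIPHERTEXT),
    (103.0, "share/hr/payroll.csv.locked", CIPHERTEXT),
    (104.0, "share/ops/runbook.pdf.locked", CIPHERTEXT),
    (105.0, "share/ops/vendors.txt.locked", CIPHERTEXT),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Office documents and text sit well below 8; encrypted output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class EncryptionBurstDetector:
    """Flags a burst of high-entropy file rewrites inside a sliding time window."""

    def __init__(self, window_s: float = 10.0, burst_threshold: int = 5, entropy_threshold: float = 7.0):
        self.window_s = window_s                  # how far back suspicious writes are remembered
        self.burst_threshold = burst_threshold    # suspicious writes in the window that trigger an alert
        self.entropy_threshold = entropy_threshold
        self._suspicious_ts = deque()             # timestamps of recent high-entropy writes

    def is_suspicious(self, data: bytes) -> bool:
        return shannon_entropy(data) >= self.entropy_threshold

    def observe(self, ts: float, path: str, data: bytes) -> bool:
        """Feed one write; return True when it completes a burst worth alerting on."""
        if not self.is_suspicious(data):
            return False
        self._suspicious_ts.append(ts)
        # Drop writes that have aged out of the window.
        while ts - self._suspicious_ts[0] > self.window_s:
            self._suspicious_ts.popleft()
        return len(self._suspicious_ts) >= self.burst_threshold


def scan(events, detector: EncryptionBurstDetector = None):
    """Run the detector over an event list and return (timestamp, path) for each alerting write."""
    det = detector or EncryptionBurstDetector()
    return [(ts, path) for ts, path, data in events if det.observe(ts, path, data)]


if __name__ == "__main__":
    for ts, path in scan(SAMPLE_EVENTS):
        print(f"ALERT t={ts:.0f}s burst of high-entropy rewrites, latest: {path}")
```

In the constructed sample the three ordinary document writes are ignored, and the alert fires on the fifth ciphertext write at t=104s and again at t=105s. Real deployments would add a whitelist for legitimately compressed or encrypted formats (archives, media, already-encrypted containers) and respond by isolating the host rather than only logging.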
Not Only … But Also
Ransomware was the reason behind forty-one percent of cyber-insurance claims in the first half of 2020,[5] but the repercussions of an attack aren’t limited to financial loss. A ransomware attack can grind your business to a halt and cause severe damage on multiple fronts.
Should your organization’s data become inaccessible, go missing or be destroyed, the damage can be catastrophic. Once data is lost, fully recovering it is a giant task, and getting things back to some state of normal is another enormous job. Consider what happened to these organizations:
An aluminum producer had its computers across 170 different sites hit by a ransomware attack. With no access to its data, its workforce of 35,000 employees had to resort to pen and paper. The company estimated the entirety of the event cost sixty-four million dollars.[6]
Besides suffering $300 million in business interruption losses due to a ransomware attack, a transportation company experienced a twenty-percent drop in volume due to the downtime of a ten-day recovery effort.[7]
A medical center went through a six-week ordeal of manual operations and a recovery process costing ten million dollars after losing access to its computers due to ransomware.[8]
As of Q1 of 2020, the average downtime due to a ransomware attack is sixteen days.[9] Paying a ransom to regain access to data is one thing; making a full recovery after the attack is a separate problem that also must be grappled with. The downtime following an attack is so profound that it leaves businesses in shambles for weeks and makes recuperation and recovery painful.
Damage to Hostage Systems, Data and Files
Only twenty-six percent of organizations hit by ransomware get their data back after paying a ransom.[10] And there’s no guarantee that you will recover your data in its original state even after paying ransom. Crucial servers, data or software may be severely and/or permanently damaged by ransomware and trying to fix these while running daily operations is a mammoth challenge.
The United Kingdom’s National Health Service (NHS) lived through this ordeal when several of its centers had to be shut down during the WannaCry outbreak. Several medical and emergency services were impacted for days.[11]
For organizations that did pay the ransom, the average cost to rectify the damage was nearly $1.45 million, while the average cost for organizations that did not was $732,520.[12]
With an organization falling prey to ransomware every eleven seconds,[13] this cybersecurity threat isn’t getting any weaker. In fact attackers are coming up with newer ways to extort money, such as exfiltrating data and threatening to release it over the internet if the ransom is not paid, also known as extortionware.
Most organizations, especially small- and medium-sized businesses, either assume that they will never experience a ransomware attack or that their cyber-insurance will pay the ransom. While the former is a misconception, as seventy-five percent of ransomware attacks are on businesses with under fifty million dollars in revenue,[14] the latter is a possibility, but only if your cyber-insurance covers ransomware. And insurers are getting tougher and tougher as ransoms skyrocket.[15]
You no longer have the time to put off investing in appropriate cybersecurity strategies that can give you a preventive stance regarding ransomware. There will never be a 100 percent guaranteed protection against ransomware – still there’s a lot you can do to build a strong defense.
Best Practices for Ransomware Prevention
Bryley advocates best practices including threat assessments, a business continuity plan and implementation, a review and improvement of permissions management, endpoint security, identity management, automated phishing defense, Dark Web monitoring and Security Awareness Training.
Start with assessing where you’re most vulnerable, which will likely steer you to a form of business continuity with data recovery (BCDR). BCDR should give you point-in-time restore points (which, for all intents, undo an attack) to bring your business back with minimal lost time.
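A restore point only undoes an attack if two things hold: the copy was taken before the encryption happened, and nobody (the attacker included) altered the copy afterwards. The added example below, which is not Bryley's or any vendor's code, models that in miniature: each restore point keeps a private copy of the files plus a hash manifest, `verify` rejects a point whose copy no longer matches its manifest, and `newest_clean_point` walks backwards from the most recent point to the newest one that both verifies and contains no encrypted files. The file set, the `.locked` suffix used to mark encrypted files and the "attack" are all constructed for illustration; a production system would keep the manifests and copies on storage the compromised host cannot write to.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RestorePoint:
    """Private copy of a file set plus a manifest that lets the copy be checked before it is trusted."""

    def __init__(self, label: str, files: Dict[str, bytes]):
        self.label = label
        # Copy the contents: later changes to the live data (or to another point) must not leak in.
        self.files = {path: bytes(content) for path, content in files.items()}
        self.manifest = {path: _sha256(content) for path, content in self.files.items()}
        # Digest over the manifest itself; in practice stored off-host on immutable storage.
        self.manifest_digest = _sha256(json.dumps(self.manifest, sort_keys=True).encode())


def verify(point: RestorePoint) -> bool:
    """Recompute every hash; a point whose copy was altered after capture fails."""
    recomputed = {path: _sha256(content) for path, content in point.files.items()}
    if recomputed != point.manifest:
        return False
    return _sha256(json.dumps(point.manifest, sort_keys=True).encode()) == point.manifest_digest


def newest_clean_point(points: List[RestorePoint],
                       is_clean: Callable[[str, bytes], bool]) -> Optional[RestorePoint]:
    """Newest point (points are oldest first) that verifies and whose files all pass is_clean."""
    for point in reversed(points):
        if verify(point) and all(is_clean(p, c) for p, c in point.files.items()):
            return point
    return None


def restore(point: RestorePoint) -> Dict[str, bytes]:
    """Return a fresh copy of the point's files for writing back to the live system."""
    return dict(point.files)


def not_locked(path: str, content: bytes) -> bool:
    # Constructed cleanliness check: encrypted files carry an assumed ".locked" suffix.
    return not path.endswith(".locked")


def run_demo() -> dict:
    """Walk through two good backups, an attack, a post-attack backup and a tampered backup."""
    live = {"docs/contract.txt": b"Signed 2020-03-02.", "docs/plan.txt": b"Q2 rollout plan v1"}
    day1 = RestorePoint("day1", live)
    live["docs/plan.txt"] = b"Q2 rollout plan v2"
    day2 = RestorePoint("day2", live)
    # Simulated attack: every file replaced by an encrypted copy (constructed bytes, assumed suffix).
    live = {path + ".locked": b"\x9f\x11\x4c\xe2\x07\xa8\x31\x6d" for path in live}
    day3 = RestorePoint("day3", live)  # a backup taken after the attack faithfully captures ciphertext
    # A copy of day2 that was altered after capture, as an attacker with write access to backups might do.
    tampered = RestorePoint("day2", day2.files)
    tampered.files["docs/plan.txt"] = b"altered after capture"

    genuine = newest_clean_point([day1, day2, day3], not_locked)
    with_tampered = newest_clean_point([day1, tampered, day3], not_locked)
    return {
        "genuine_choice": genuine.label,
        "tampered_choice": with_tampered.label,
        "restored_plan": restore(genuine)["docs/plan.txt"],
        "tampered_verifies": verify(tampered),
        "post_attack_verifies": verify(day3),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

With the genuine chain of backups the recovery lands on day2 and brings back the latest plan, so the attack costs at most the work done after that point. When the day2 copy has been tampered with, it fails verification and recovery falls back to day1; the day3 backup verifies perfectly yet is useless because it faithfully preserved the encrypted files, which is why the cleanliness check and the integrity check are both needed.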
Bryley employs the Kaseya technologies that include Microsoft 365 and G-Suite backup solutions and Unitrends’ on-premises appliances and cloud solutions – to provide safe, redundant and available data. These tools bring full and fast recovery from disaster that can make Ryuk and other ransomware attacks a near non-event for most organizations. For more information about Bryley Business Continuity call Bryley at 978.562.6077 or email ITExperts@Bryley.com.
[2] academia.edu, A Comprehensive Survey, Ransomware Attacks: Prevention, Monitoring and Damage Control
[3] Sometimes there was no encryption. In 2004 Policeware or Police Locker malware changed a user’s desktop screen to show a false note that the user was under investigation by the police or the FBI. People panicked and paid — though a reboot would have cleared the screen’s message. The good old days.
[4] Screen shots of PC Cyborg (top of page) per Sophos and Ragnar Locker per https://www.cyberdefensemagazine.com/
Lawrence writes about networking and security. He’s written for Bryley since 2015.