Spotlight: (almost) everything you need to know about ransomware

In brief

Almost half of all companies experienced at least one cyber ransom incident in 2016 – either a ransomware attack or a ransom denial-of-service attack. That same year, ransomware attacks cost businesses more than US$1 billion worldwide,¹ a figure expected to reach US$5 billion in 2017 and exceed US$11.5 billion by 2019.² Despite the recent surge of high-profile ransomware attacks, and the fact that the potential financial and operational costs mean that a ransomware attack is no longer a remote possibility worth chancing, many businesses are still unprepared. We look at what ransomware is, how it works, what it might put at risk and how much it costs.

Key takeaways

• Don't be fooled by the poor grammar. The ransomware economy has developed into a lucrative and sophisticated industry. Over the past 12 months, the total value of ransomware software sold has soared from $250,000 to more than $6 million,³ as emerging ransomware-as-a-service (RaaS) business models provide malware vendors with an opportunity to share in the profits earned from malicious campaigns.
• Plan for a ransomware attack. Almost half of all companies experienced at least one cyber ransom incident in 2016 and the growing number of attacks in 2017 demonstrated that this trend is not abating.⁴ Considering this reality, ensure that ransomware preparations are at the forefront of your company's risk assessment agenda. Your data breach response plan should specifically contemplate ransomware attacks, and identify which stakeholders should be notified and which issues considered when managing your response to ransomware demands. Given the short deadlines imposed for compliance with ransomware demands, we recommend running through these considerations before any ransomware attack.
• Regularly back up your files. Quite simply, if critical data affected by a ransomware attack is backed up, then there may be no reason to pay the cyber ransom to regain access to your files. Furthermore, you will be better positioned to quickly restore your files and mitigate the risk of any business interruption. It is a good idea to keep multiple backups of your data in different locations. The Netherlands' police initiative known as the 'No More Ransom Project' recommends having one backup copy stored in the cloud and another kept physically.
• Ensure that your operating systems and software are up to date. A large number of ransom attacks take advantage of existing vulnerabilities within outdated software and operating systems. By choosing not to regularly update your systems, you are effectively leaving a spare key out for cyber criminals. Keep your anti-virus software current, fully patch your network as soon as updates are released and ensure that emails are being screened for malware.
• Train and educate your staff. Ransomware operators are turning back to email as the key delivery mechanism for malware and these malicious programs (often masquerading as emails from companies or people that you regularly interact with online) rely primarily on human error to enter your company's servers.⁵ This means that your employees are the first and last line of defence when it comes to protecting against a ransomware attack. Educate your employees on ransomware: how to identify it and what to do if they spot it. Even basic awareness training on recognising suspicious mail and not clicking links or opening attachments from unknown sources can go a long way.
• Is it notifiable? Consider whether the ransomware incident constitutes a notifiable data breach under the incoming Notifiable Data Breaches scheme and/or the EU's GDPR, and whether, if your business is listed, it needs to be disclosed to the ASX under your continuous disclosure obligations. Immediately getting your general counsel or legal advisers involved will assist you in assessing the situation and ensuring that you respond appropriately within the boundaries of the law.
• Know your insurance policy and notify your insurers. If you have an insurance policy that covers cyber extortion, your ability to claim under the policy may be contingent upon immediately notifying the insurer that an incident has occurred, taking steps to verify that the attack is genuine and reporting this to the authorities, among other things.
• For key considerations to keep in mind when determining whether to pay a ransom, please refer to our article Should you pay a cyber criminal's ransom?.

What is ransomware?

Ransomware is a malicious software that prevents access to a device, or holds files on a device hostage, unless a ransom is paid.

Ransomware achieves this by either encrypting files on a device or infecting a device's operating system to prevent a user from accessing the device and any files. Attackers normally request a ransom, preferably to be paid in Bitcoin or other digital tokens, in return for a decryption key to recover files or unlock the device.

Of course, there are no guarantees that the attackers will not strike again, or that the files will be unlocked or recoverable, even if the ransom is paid. Many victims of ransomware who do pay the ransom never regain access to their files: one report indicates that this occurs in 20 per cent of cases, whereas other sources suggest that this figure could be as high as 47 per cent.⁶ While there are a number of ways to remove ransomware, it can be nearly impossible to recover encrypted files if the malicious software uses complex levels of encryption.

How does ransomware infect devices?

Attackers have used a variety of measures to trick users and infect devices, including:

• deceiving people into downloading the ransomware from a fake attachment or link that appears legitimate, such as a fake bill sent by email or an attachment in a message sent from a Facebook friend whose account has been compromised;
• purchasing advertising spaces on popular websites and uploading advertisements that appear to be legitimate but instead link the user to ransomware; or
• exploiting vulnerabilities and security holes in software systems that have not been patched or updated either by the user or supplier.

Interestingly, the increasing regularity of security updates in modern operating systems has meant that cyber criminals are turning (back) to email as a means of delivering ransomware quickly and cost-effectively.⁷ By inviting users to interact with malicious software through the use of advanced social engineering techniques, malware is able to evade a system's technical defences and effectively given a backdoor entrance into local networks. For more information on social engineering techniques, please see our article The Australian Cyber Security Centre's 2017 Threat Report.

What devices are at risk?

The types of devices that a virus can hold to ransom are limited only by their capacity to connect to the digitised world around them, including everything from mobile phones to videogame consoles.

Of particular concern, medical devices with Bluetooth and internet connectivity are also vulnerable to ransomware attack. Often designed for functionality, rather than security, medical devices are an easy target for perpetrators of ransom-related cyber crime. Cyber criminals are also well aware that healthcare facilities are likely to submit to a ransom demand, as any delay or refusal has the potential to affect the lives of patients in their care. Ransomware attacks on the healthcare industry are expected to quadruple by 2020.⁸ For more on the risks associated with medical devices in the digital age, please see our article Unexpected risks of the IoT revolution.

What are the costs?

Recent outbreaks of ransomware have shown that the costs associated with this species of cyber attack are not limited to payment of the ransom. A successful ransomware incident has the capacity to interrupt ordinary business operations and cause significant reputational damage. These direct and indirect costs include:

• Financial – ransom payments: Thirty-four per cent of ransomware victims worldwide end up paying a ransom in order to regain access to their data. In 2016, this amounted to a total cost of US$1 billion in ransom payments.⁹ Startlingly, this figure doesn't include the additional costs that a company faces in the aftermath of a ransomware attack. For more information on whether to pay a cyber ransom, please see our article Should you pay a cyber criminal's ransom?.
• Financial – associated costs: The British insurance company Lloyds estimates that cyber attacks cost businesses as much as $400 billion a year.¹⁰ This cost is principally associated with the destruction of data, lost productivity, post-attack disruption to business, investigation, attempted restoration and recovery of computer systems, employee training, legal costs and more. In the US, a law firm held to ransom by a malicious program for $25,000 lost a further $700,000 in potential earnings in the time it took to resolve the issue.¹¹ More significantly, the NotPetya cyber attack on TNT Express cost FedEx US$300 million, resulting from the business interruption caused by the ransomware incident.¹² This was in addition to a 79 per cent fall in the international delivery company's share price – almost 40 times more than the 2 per cent fall brought about by the impact of Hurricane Harvey.¹³
• Inability to provide services: Ransomware attacks have also halted the provision of critical services to citizens. For example, in the United Kingdom, the National Health Service was forced to cancel more than 6,900 patient appointments as a result of the WannaCry attack, which prevented access to patient files.
• Reputational damage and contractual ramifications: Ransomware attacks tend to reveal which organisations continue to run outdated software systems, and which have weak prevention and response plans in place. Loss of business is a natural consequence of customers questioning whether to trust such companies, especially when they are marketing services that rely on the use of an individual's personal, sensitive or financial information. Similarly, legal disputes will inevitably arise in relation to contractual obligations within supply contracts to keep computer systems up to date and secure, if ransomware attacks reveal that those obligations aren't being met.

Ransomware is big business

Cyber criminals traditionally sought financial gain from their victims by stealing data. Significantly, this process was reliant on the stolen data either being valuable to a wider audience (eg credit card details or passwords) or itself open to exploitation by the cyber criminal.

Modern-day ransomware operators are now finding it more lucrative to sell data back to its original owners. This development rests on the generally accurate presumption that data holds significant value for the individual or company to which it relates. By transitioning from theft to extortion, cyber criminals have simplified their digital business model, while greatly increasing their chances of financial return. Most remarkably, the growth of ransomware has led to the development of the RaaS business model.

As ransomware is relatively easy to develop with the right skills, program developers are turning to the dark web to sell their malware products. Over the past 12 months, the total value of ransomware sold has soared from $250,000 to more than $6 million.¹⁴ In return, malware vendors generally require that customers provide them with a share of the profits earned from their malicious campaign. For $175, customers can purchase an easy-to-use ransomware kit on the dark web marketplace, with a number of cheaper cloned models selling for as little as $1. In this way, the ransomware economy is quickly evolving into a goods and services industry.

Until the trend is taken seriously and viewed as a real threat to businesses and individuals alike, the ransomware market is unlikely to slow down. Generating US$1 billion in profits during 2016, and expected to have broken $5 billion in 2017,¹⁵ ransomware looks to become an ever more significant drain on the global economy.

For more on the history of ransomware and some of the more infamous attacks of 2017, please see our article Ransomware: the year in review.