A new report looking at the behavior, market conduct and outcomes of ransomware attacks suggests that there is not only honor among cyber thieves, but that the ransomware market is becoming efficient, even automated. Coveware, a company that specializes in cyber incident response and in successfully negotiating ransomware attacks, sheds light on this frequent scourge in the cyber risk landscape, which has moved “down market” as larger and more valuable targets harden their virtual defenses. Not unlike the other dark recesses of the internet, the world of cyber threats is not only misunderstood, it is woefully under-reported because of the twin stigma victims carry: first, the potential embarrassment and business backlash of having to report compromised systems or a breach of privacy; second, the broad misunderstanding that paying a cyber ransom or extortion fee may itself be illicit, which it is not.
While the stigma of a ransomware attack (and the cleansing or decryption process) only adds insult to injury, the world of ransomware, like other questionable activities on the web, plays to the psychology between the keyboard and the chair. A confession that a firm, employee, computer endpoint, database or network may have been compromised by ransomware begs many questions about cyber hygiene and online conduct in the first place. Add in the trepidation and complexity of paying a ransomware demand, which sadly is often the first time people directly interact with bitcoin, the favored currency of cyber ne’er-do-wells, and the recovery process can not only paralyze decision making, it can grind operations to a halt. This is where second-order costs begin to mount, and the real business continuity threat rears its ugly face. Cyber attackers know this harsh reality, and they play to the psychology of fear and the almost certain risk of bankruptcy if a small firm neither complies with the payment demand nor restores its systems on its own.
As with any chain of resilience, an economy is only as strong as its weakest link. When it comes to cyber risk, small to mid-sized enterprises are not only massive points of vulnerability, they are often the ones facing the crippling effects of cyber-attacks, for which they are easy prey. This exposure in turn can have a knock-on effect even on larger companies that rely on smaller players in their supply chains. The backdoor into Target’s systems, for example, was a connected heating and cooling vendor that had access to its networks. According to Coveware’s new report, the average cost of the ransomware incidents it has responded to and surveyed comes out to $36,586. To large firms, this figure may be a mere rounding error that can be absorbed either by their balance sheets or by a cyber insurance policy, which enjoys wider adoption up market. To small and mid-sized enterprises, however, parting ways with $36,586 may not only be the cost of a full-time employee, it may be the sum of the financial reserves on hand. This figure follows the payment of cyber ransom and extortion costs, which average around $5,000, payable in bitcoin in 98% of the cases Coveware surveyed.
What is more damaging than the increasingly efficient ransomware and cyber extortion market is the operating reality that this threat is deliberately designed to wreak maximum havoc on affected computer systems and data. Herein lies the leverage that cyber attackers exploit: pay up or risk shuttering your business, a stark choice that victims are growing all too familiar with. Interestingly, and suggesting that ransomware attackers and cyber extortionists are really in pursuit of quick money, Coveware is reporting a 100% success rate in instances where ransoms are paid. Indeed, the market has become so efficient, and attackers so “customer” friendly, that automated payment and service websites are being set up to ease the payment process, the commerce, and the exchange of money for decryption tools. It would appear these attackers are aiming to stay below a certain criminal radar not only by targeting a wide surface area of small enterprises, but by exacting costs of around $5,000, which, while damaging to some, may be of nuisance value to law enforcement.
For far too many people and organizations falling prey to these types of cyber-attacks, it is also their first introduction to the world of cryptocurrencies, and bitcoin in particular. Ironically, ransomware attacks that rely on bitcoin as a means of payment are exposing cyber criminals to an increasingly efficient forensics and criminal dragnet. This is emblematic of the relatively small financial haul of the WannaCry ransomware attack of 2017, which, despite spreading to more than 150 countries and affecting thousands of organizations around the world, only managed to retrieve $64,000 in bitcoin payments. While these first-order costs are only one part of the economic harm caused by the ransomware scourge, the real issues posed are business continuity risks and data integrity risks. For groups that rely on information and data access as the lifeblood of their operations, where in some cases lives are literally at stake, such as hospitals, ransomware poses a much bigger risk than the noisome $36,586 average cost. Attackers exploit this psychology, much as we saw with the shift in physical kidnap and ransom events, which went down market when desirable targets hardened their security. This in turn led to the spread of express kidnappings. Cyber ransom and extortion attacks targeting small firms are mirroring this market dynamic: the more efficient the dragnet and the speedier the payment, the sooner firms are let go, though with some virtual bumps and bruises, much like an express kidnapping.
Similar market dynamics are visible in the fact that small to midsize enterprises are increasingly the targets of choice for “express” cyber extortion. This suggests that large enterprises have not only successfully hardened their perimeter against these risks, pushing the risk downstream, they have also made their payments, and the public discovery of any paid ransom, something that is not widely disclosed. As with the shifts in physical kidnapping and ransom threats, another likely development that should worry national security and cyber security leaders is the growing specter of cyber and ransomware attacks with political, military or terrorist motives. This much is outlined in the book Virtual Terror, which chronicles the rise of cyber terrorism, for which there is no economic remedy save prevention, good cyber hygiene and data recovery plans.
Offsetting this increasingly measurable risk through insurance markets or other hedging mechanisms is not readily adopted by small to midsize firms. Many wrongly believe that they do not face a cyber risk like large firms do, in part because they may not store private information, and therefore perceive that they have a lower compliance obligation to their customers or stakeholders. Nothing could be further from the truth, and all firms should view cyber threats as a business continuity risk. Additionally, small firms may not buy stand-alone cyber insurance because of the phenomenon of “Frankenstein” insurance policies that create the placebo of safety but may in fact offer a very thin layer of coverage with many holes in it. The more market insights become available about the threat landscape and economic impacts of ransomware attacks, the more insurers and risk-transfer providers can evolve their solutions, while firms review their cyber hygiene and defensive posture.