- Building on the success of ransomware in recent years, bad actors are focusing on the development of new ransomware variants and forgoing other types of malware, according to Val Cofield, deputy assistant director of the FBI's cybersecurity division, during a webinar hosted by the Cybersecurity & Infrastructure Security Agency (CISA) Tuesday.
- "Attempts to quantify the impacts of ransomware attacks are difficult," said Cofield. Adjusted losses for the "American public" amounted to more than $29 million, though the total does not reflect lost business, time, wages, files, equipment, or the cost of third-party remediation. Because some incidents go unreported, the estimated overall ransomware loss is "artificially low," according to the agency's annual Internet Crime Report released in March.
- The FBI recorded 2,474 ransomware incidents in 2020, up 21% year over year, according to the report. There were 2,047 ransomware incidents in 2019 and 1,493 in 2018.
Security experts recommend prioritizing network segmentation and identification of critical data over adding more choke points. Organizations need to make sure their backups are inaccessible to bad actors; otherwise payouts become inevitable.
The main barriers to increasing cybersecurity maturity are accessibility and bandwidth for small- to medium-sized businesses, said Megan Stifel, executive director, Americas at the Global Cyber Alliance, during the webcast. "I don't mean the speed at which they receive data across the internet. But rather, they're managing so many different constraints on their time, especially during the pandemic."
More actors are "exploiting that seam between public and private entities to, among other things, launch ransomware attacks," she said. Data exfiltration and ransomware have become virtually synonymous.
Defense contractor Communications & Power Industries (CPI) was hit by ransomware in March 2020 with a reported $500,000 extortion that the company is said to have paid, reported TechCrunch. Babuk ransomware actors stole more than 700 GB of data from a defense and aerospace company.
While the FBI encourages a relationship with the victim organization, some businesses are hard-pressed to involve law enforcement when fines could follow an attack.
In October, the Treasury Department threatened sanctions against organizations in cases where ransomware victims pay extortionists. The department's Office of Foreign Assets Control (OFAC) included cyber insurers and digital forensics and incident response providers in the mix of possible penalty recipients.
Companies typically tasked with response and recovery are prime candidates for fines if OFAC determines they violated regulations. Organizations with limited resources to mitigate or recover from attacks lean toward paying the fine, sometimes on the advice of third parties.