Data encryption — and ensuing operational dysfunction — is only a modest element of a ransomware attack. In the last year, ransomware operators have tried their hand at data exfiltration, and it's working.
"The calculus that the attackers are counting on, is these businesses want to keep it quiet. They want to get back to normal operations as quickly as possible and so they're willing to pay," said Chris Hallenbeck, CISO for the Americas at Tanium.
Manufacturers, professional services and government organizations are the sectors most targeted by ransomware this year, according to IBM's Security X-Force. It indicates cybercriminals' preference for victims with "a low tolerance for downtime" because the industries are only as valuable as their uptime.
Ransomware catches victims unaware, putting organizations in a chokehold before they know an attack has occurred. Squeezed from the inside out, ransomware victims experience attacks in different ways: halted operations, breached data, ransom payment, recovery costs, legal ramifications, and a damaged IT infrastructure.
Depending on the effect of the attack, the ancillary costs can outlive the technical remediation by months or years.
No matter what a company does, ransomware attacks are expensive. The costs manifest internally and throughout the economy at large. In 2019, ransomware attacks cost the U.S. economy upwards of $7.5 billion, according to Emsisoft.
"Even if human lives are not at risk, if your production line outputs $3 million per day, and it will take three weeks to restore services, and the ransom is only $5 million, financially it makes business sense" to pay, said Bill Swearingen, security strategist at IronNet.
Somebody's going to pay
Some of the most destructive and costly ransomware attacks originate from the actors that introduced data exfiltration to the malware's M.O.
Since April 2019, the REvil ransomware strain, also known as Sodinokibi, has hit at least 140 organizations, with more than 80 of those organizations in the U.S. IBM estimates more than two-thirds of REvil's targets paid the ransom, while 12% of targets had their stolen data auctioned off on the dark web.
"The attack resulted in unauthorized access to certain data and caused significant disruption to our business," Cognizant, which was hit by Maze, said. The cost of containment, investigation and overall recovery threatens to "exceed our insurance policy limits or may not be covered by insurance at all."
Cognizant said its adjusted operating margin was down 200 basis points (2%) year over year, of which "a 140 basis point impact," or 1.4%, was attributable to Maze, according to its Q2 2020 earnings call.
Maze and REvil pioneered the "blended extortion-ransomware attacks," according to IBM Security X-Force. In 2020, REvil accounted for 29% of ransomware "engagements," while Maze accounted for 12% and Snake accounted for 6%. The remaining 53% were other strains of ransomware.
Snake was designed "to terminate the named processes on victim machines," according to a study of the malware from Dragos. The ransomware was unique because, while ransomware has previously targeted ICS environments, "prior events all feature IT-focused ransomware that spreads into control system environments by way of enterprise mechanisms," said Dragos.
Snake's operators want to disturb ICS operations and often target organizations in energy, architecture firms, healthcare, transportation and manufacturing, according to Palo Alto Networks' Unit 42. LockerGoga also favors organizations responsible for critical infrastructure.
When the LockerGoga ransomware hit aluminum producer Norsk Hydro in March 2019, it cost the company between $70 million to $80 million by the end of the year. In a study of LockerGoga, Dragos found Norsk Hydro's attack "incorporated unique disruptive characteristics calling into question whether the attackers ever intended to decrypt systems after infection."
There isn't enough evidence to prove that the attack was state-sponsored with the sole intention of disrupting operations, but it is reminiscent of the chaos caused by NotPetya in 2017.
NotPetya was a wiper disguised as ransomware: it presented a ransom note, but its victims' data could not be recovered by paying. It left a wake of collateral victims, including shipping giant A.P. Moller - Maersk. In 10 days, Maersk reinstalled more than 4,000 servers, 45,000 PCs and 2,500 applications, with recovery costs mounting to $300 million — and it wasn't the intended victim of the malware.
FedEx lost about $400 million from NotPetya. By June 2018, the company still anticipated spending a further $250 million to $300 million on integration costs for more flexible IT and additional cybersecurity measures. Pharmaceutical company Merck lost about $670 million to NotPetya in 2017 because of disrupted sales and research operations. Food manufacturer Mondelez International is still locked in a legal battle with its insurer over NotPetya-related damages.
Press 1 for a customer service representative
NotPetya offered no working decryption to the victims that paid; ransomware operators have since adjusted their business practices to avoid that reputation.
"The weirdest, strangest thing is the business [of ransomware]," said Hallenbeck. Ransomware operators pride themselves on their customer service. "They know that if word gets out that they're not good to their word, it doesn't actually unlock, then people will start to do a different calculation."
Emsisoft anticipates more than $25 billion paid in ransoms this year with the overall global economic impact reaching nearly $170 billion. "And these are extremely conservative estimates," the cybersecurity company said.
Between January 2013 and July 2019, more than $144 million in ransoms were paid, according to Joel DeCapua, an FBI supervisory special agent in the global operations and targeting unit, speaking at the RSA Conference in February. By tracing bitcoin payments, the FBI identified the most profitable ransomware strains of recent years.
Most profitable ransomware

| Ransomware strain | Money generated |
|---|---|
| Ryuk | $61M between February 2018 and October 2019 |
| Crysis/Dharma | $24M between November 2016 and November 2019 |
| Bitpaymer | $8M between October 2017 and September 2019 |
| SamSam | $6.9M between January 2016 and November 2018 |
Ransomware started to commercialize in earnest in tandem with the popularization of bitcoin and other cryptocurrencies, according to Hallenbeck. Cybercriminals found a "perceived ease in which you can transfer out, relatively untraceable … those two things kind of got cobbled together" and accelerated ransomware's spread.
IBM determined that REvil's operators calculate their ransom based on their target's annual revenue. The ransomware is said to have earned its operators $81 million so far this year.
When hit by REvil on Dec. 31, 2019, Travelex paid a $2.3 million ransom, according to reports in April. The company's financial filings have not yet accounted for the response or mitigation costs of the cyberattack.
The average ransom demand is between $150,000 and $250,000, up from about $5,000 in 2018, according to Emsisoft. The highest known ransom demand is $42 million, likely linked to REvil, according to IBM.
A new line of business
The limbo between paying and not paying a ransom created a new line of business: ransom negotiators. Garmin allegedly paid hackers after ransomware triggered a global outage. The company tapped Arete to negotiate the ransom, Sky News reported in August. "Neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so," according to the report.
But Garmin's alleged attack was from WastedLocker. The ransomware is linked to Russia-based Evil Corp, a group sanctioned by the Treasury Department. If Garmin paid a ransom to a sanctioned group, the fitness wearables company could face federal fines. Arete has previously argued against WastedLocker's relationship to Evil Corp, dismissing the possibility of penalties.
"By threatening to impose fines for ransom payments, the Treasury Department is looking to find ways to encourage companies to take IT and security seriously, and invest in capabilities now, before they are faced with a scenario where they are forced to pay. However, this is victim blaming, and kicking them when they are down," said Swearingen.
An operationally disruptive cyberattack sometimes gives victims only a couple of hours to decide whether to pay the extortion demand, said Allan Liska, senior security architect at Recorded Future. Organizations outside of critical infrastructure might have five to seven days to decide.
Paying a ransom might lead to a penalty from the Treasury Department's Financial Crimes Enforcement Network (FinCEN) or Office of Foreign Assets Control (OFAC), while the accompanying data breach falls under the purview of privacy regimes such as the CCPA or HIPAA.
Because of ransomware's modern duality — encrypted and stolen data — "you get fined either way," said Liska. "Especially when you're a healthcare provider, you're kind of stuck."