I recently talked with a friend about using anti-virus software. The topic of conversation was ransomware and how we could protect ourselves against it. When I suggested he try some free antivirus software, his response was surprising to me: “I don’t believe in that stuff.” He explained that he didn’t understand the software and didn’t believe it did anything truly useful. Sadly, this has become the opinion of the average person (1): bias against this kind of technology simply because they understand little about it. This “attitude of ignorance,” however, is hurting those same people who employ it. Because of their ignorance, people and organizations are unknowingly supporting the ransomware industry.
Those who choose to disregard ransomware and other cybersecurity threats as real threats will eventually find their computers hijacked and all their data encrypted, tricked by a specially-designed spam email or some other malicious ploy. It should be and is our job to build up defences against such attacks. By doing so we will be protecting ourselves and others around us.
The Economics of Ransomware
Ironically, this is where the ransomware problem originates. Companies who, like my friend, disregard warnings to take action to protect their data are the ones who pay to get their data back when they eventually become victims. People with misinformation or no information unknowingly create a demand for ransomware by showing hackers that they are willing to pay the ransom. It is as simple as the economic principle of supply and demand—the more demand there is for a commodity, the more people are willing to pay a higher price for that commodity.
Victims are Reliably and Increasingly Paying Ransoms
What other factors are contributing to the demand for ransomware? Current cybersecurity research shows that hackers are becoming better at getting encrypted data back to the user after the user makes the ransomware payment. CyberEdge Group, a leading research and marketing company for the high-tech industry, reported that of the companies surveyed, the percentage that paid the ransom but still lost their data decreased almost 12%, from 50.6% to 38.8% (2). Other sources report that 22% of those surveyed never recovered their data (1). As hackers become more accurate decrypting user data, users are becoming more confident that they will get their data back if they pay the ransom. Consequently, users are more willing to pay to get their data back, and the data reflects that, with an increase in the number of organizations paying the ransom demand (2).
Like my friend, many users are grossly underprepared for malicious events. When an event does occur (to their surprise and chagrin), they are left with few options: either pay the hacker or permanently lose their data. However, most users do not realize that by paying the ransom the first time, they are inviting the hacker to come back again. Surprisingly, many victims are not just attacked once, but twice. Why would a hacker bother hitting someone multiple times? Under the false impression that a ransomware attack is a “one and done” situation, many do not make much more of an effort to increase their security infrastructure after the first attack. This idea is false because the hacker is now familiar with their system, and making a second attack is marginally easier. Additionally, once the attackers know the victim is willing to pay the ransom, there is no reason to find another source when revisiting the same victim means lower risk and lower costs.
Ransomware Operators are Making a Killing
When a hacker is paid, they gain the cash flow to support additional attacks, leading to more victims, which leads to more cash flow—and the cycle perpetuates. We are now seeing the effects of this cycle in the price of ransom payments reported in 2019. Coveware, a ransomware response and analytics company, reported that ransom payments in quarter four of 2019 doubled from the previous quarter, from $41,198 to $84,116 (3). This huge jump in ransom payments reflects the dramatic increase in ransomware attacks across all industries in 2019.
In some cases, the ransom and risk associated with losing the data was so high that the ransomware attacks made headlines throughout the year. Two cities in Florida fell victim to ransomware within a short period of time last summer. One of the cities, Riviera Beach, elected to pay $600,000 in bitcoin to the people who illustrated the attack in order to get back their cities data. Lake City paid just under $500,000 (4).
Not only is the pay great, but it turns out that the cost of ransomware is low. In Q4 2019, over half of the ransomware attacks recorded by Coveware used Remote Desktop Protocol credentials, which can be purchased for under $100 on the dark web (5). With few other pieces of equipment needed, a hacker can recover their costs 800 times over from the average $84,000 ransom demand.
Bill Siegel, CEO of Coveware, speaking about the low cost of ransomware attacks said, “This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cybercrime, so it marches on” (6). So with the increase in ransomware attacks in the last year, why isn’t the trend in ransom payments following Siegel’s statement? The key is the inelasticity of data.
The demand for data directly affects the demand for ransomware. The demand for ransomware is high because the demand for data is high. The demand isn’t very elastic, meaning that demand isn’t as volatile when the price changes because it is difficult to replace someone’s data. What is the consequence? People are willing to pay a very high price to retrieve their data.
The Movement to Stop Ransomware
Some people have recognized this vicious cycle and are taking steps to fight back. Most notable is the No More Ransom Project, started by Europol and other cybersecurity companies. No More Ransom provides tips, suggestions, and decryption tools for people and organizations whose data is encrypted and held for ransom.
Others are trying to do their part by making pacts to not pay ransoms. In 2019, the U.S. Conference of Mayors made a pact to not pay ransoms if their cities are hit with ransomware (7). Local and state governments have been especially targeted starting in 2019 because of their commonly out-of-date IT infrastructure, and the valuable data that they keep. The difference between saying you won’t pay the ransom and then actually doing so is very challenging, however. Due to data privacy and security laws, cities and companies are contractually obligated to keep citizen/customer data, and in the event of ransomware, paying the ransom may be the only option that prevents them from being fined or worse—after all, they were under-prepared for an attack.
As a Member of the Community, You Can Fight Against Ransom Payments
The first step in taking action against this cycle of ransom payments is to educate others and help people recognize the real issue. Without an understanding of what they can do to fight against the ransomware operators, those who are unaware will continue to fuel ransomware operators. As an employee or member of an organization, you are the first line of defense when it comes to protecting your organization against ransomware. When individuals are working to protect themselves, the organization as a whole will be more immune to the ransomware attacks against them. This will then pay dividends to the communities we are a part of and the cycle of ransom payments will diminish.
- Proofpoint, Inc., Ransomware is Big Business, Retrieved from https://www.proofpoint.com/us/threat-reference/ransomware
- CyberEdge Group (2019), 2019 Cyberthreat Defense Report, page 14, Retrieved fromhttps://cyber-edge.com/wp-content/uploads/2019/03/CyberEdge-2019-CDR-Report.pdf
- Proofpoint, Inc., State of the Phish: An in-depth look at user awareness, vulnerability and resilience, Retrieved from https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-state-of-the-phish-2020.pdf
- Mazzei, Patricia (2019), Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000, Retreived fromhttps://www.nytimes.com/2019/06/19/us/florida-riviera-beach-hacking-ransom.html
- Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate, Retrieved from https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
- Viljayan, Jai, Average Ransomware Payments More Than Doubled in Q4 2019, DarkReading, Retrieved from https://www.darkreading.com/risk/average-ransomware-payments-more-than-doubled-in-q4-2019/d/d-id/1336893
- Kamp, Jon (2019), U.S. Mayors Unite Against Paying Ransom to Hackers, Retrieved from https://www.wsj.com/articles/u-s-mayors-unite-against-paying-ransom-to-hackers-11562774950