Understanding the true, hidden costs of ransomware attacks on the business

Paying the ransom is just the tip of the iceberg

by James R. Slaby

Ransomware, one of the fastest-growing malware hazards of the 21st century, threatens businesses and public institutions around the world. A particularly virulent and fast-evolving species of malicious software, it infects computers and mobile devices, often spreading across networks to other devices. Once it compromises a system, it quietly encrypts every data file it finds, then displays a ransom note to the user demanding an online payment of hundreds or thousands of dollars (to be paid in cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files.

A notorious example of a ransomware attack that hit companies worldwide was the spring of 2017 WannaCry outbreak, which afflicted over 200,000 computers in over 150 countries. Its global costs have been estimated to total a whopping $8B. In the summer of 2017, the NotPetya ransomware variant ensnared thousands of business and public institutions in a global net, and despite letting victims pay a ransom, wreaked essentially unrecoverable damage.  The autumn of 2017’s Bad Rabbit ransomware outbreak disrupted thousands of systems across Russia, Ukraine, and the European Union.

In planning defensive strategies, IT security professionals must recognize that the cost of a ransomware attack goes far beyond the extortion payment. A steadily growing list of victimized companies have reported  that other costs associated with an attack – downtime, lost sales opportunities, angry customers, the expense of attack mitigation and recovery, damage to company brand reputation, penalties for unmet contractual obligations to customers, and fines for non-compliance -- make the cost of the ransom look trivial.

Ransomware attacks have wreaked extensive downtime and economic harm on many industries, including police departments, local governments, automotive manufacturers, logistics companies, financial services institutions, healthcare providers, and transportation systems around the world. Hardly a week goes by without news of another successful and costly ransomware attack. Here are just a few examples:

• The United Kingdom’s National Health Service (NHS). The global WannaCry outbreak of 2017, which afflicted over 200,000 computers in over 150 countries, brought hundreds of NHS facilities to a standstill for several days, resulting in the cancellation of thousands of operations and appointments and the frantic relocation of emergency patients from stricken emergency centers.
• Erie County Medical Center (New York, USA), which lost access to 6000 computers, requiring six weeks of manual operations and a recovery process that ultimately cost US$10M.
• Danish transportation and logistics giant Maersk suffered $300M of business interruption losses due to a ransomware attack. The downtime forced a 20% drop in its shipping volume when it had to fall back to manual operations during the recovery effort, which required Maersk to re-install 4000 servers, 45,000 PCs, and 2500 applications over ten days.
• Tech vendor Nuance recently reported that a ransomware attack it suffered in the fall of 2017 cost it $68M in refunds to customers for service disruptions and another $24M in cleanup costs.
• British pharmaceutical and CPG maker Reckitt Benckiser estimated that its victimization by the NotPetya ransomware cost it $140M dollars in disrupted production, goods it could not deliver to customers, and cleanup and recovery costs.
• At France’s Renault and its Japanese partner Nissan, so many computers were brought down by the WannaCry ransomware epidemic that both were forced to idle some of their plants in Europe. Facilities in France, Slovenia and Romania were hit so hard that Renault shut down industrial activity at them; at least one facility remained offline for days.
• South Korean web hoster Nayana was laid low by the WannaCry outbreak, and ended up paying $1M in Bitcoin ransomware to regain access to 150 servers and restore web services to 3400 customers.
• The aggregate dollar value of ransoms that criminals have successfully collected from victims shows an alarming trend. Total ransoms surged from $325M in 2015 to $5B in 2017, and are projected to reach $11.5B by 2019.

Industry researchers have compiled some scary facts and statistics about the cost and frequency of ransomware attacks:

• According to the Tech Transformers, ransomware attacks costs smaller companies an average of $713,000 per incident, a combination of the expense of downtime and lost business due to reputational harm.
• Law enforcement and security experts agree that paying the ransom is a very poor defense: over half of ransomware victims who pay do not successfully recover their files, either because the extortionists fail to deliver the promised keys, or have implemented the encryption/decryption algorithms so poorly that the keys don’t work.
• Recovering files from backup and restoring encrypted systems is often easier said than done. According to Intermedia research, nearly three out of four companies infected with ransomware suffer two days or more without access to their files. Around 30% go 5 days or longer without access. The recent ransomware attack on the City of Atlanta (Georgia, USA) found it unable to access its systems after nearly two weeks.
• As more ransomware victims heed the experts’ advice not to pay the ransom, the rate of total ransomware attacks keeps rising, with criminals turning their sights on verticals like healthcare and law enforcement that tend to be more willing to pay because of the life-and-death consequences that can result from computer downtime in their fields.
• Ransomware is projected to attack one business every 14 seconds by the end of 2019, up from every 40 seconds in 2018. According to other statistics, 71% of companies targeted by ransomware attacks have actually been infected, and half of successful ransomware attacks infect at least 20 computers in the company.

The reasons for the rapid growth of this particular category of malware are mostly attributable to its evolution from a one-time cottage industry to a modern, criminal version of the software-as-a-service business. Ransomware gangs copied the model of tech vendors like Salesforce.com, continually and rapidly developing and improving their product and relying on a network of Internet-based “distributors” – lower-level, relatively-unskilled criminals willing to push the malware onto as many machines as possible in return for a cut of the ransom – to get their product into the marketplace.

These criminal front men use a variety of techniques to propagate ransomware attacks, including blasting out phishing emails with infected web links or attachments, placing bogus online ads that lead users to fake websites that invisibly download malware to anyone that visits them.

Meanwhile, the highly-skilled back-end developers labor to create new variants that can exploit operating system and application vulnerabilities, take advantage of unwary end-users, and evade anti-virus software and other defenses created by the IT security industry. They also build sophisticated distribution, monitoring, notification and payment infrastructures which they make available to their “distributors” for free. All anyone needs to get into the ransomware distribution racket is moral flexibility, a browser, and an Internet connection to access these easy-to-use tools, start spreading ransomware around, and begin extorting cash from victims. It’s called ransomware-as-a-service.

In the face of this rapidly-growing threat, businesses and public institutions can take concrete steps to protect their systems from the operational disruptions and high costs of ransomware attacks. Step one is to start educating employees on the techniques that ransomware distributors use, teaching them to be cautious about the online advertisements and email links they click on, the websites they visit, and the attachments they open.

Good network and security hygiene measures remain important, like segmenting networks to make it harder for ransomware to spread from system to system, keeping endpoint anti-malware software up-to-date, and patching known vulnerabilities in operating systems and applications as quickly as possible.

Finally, given the high success rate of ransomware attacks, it is imperative to institute a rigorous backup regimen and keep multiple copies of critical business and patient data both locally, offsite and in the cloud.  Routine, frequent backup remains the most foolproof defense against ransomware: if your systems are compromised, you can simply identify the onset of the attack and restore your systems from clean backups created before the incursion.

To avoid becoming victims of the next widespread ransomware attack, businesses and public institutions will have to deploy the basic measures outlined above, and consider deploying leading-edge technologies for ransomware defense like Acronis Active Protection, a free extension to Acronis Backup and Acronis Backup Advanced that uses machine learning to identify ransomware attacks in progress, instantly terminate them, and automatically restore any damaged files.

For case studies of enterprises that have used Acronis Active Protection to effectively protect themselves against ransomware attacks, see these stories on auto dealership Ready Honda, electronics manufacturer Johnson Electric, and aluminum refining giant Hydro Alunorte.

For details on how Active Protection works, see: https://www.acronis.com/en-us/resource-center/resource/276/