Ransomware business model: What is it and how to break it?

July 25, 2023  |  Shigraf Aijaz

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The threat of ransomware attacks continues to strike organizations, government institutions, individuals, and businesses across the globe. These attacks have skyrocketed in frequency and sophistication, leaving a trail of disrupted operations, financial loss, and compromised data. Statistics project a new ransomware attack every two seconds by 2031, while companies lose between $1 and $10 million because of these attacks.

As the security landscape evolves, cybercriminals change their tactics and attack vectors to maximize their profit potential. Previously, ransomware attackers relied on tactics like email phishing, remote desktop protocol vulnerabilities, supply chain compromises, and exploit kits to breach systems and implant ransomware payloads. Now, however, attackers have significantly changed their business model.

Organizations need to adopt a proactive stance as more ransomware gangs emerge and new tactics are introduced. They must aim to lower their attack surface and increase their ability to respond to and recover from the aftermath of a ransomware attack.

How is ransomware blooming as a business model?

Ransomware has emerged as a thriving business model for cybercriminals. It is a highly lucrative and sophisticated method in which attackers encrypt the data and release it only when the ransom is paid. Data backups were one way for businesses to escape this situation, but those without them had no option except to pay the ransom. If organizations delay or refuse to pay, attackers threaten to exfiltrate or leak valuable data. This adds more pressure on organizations to pay, especially if they hold sensitive customer information and intellectual property. As a result, over half of ransomware victims agree to pay the ransom.

With opportunities everywhere, ransomware attacks have evolved as threat actors keep looking for new ways to expand the attack vectors and scope of their operations. For instance, the emergence of the Ransomware-as-a-Service (RaaS) model lets non-technical threat actors participate in these attacks. Affiliates rent or buy ransomware toolkits to launch attacks, while the toolkit developers earn a portion of the profits instead of performing the attacks themselves.

Moreover, a new breed of ransomware gangs is also blooming in the ransomware business. Previously, Conti, REvil, LockBit, Black Basta, and Vice Society were among the most prolific groups launching attacks. Now the Clop, Cuba, and Play ransomware groups are gaining prominence as they exploit zero-day vulnerabilities and impact a wide range of organizations.

Ransomware has also become a professionalized industry in which attackers demand payment in Bitcoin only. Cryptocurrency provides anonymity and a more convenient way for cybercriminals to collect ransom payments, making it more difficult for law enforcement agencies to trace the money. Though the FBI discourages ransom payments, many businesses still facilitate the attackers by paying the ransom in Bitcoin.

What's the worst that can happen after a ransomware attack?

A ransomware attack has consequences for businesses, individuals, and society. Because these attacks are so prevalent, there are privacy risks in almost every activity online. They are not only a hazard to the targeted organization; they also carve pathways that disrupt the online privacy of every associated client, customer, and partner. Here's a brief look at the worst outcomes that can follow a ransomware attack:

No data recovery and repeated attacks

Ransomware attacks can result in significant data and financial loss. Despite the attackers' promises, paying a ransom is no guarantee that the cybercriminals will return or delete the data they have already compromised. A study finds that nearly 200,000 companies failed to retrieve their data after paying the ransom. Moreover, businesses willing to pay the ransom make themselves a more attractive target. The same study finds that 80% of companies that paid were hit by a second ransomware attack, with 68% saying the second attack came less than a month later, and that the attackers demanded a higher amount.

Financial instability

The most significant impact of ransomware attacks is the devastating financial loss. These attacks are projected to cost victims around $265 billion annually by 2031. The victims are usually organizations, which are likely to incur the costs associated with customers' data, investigating the attack, restoring the systems, and deploying robust security measures to avoid further attacks. In addition, if an organization fails to recover its data, it may experience long-term financial instability due to operational disruptions, reduced productivity, revenue loss, and legal liabilities.

Lawsuits and regulatory fines

Cybercriminals exfiltrate valuable data in ransomware attacks. This can result in lawsuits filed by the affected parties whose data was compromised. Equip Systems, US Fertility, TransLink, and Canon are some of the companies that faced lawsuits following ransomware attacks. Additionally, most businesses are subject to data privacy regulations such as HIPAA, GDPR, and CCPA. If attackers exfiltrate data that includes personally identifiable information or financial or medical records, the organization faces regulatory fines, loses customers' trust, and suffers significant reputational damage.

Operational downtime

Ransomware attacks paralyze an organization's everyday operations, resulting in significant downtime and productivity losses. Statistics reveal that, on average, organizations experience almost three weeks of downtime in the aftermath of a ransomware attack. When critical infrastructure, networks, or systems are compromised, businesses cannot provide their services, and this downtime significantly impacts their profits and earnings.

Breaking down the ransomware business model

The risk of ransomware attacks is bigger than many organizations might realize. However, the good news is that there are plenty of measures that businesses can take to mitigate these attacks:

  • Use data backups: Regularly backing up data makes recovery possible after a ransomware attack. Businesses must ensure that all critical business data is backed up and stored in a location inaccessible to attackers.
  • Upgrade, update, and patch systems: The older an operating system gets, the more likely malware and other threats are to target it. Therefore, retire legacy devices, hardware, or software that the vendor no longer supports. It is also crucial to apply fixes to network software as soon as they are released.
  • Reduce the attack surface: Organizations with clearly defined rules have been able to mitigate the impact of an attack during its initial stages. Hence, create attack surface reduction rules that block the common tactics attackers use to launch an attack.
  • Network segmentation: Design logical network segmentation based on least privilege, which reduces the attack surface and limits lateral movement. If a malicious actor bypasses your perimeter, network segmentation can stop them from moving into other network zones and protects your endpoints.
  • Have a handy incident response plan: A survey finds that 77% of respondents say their businesses lack a formal incident response plan. A well-informed incident response plan helps businesses manage ransomware attacks better, minimize their impact, and recover faster.
  • Deploy XDR and SIEM tools: These tools provide holistic insight into emerging threats and enhance security professionals' ability to detect and respond to ransomware attacks.
  • Employee education: Humans are an organization's weakest link, and ransomware groups exploit this to launch attacks. To close this gap, businesses must educate their employees about the latest trends, attackers' tactics, and how to respond promptly.
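The "Deploy XDR and SIEM tools" point above is where detection logic actually lives. As an added illustration that is not part of the original article, the following Python example shows the kind of rule a SIEM would run over file-activity audit events: it flags any process on a host that rewrites many files into an unfamiliar extension inside a short time window, which is the footprint a ransomware encryptor leaves on a file share. The event format, the process names, the list of "known" extensions, the thresholds and all sample log lines are constructed assumptions for this example, not anything from the article or from a specific product.

```python
"""Added example (not from the original article): a minimal SIEM-style
detection over constructed file-activity audit events.

Rule: alert when one (host, process) pair writes at least THRESHOLD files
whose extension is not on the organisation's known list within WINDOW_SECONDS.
Bulk renames of documents to a new extension are the classic on-disk trace of
a ransomware encryptor; normal office and backup software keeps familiar
extensions, so it stays below the bar even when it writes a lot.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample audit events, one per line:
#   "<ISO timestamp> <host> <process> <action> <path>"
# 'updater' is a hypothetical process name standing in for an encryptor.
SAMPLE_EVENTS = """\
2023-07-25T09:00:01 ws-17 libreoffice write /home/ana/docs/q2-report.docx
2023-07-25T09:00:05 ws-17 backupd write /srv/backup/2023-07-25.bak
2023-07-25T09:00:09 ws-17 cleanup.sh write /tmp/scratch-1.tmp
2023-07-25T09:01:00 ws-17 updater write /home/ana/docs/q2-report.docx.locked
2023-07-25T09:01:01 ws-17 updater write /home/ana/docs/budget.xlsx.locked
2023-07-25T09:01:01 ws-17 updater write /home/ana/docs/contracts.pdf.locked
2023-07-25T09:01:02 ws-17 updater write /home/ana/docs/notes.txt.locked
2023-07-25T09:01:03 ws-17 updater write /home/ana/docs/deck.pptx.locked
2023-07-25T09:01:04 ws-17 updater write /home/ana/docs/README.locked
2023-07-25T09:01:05 ws-17 updater write /home/ana/docs/HOW_TO_DECRYPT.txt
2023-07-25T09:30:00 ws-17 cleanup.sh write /tmp/scratch-2.tmp
"""

# Assumed allow-list of extensions the organisation normally writes.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".bak"}
THRESHOLD = 5        # suspicious writes needed to raise an alert
WINDOW_SECONDS = 60  # sliding window in which they must occur


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str
    path: str


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one audit line; return None for blank or malformed input."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return FileEvent(ts, parts[1], parts[2], parts[3], parts[4])


def is_suspicious_write(ev: FileEvent) -> bool:
    """A write that leaves a file with an extension we do not normally see."""
    if ev.action != "write":
        return False
    ext = os.path.splitext(ev.path)[1].lower()
    return ext != "" and ext not in KNOWN_EXTENSIONS


def max_in_window(stamps: List[datetime], window_seconds: int) -> int:
    """Largest number of timestamps that fall inside any window_seconds span."""
    stamps = sorted(stamps)
    best, left = 0, 0
    for right in range(len(stamps)):
        while (stamps[right] - stamps[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_mass_encryption(lines: List[str],
                           threshold: int = THRESHOLD,
                           window_seconds: int = WINDOW_SECONDS
                           ) -> List[Tuple[str, str, int]]:
    """Return (host, process, burst_size) for every actor that exceeds the rule."""
    by_actor: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious_write(ev):
            by_actor[(ev.host, ev.process)].append(ev.ts)
    alerts = []
    for (host, process), stamps in by_actor.items():
        burst = max_in_window(stamps, window_seconds)
        if burst >= threshold:
            alerts.append((host, process, burst))
    return alerts


def run_sample() -> List[Tuple[str, str, int]]:
    """Run the rule over the constructed events; only 'updater' should trip it."""
    return detect_mass_encryption(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for host, process, burst in run_sample():
        print(f"ALERT {host}: {process} wrote {burst} files with unknown "
              f"extensions within {WINDOW_SECONDS}s")
```

Two design points matter in practice. The allow-list keeps a legitimate backup agent and office software out of the alert even though they write constantly, and the sliding window keeps a housekeeping script that occasionally drops a `.tmp` file below the threshold; only the burst of `.locked` files from one process trips the rule. A real deployment would feed this from the EDR or file-server audit stream, tune the threshold per share, and pair the alert with an automated response such as isolating the host, which is exactly where the incident response plan in the list above comes in.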

Final words

Over time, the ransomware business model has grown more sophisticated, evolving through double extortion, the RaaS model, and the emergence of new ransomware gangs. As these attacks are unlikely to go away anytime soon, businesses must educate their staff about this lucrative form of attack and the consequences it presents to the company. Organizations must prioritize basic cybersecurity measures like regularly backing up data, segmenting the network, and patching systems. Additionally, they must invest in endpoint protection tools, keep an incident response plan handy, and invest enough in security awareness programs to minimize the impact of ransomware attacks.
