Ransomware has become a staple of Organised Criminal Groups’ (OCGs) revenue streams. Being able to affect a broad spectrum of targets, ranging from large businesses through to individual end users allows for a range of different monetisation models, from ‘spray-and-pray’ to targeted ‘big game hunting’. The sheer number of criminals focusing on ransomware, and the low barriers to entry, ensure that very large numbers of targets can be infected.
The cost of launching an attack has reached the level where only a tiny proportion of victims need to pay in order for the criminals to reap significant returns on investment. It has become a very efficient, if illegal and unethical, way to earn a living these days.
In this blog post we will look at what factors organisations should consider when assessing a ransom demand, and whether paying up could ever be justified. To do this we’ll review the basic history of ransomware as a concept, examples of some recent incidents and where ransomware operations are headed.
Ransomware can be traced back to 1989 when a computer virus, the ‘PC Cyborg virus’ aka ‘AIDS trojan’, was developed by an evolutionary biologist, Dr Joseph Popp. It was spread by the posting out of infected floppy disks to AIDS researchers through a mailing list, with the disks purporting to contain AIDS education software. Since then, the threat of this type of malware has increased exponentially, with numerous different versions appearing over the years.
The rise in this threat can be linked to increased adoption of crypto currencies around 2010-2012. Now threat actors did not have to request payment to be sent to them in cash through the post (as Popp was forced to do). Instead, (nearly) anonymous transactions could help keep their identity a secret and, as crypto currencies are based solely online, transactions and payment could occur quickly and avoid international borders. Due to this, crypto currencies are now the default method of ransom payment employed. Encryption is the other factor that has contributed to the rise in these attacks.
Developments in this field have enabled threat actors to adopt powerful encryption ciphers that are much harder to crack. With the added pressure of deadline-based payment schedules and threats of permanently deleting the encrypted data, there is increasing pressure on victims to quickly pay up to avoid data loss. Ransomware attackers increasingly know what they’re doing!
Ransomware can commonly be divided into two main types: ‘locker’ ransomware in which the malware locks users out of their physical device without affecting the underlying integrity of files on the system (this can also include the posting of extortion messages accusing the user of inappropriate behaviour); and crypto ransomware, which encrypts files, folders and storage devices. Both are used by threat actors in order to extort money from victims in exchange for unlocking the device or decrypting the data.
The following are examples of ransomware attacks and their estimated cost to those organisations.
In February 2016 the Los Angeles hospital began experiencing issues with its computer network. It was the result of a ransomware infection which caused disruption affecting emergency rooms, treatments, fax lines and email. The ransomware disabled the hospitals network and prevented administrative functions. After ten days, access and functionality of the network was restored when the hospital paid the ransom demand of 40 Bitcoins, worth an estimated USD 16,700 at the time of the attack. Details on the cost of other remediation activities have not been made publicly available.
The City of Atlanta was the subject of a ransomware attack involving the Samsam malware which began in March 2018. This attack caused large service outages involving utilities, parking and court services resulting in city officials having to complete paper forms by hand and write with pen and paper in lieu of using infected computers. At the time of the attack the hackers responsible demanded USD 50,000 in Bitcoin to provide access to the decryption key. The city refused to pay the ransom. This attack affected an approximately 6 million people and has been estimated to have cost as much as USD 17 million to remediate.
In December 2018 a ransomware attack involving the Ryuk ransomware strain was carried out in the US against Tribune Publishing’s network. Ryuk is a dangerous strain of ransomware that can disable the Windows System Restore option on infected systems. This increases the difficulty of retrieving encrypted data without paying the ransom.
Demands have ranged from USD 57,000 to USD 190,000 to be paid in Bitcoin. Systems were infected that were crucial to the news production and printing process affecting the L.A. Times, the San Diego Union, papers in Florida, Chicago, and Connecticut as well as the West Coast editions of the Wall Street Journal and the New York Times.
This was due to them sharing the same production platform causing disruption to the distribution of these papers. The Ryuk ransomware was reported to have made its masters over USD 600,000 USD within its first two weeks of use.[caption id="attachment_1347" align="aligncenter" width="300"]
A ransomware attack hit Jackson County computers in March 2019 severely impacting public activities. The ransomware Ryuk was the malware used and infected all county departments including computer systems used for emergency services and email. Networks servicing medical emergencies were minimally affected due to them operating on a network provided by a third-party. Due to the county having no backups in place that were separated from the infected network, government officials caved to ransom demands and paid the demand which cost the county USD 400,000.
In May 2019 the City of Baltimore suffered a ransomware attack in which the RobbinHood ransomware was used. The attackers demanded 13 Bitcoins, worth around USD 76,000 at the time. If after four days the ransom was not paid, the price for the decryption keys would rise. The data which was encrypted would be permanently lost after ten days if no ransom payment was made.
Systems that were affected included; voicemail, email, parking fines database, utilities payment systems, property taxes, vehicle citations, hospitals, factories producing vaccines, airports, ATMs & the majority of the cities computer servers. Emergency services were unaffected and personal data was not compromised. The city refused to pay the ransom demand and the attack ended up costing USD 18.2 million, including the price of remediation and lost or delayed revenue due to the attack.[caption id="attachment_1345" align="aligncenter" width="300"]
A common theme of ransomware attacks is the targeting of organisations that can ill afford any downtime. In this day and age, that effectively means everyone. Additionally, ransomware attacks are becoming increasing tailored for specific targets and run by controllers in real time.
Information on private companies suffering attacks or paying ransoms is harder to come by due to these organisations not reporting the attack to the public in an attempt to safeguard their reputation. Attacks on individuals still occur; however, these attacks are the result of exploiting a vulnerability affecting multiple users of the same platform and not likely to be cyber-criminals spitefully targeting an unlucky soul.
Targeted attacks affect fewer organisations but incur a higher cost to them. The ransom demanded by the attackers is often estimated by the attackers as to what the targeted organisation or individual can afford. This is demanded in crypto currencies, most commonly Bitcoin. The demand typically includes a time limit. Failure to pay within this time limit will result in the ransom demand increasing and if still not paid will result in the loss or deletion of the encrypted data, encryption key or both.
It is advised publicly not to pay the ransom, due to it encouraging the activity. However, many security firms suggest paying it behind closed doors. This is due to it being the fastest way to regain access to the encrypted data. Many organisations have done this. However, this leads us to the question set forth at the beginning…
Historically, paying a ransom has regularly been associated with increasing the incentive for threat actors to conduct ransomware attacks. However, this point is now somewhat moot given the widespread availability of ransomware-as-a-service offerings, leaked source code (which can be used to develop one’s own strains), or malware samples available for sale. The resources required to get an extortion operation off the ground are now within the reach of many hackers who do not necessarily need a large return to make it worth their while. Ransomware operations are so commonplace that the payment or withholding of one individual ransom is unlikely to influence the thriving underground ecosystem.
It should also be noted that if the ransom is paid there is no guarantee that the victim will receive a decryption key, or that said key will work and decrypt all the affected data. This adds complexity to the decision to pay or not. Some attacks are hoaxes with the perpetrators possessing no decryption key at all. To show victims that the attack is real, and a decryption key exists, attackers will often decrypt a limited number of files to show they have a working key. Even so, just because they have a working key, organisations should not automatically assume that they should pay the ransom. The attackers may still not relinquish the key after payment.
Delays to paying the ransom typically increase costs incurred on top of remediation costs and damage to reputation. Even if the ransom is paid and access to the data is restored, remediation must still occur effectively resulting in a similar amount of money spent. The main reason to pay the ransom is often the quick retrieval of the encrypted data. This is usually to limit the costs arising from operational needs to have access to the encrypted data or due to the organisation not maintaining backups.
Organisations should ensure that they have appropriately maintained backup systems that are stored offline and follow a robust backup procedure to effectively mitigate the threat of ransomware. The rule of three two one is a good example of this: Three copies of the data stored in two different formats e.g. Dropbox and DVDs or hard drive and memory stick. One off-site backup location.
Ultimately there is no one size fits all rule. Organisations must assess their own risk appetite for such things and integrate backup procedures and infrastructure to the best of their ability. Paying the ransom may aid organisations that have no backups or need access to mission critical data in a time period shorter than what remediation will provide.
In these instances, paying the ransom may be the prudent course of action, only if the attackers have demonstrated the ability to decrypt the data. Organisations should take note that these costs are on top of what needs to be spent on remediation, patching vulnerabilities, filling gaps in security as well as costs incurred due to reputational damage.
Payment may not result in the data being decrypted either. The cost of implementing data protection and backups within organisations is trivial in comparison to the effect a ransomware attack can have, as the examples above have demonstrated. Should an incident occur, organisations with robust backup implementations in place need not pay the ransom demanded and should be affected with minimal downtime whilst they restore from good backups.
Tristan Wright
Cyber Threat Intelligence Analyst
