Enterprise ransomware attacks: These violent delights have violent ends

Tal Be'ery
6 min read · Aug 11, 2020

TL;DR: Enterprise ransomware attacks are spiralling out of control. Victim companies are compelled to pay, using cyber-insurance as a “pain killer” that relieves the immediate pain but worsens the underlying problem. Soon, regulators will have to step in and stop this vicious cycle, and the withdrawal symptoms will be harsh.

Reading business and security news, it seems that there is a sharp increase in enterprise ransomware. The victims are household names (Garmin, CWT, and Canon, to name a few mentioned in last week’s news) and ransom payments are in the millions.

Analyzing ransomware incident data reveals that this is not merely a subjective feeling: ransomware payments are indeed increasing at an exponential rate.

Ransomware average payment has increased twentyfold in the last 2 years (source: Coveware)

In this story, we will look into the root causes of that steep increase and provide predictions on the future of the ransomware business.

Current Enterprise Ransomware Economics

Enterprise ransomware stats, published by Coveware, a company providing ransomware crisis management services to businesses, show a significant increase in all of ransomware’s business indicators.

It’s not just the average payment shown in the graph above, jumping from $10K in Q1 2019, to a little under $100K in Q4 2019, to nearly $200K; it’s also the size of the targeted companies.

Ransomware median size of victim companies increased tenfold in the last 2 years (source: Coveware)

Coveware explains the increase:

Average ransom payments climbed steadily since 2018, which coincided with the arrival of the first “big game hunting” ransomware variants, BitPaymer and Ryuk. Prior to big game tactics, the ransomware sphere was dominated by opportunistic spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise.

In the next section we will take a closer look at this pivotal change in attackers’ tactics, going from “spray-and-pray” to “big game hunting” enterprise ransomware.

Enterprise Ransomware: Then and Now

In the past, attackers would mostly “spray-and-pray”, launching mass e-mail spam campaigns to infect and encrypt the careless readers’ computers. This crude approach naturally led to random results, as victims would only pay if the data on the encrypted computer happened to be “interesting”.

Corporate security and IT teams had multiple tools to handle these potential infection cases:

  • End-point security solutions: Antivirus products are very good at catching massively used malware samples. A malware sample may infect a few computers in the world, but then antivirus vendors automatically update their solutions to catch it. Therefore, having a regularly updated antivirus would usually protect a computer from getting infected.
  • Random targets: in many cases, even if the computer got infected, it did not contain interesting enough data. In that case, IT would just format the computer to close the case.
  • Using backups: by regularly backing up the data on endpoints, encrypted computers can be easily recovered by formatting and restoring the data from backup.
  • Decrypting data without paying: in the early days of ransomware, attackers made some basic cryptographic errors in their encrypting malware, which made it possible for defenders to decrypt the encrypted data without paying the attackers.
  • Paying: as a last resort, when all previous means failed, the business could decide to pay the ransom to save the encrypted computer’s data.

But all that changed dramatically circa 2018. Enterprise ransomware attackers (probably inspired by NotPetya) became targeted, instead of random. Nowadays, attackers are not encrypting the first endpoint they happen to land on. Instead, they are applying “lateral movement” techniques originally conceived by advanced attackers, to expand into large portions of the enterprise’s network, including important computers and servers. Once the attackers have silently established their presence throughout the network, they encrypt all computers at once, crippling the business and creating a devastating effect.

This new method has rendered most of the aforementioned defense mechanisms obsolete:

  • End-point security solutions are less relevant: Since the attack is targeted and pinpointed, attackers can create a modified variant for the specific attack and test it in the lab to make sure it bypasses common antivirus solutions.
  • Non-random targets: targeted attackers can take their time to make sure they encrypt some interesting parts of the network. But even if they do not invest many resources into understanding their victims’ networks, when they encrypt the lion’s share of the network, it’s nearly certain that crucial parts will be included.
  • Using backups: To combat backups, attackers now also exfiltrate (a portion of) the data, threatening to expose it if the ransom is not paid. Therefore, even restoring from backup solves only half of the ransomware problem.
  • Ransomware encryption is now solid: The days of ransomware’s amateurish cryptographic mistakes are mostly gone, as attackers now use standard asymmetric encryption algorithms, which makes it impossible to decrypt the data without the decryption key.

As a result, ransomware victims are left with one tool in their toolbox, which is paying the ransom. However, this option is not too painful, as in many cases the payment is (mostly) covered by the victims’ cyber-insurance.

Therefore, it should not come as a surprise that in the span of two years, defenders’ motto has changed from “never pay for ransomware” to “how do I pay”. This new reality is reflected by the emergence of companies whose whole business model is based on helping victims successfully pay the ransom, get their data decrypted, and keep it from being publicly exposed on the Internet (see “Forrester’s Guide To Paying Ransomware”).

Ransomware’s vicious cycle

When the company is at a full stop on one hand, and on the other hand the norm is to pay the ransom and it’s mostly covered by the insurance company, victims often see paying the ransom as a “no brainer”.

As a result, more money is flowing into the hands of cyber criminals (who may be very much related to brick-and-mortar criminals), which in turn helps them invest in better infrastructure and encourages them to attack more and increase the flow of money from victims. This vicious cycle propels ransomware out of control, transferring companies’ wealth to criminals through the channels of cyber-insurance and other mediators.

Cyber-insurance companies will probably not stop this vicious cycle, as currently they enjoy the fact that big companies are compelled to take their cyber-insurance and absorb its rising costs, since the ransomware risk must be hedged. The rise in ransomware damages paid by the insurers is compensated by rising insurance premiums.

Therefore, currently, cyber-insurance may be viewed as more a part of the ransomware problem than a part of the solution. It is used as a “pain-killer” to make a severe disease more bearable. While it provides momentary relief, it enables defenders and law enforcement to remain in denial and not take the hard measures required to deal with the root cause. These potential measures are both in the law-enforcement domain, going after attackers and their money, and in the infosec domain, developing new and effective security solutions to combat ransomware.

Therefore, I believe that soon, due to its exponential growth, the burden of ransomware on the economy would be so unbearable that it would force regulators to intervene and forbid ransomware payments.

Parting thoughts

As with many other parasites, ransomware’s extraordinary success is actually a precursor of its demise, as it threatens the integrity of the host that supports it.

As the burden of ransomware on the economy becomes unbearable (and I believe this point is not too far away), regulators will be forced into taking the hard decision to abolish ransom payments, which will eventually stop ransomware attackers. When that happens, unprepared companies will be left without the only tool they currently have in their toolbox to combat ransomware. Therefore, smart defenders should start looking now for effective ransomware security solutions, sooner rather than later.

Tal Be'ery

All things CyberSecurity. Security Research Manager. Co-Founder @ZenGo (KZen). Formerly, VP of Research @Aorato, acquired by @Microsoft (MicrosoftATA).