Surviving the Other Pandemic: What’s Ransomware, Who’s at Risk, and Why?
April 15, 2021
There’s only one word on everyone’s mind lately when it comes to cybercrime and that’s ransomware. The last three years have witnessed the resurgence of ransomware campaigns in full force, with a huge boom following the coronavirus pandemic. Attacks rose by 25% between Q4 2019 and Q1 2020, as cybercriminals pivoted to take advantage of changes in operating procedures and the widespread adoption of new technologies by organizations worldwide.
Hackers have gotten more aggressive, the demands higher, and remediation costs greater than ever. Attacks are also increasingly involving data theft and threats to post sensitive information online, combining the disruption of a ransomware event with the long-term impact of a privacy breach. Without backups or a decryption key, victims risk losing permanent access to mission-critical data, incurring steep financial losses, and suffering tremendous reputational harm.
Nothing and no one is truly secure. Businesses large and small, profit and non-profit, across every industry have been targeted, with SMBs, medical facilities, third-party suppliers, and government agencies bearing the brunt of the fallout.
It’s imperative for all companies to recognize the threats posed by ransomware, prepare themselves, and develop a plan to prevent attacks. Keep reading to learn more about what ransomware is, who’s at risk and why, and how you can protect your business.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What is ransomware?
Ransomware is a malicious software that infiltrates systems, encrypts data, and disables user access to their data until a sum of money is paid to a threat actor. The idea behind ransomware is simple: hold data hostage and demand payment for its safe recovery—it’s cyber extortion at its finest. Unless the ransom is delivered within a set period of time, usually in an untraceable digital currency, like Bitcoin, attacks can bring businesses to a complete standstill or hamper efficiencies for months on end.
Telltale signs of a possible attack include:
An unrecognizable extension on files;
Files that can’t or won’t open;
Applications that won’t run;
Lost file and/or folder permissions;
Devices on your network that are running slower or displaying abnormal behaviour;
An urgent, foreboding, or threatening message explaining that your files are inaccessible. Many ransom notes try to replicate or imitate the style of a trusted source, like a government, law enforcement, or public health agency, and collect a fine by alleging your computer was used for illegal activity.
Why is ransomware so common?
Ransomware operators have historically been more opportunistic, targeting consumers to obtain financial information and commit identity fraud. But with limited funds to meet ransom demands, the return on investment for consumer attacks was quite poor. Between 2016 and 2017, only 4% of affected users reported paying, at an average amount of $530.
As a result, cybercriminals have gotten more strategic and shifted attacks to private and public companies to maximize their gains. Here’s why:
They’re easy to stage.
Although ransomware is one of the most sophisticated and harmful threats businesses face today, it requires minimal expertise to set up. Even amateur hackers with little technical know-how can purchase login credentials and “Ransomware-as-a-Service” (RaaS) on the Dark Web from more skilled cybercriminals. RaaS Kits are cheap, compact, and contain all the ingredients needed to launch a successful infection. And because they’re so accessible, a good chunk of RaaS attacks still hit people at home, on their personal devices and computers, in addition to private and public companies.
Threat actors want to make money quickly. And unlike most cyberattacks, where criminals must first steal information and then find willing buyers, ransomware paydays are more or less instant since most organizations can’t function without their data.
Prosecution almost never happens.
Most cybercriminals operate across borders and jurisdictions. And law enforcement simply doesn’t have the resources necessary to identify these criminals or prosecute them across international borders, which is a time consuming and complicated process. This allows them to continue to operate with impunity.
How has COVID-19 increased the risk of ransomware?
The outbreak of COVID-19 and the resulting digital revolution has led to a surge in malicious online activity. Between January and June of 2020, the ID Ransomware database logged over 100,000 incidents aimed at companies and public sector organizations, with a new event occurring every 14 seconds. In fact, ransomware was the number one cyber claim in Canada last year, surpassing credit card theft to become the most common type of cyber threat.
Some of the biggest risk factors are:
Since the beginning of the crisis, hackers have capitalized on heightened anxieties and concerns over public safety to trick unsuspecting users, infiltrate networks, and compromise valuable data. From fake websites to bogus contract tracing apps to financial aid scams, cybercriminals are mining all opportunities to exploit users looking for pandemic-related information or advice.
In a decentralized environment, companies have significantly less visibility over a wider attack surface. The number of entry points for malware has increased exponentially, amplified by: growing reliance on employees’ personal devices, weak organizational controls on home IT, a lack of cybersecurity awareness training, and human error, as well as family access to corporate machines and personal devices for work or study.
With the mass exodus of employees from offices worldwide, organizations were forced to implement various digital response measures to ensure business continuity, including remote systems, third-party applications, cloud computing, online payment forms, and more. But in the rush to digitize their operations, many companies prioritized immediate results over lasting security, simultaneously creating new cyber vulnerabilities and widening existing gaps in protection.
Over the years, we’ve seen the disturbing rise of malicious ransomware families that employ a network of top-tier cybercriminals, each with their own speciality, like surveillance, software development, managing botnets, or more. Working as a unit allows individual hackers to compile their resources, be more strategic in operation, and stage more complex, destructive, and successful ransomware events. Notable gangs include: DoppelPaymer, REvil, NetWalker, RobbinHood, DarkSide, and the notorious Maze.
How do attackers gain access?
Hackers distribute ransomware through a variety of methods, such as:
Phishing and email intrusion are by far the most widely used—and most effective—conduits for ransomware delivery. The majority of attacks, about 54%, spread via email, which has long been the primary communication tool for most organizations. Cybercriminals use misinformation campaigns to pose as government authorities, security vendors, and business leaders, and coax people into clicking a fake link or opening an attachment that unleashes malware.
2. RDP Attacks
To remotely access Windows workstations, companies are relying on Microsoft’s proprietary Remote Desktop Protocol (RDP). Consequently, attacks on RDPs have skyrocketed, with hackers attempting to enter victims’ networks through misconfigured servers and unpatched systems. These vulnerabilities are exacerbated by poor password etiquette, old software, and general misuse of computers and emails.
3. Third-Party Compromise
If a cybercriminal can’t get past an organization’s defences, they’ll turn to a less secure outside partner, provider, or other third-party with access to their systems. This way, hackers can infiltrate large enterprises through the weak links in global supply chains, like smaller, resource-poor distributors and suppliers. Cybersecurity firm BlueVoyant even reports that 80% of organizations have had a breach that was caused by one of their vendors.
Third-party compromise also allows cybercriminals to double up on attacks and boost their takeaway. A major company might be hit with a $1 million ransom, while affiliated clients and partners are extorted for anywhere between $5,000 to $10,000 at the same time.
Who’s at risk (and why)?
Ransomware infections rarely happen at random; they’re clever, calculated, and well-planned. And no business is immune. Cybercriminals go after organizations of all shapes, sizes, and industries; whoever they think can—and is more willing—to pay. This usually includes organizations that:
Hold sensitive data;
Need immediate access to their files and cannot tolerate a sustained disruption;
Would suffer the most harm from data leakage and will pay to keep the news quiet;
Are perceived to have weak or limited security defences; and
Are likely to have bigger payouts (such as corporate entities based in Western markets, like US, UK, and Canada).
Throughout the COVID-19 crisis, attackers have ramped up their efforts against the below groups given the likelihood of high impact and financial gain.
While attacks on big companies like Canon, Brookfield Residential Properties, and Luxottica drive headlines, SMBs continue to be plagued by ransomware behind the scenes. 55% of enterprise attacks in Q2 2020 took place on companies with less than 100 employees. 75% hit companies with less than $50M in revenue, particularly affecting businesses in the professional services, like law and accounting firms.
Large corporations may have insurance policies or pockets deep enough to pay ransoms, recover data, or even swallow a loss, but cybercriminals know that small companies have poor security and backup practices. Current research shows that nearly half of private-sector SMBs spend less than $5,000 per year on cybersecurity, creating a huge window for threat actors to exploit.
SMBs may also be newly targeted for amassing large amounts of PHI on clients, vendors, and other visitors for contact tracing or other COVID-19-related work protocols. Until small businesses can harden their security defences to prevent future attacks, these alarming trends will persist.
2. Healthcare Organizations
Comprising a whopping 29% of ransomware events, the health sector is a frequent and favoured target of attackers, who know that providers will acquiesce to protect their patients. With increasing dependence on technology to provide care, the loss of patient data for an extended period of time—15 days on average for emergency health records—can bring a facility to its knees, delaying swift medical response and endangering human lives.
The pandemic makes matters even worse. Hospitals, health and wellness centres, and healthcare practices around the world are already strapped for resources as they work non-stop to fight COVID-19. Still, medical facilities remain at the mercy of ransomware gangs, who have been steadily releasing patients’ personal health information (PHI) online, like SIN numbers, medical histories, diagnostic codes, health insurance information, and more, to coerce a payment.
Canadian victims in 2020 included: Vancouver Coastal Health in May, the BC Cancer Foundation in July, and the Medisys Health Group and its affiliate Copeman Healthcare in August, who paid to retrieve the stolen data of some 60,000 clients.
Hackers have also directed their attention towards clinical research and biopharmaceutical companies, in search of intellectual property related to COVID-19 tests, treatments, and vaccines. Examples include: ExecuPharm in Pennsylvania, 10x Genomics in California, and Hammersmith Medicines Research out of the UK, among others.
3. Manufacturing Companies
Amid rising global needs for medical supplies, office equipment, and operational technology, hackers’ focus on manufacturing companies is unsurprising, with most networks infiltrated through spear-phishing and Internet-facing equipment controllers. The industry saw a 156% spike in attacks from the previous quarter in Q1 2020, leading to severe losses in production, disjointed operations, and infrastructural damage.
The number of organizations that have publicly acknowledged attacks or data leaks has grown considerably, including steel maker EVRAZ, office furniture giant Steelcase, and the two largest electronics manufacturers in the world, Foxconn and Compal, who make products for Apple, as well as other well-known brand names, like Sharp, Belkin, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu. The Foxconn and Compal events were both carried out by the DoppelPaymer gang, with the attack on Foxconn seeking $34.7 million in Bitcoin.
4. Government Agencies
While large enterprises and the private sector have worked to improve their security posture, tight budgets limit modernization for municipal governments. With outdated operational technology, inadequate safeguards, and little IT support, local governments make up about 15% of ransomware events and are among the most desirable targets for attackers. They’re also the most likely to give in to ransom demands; even before the pandemic, municipalities across the US paid out at least $1.8 million in ransoms in 2019, compared to less than $60,000 in 2018.
As a critical infrastructure, local governments simply can’t afford, both financially and civically, to suspend valuable public services, from policing to transit to water and waste management, much of which is now managed digitally. Moreover, government agencies face added media scrutiny in a way that private companies and SMBs don’t, forcing them to take urgent action.
Various cities throughout the US have been hit in recent years, including the City of Albany in New York, Lake City in Florida, Baltimore in Maryland, and over 22 different cities in Texas. In Canada, the city of Stratford in Ontario, St. John in New Brunswick, the Northwest Territories Power Corporation (NTPC), and the PEI government have all compromised in the last two years. The attack on PEI cost over $900K in remediation and although the government didn’t end up paying the ransom, hackers still made off with 200GB of data.
The Key Takeaways
1. Ransomware isn’t going anywhere.
Cybercriminals are developing and launching attacks at an alarming pace, with global damages from cyber extortion projected to reach $20 billion by the end of 2021. As companies pursue digital transformation, we will continue to see a steady and aggressive influx of increasingly sophisticated ransomware infections.
2. Most organizations are unprepared to deal with the repercussions of an attack.
The reality is, most companies don’t view themselves as a target and are reluctant to part with legacy systems and antiquated software, leaving massive security potholes for threat actors to gain a foothold. Alternatively, they have neither the resources, nor the patience, to implement extensive controls. Either way, ransomware will persist as a worrying and costly exposure for businesses as long as they undermine the risks posed by cybercriminals.
Keep in mind: it only takes one—one password, one click, one employee—to have a cascading effect across the whole network. Ultimately, organizations have a simple choice to make: prepare now or pay later.
3. It’s not too late to take action.
The good news? The root causes of most cyberattacks are largely known and thus, preventable. Instead of relying on insurance or simply hoping for the best, the optimal solution is to keep attacks from happening in the first place. All organizations must adopt a proactive approach to cyber risk management to address their exposures, keep up with emerging threats, and stay ahead of the ransomware curve.
Security is not, and should not be viewed as, an unnecessary expense. Even basic measures, the majority of which are low-cost or no cost, can help avoid a majority of losses. And while no prevention is absolute, you can still bolster your defences enough to reduce the likelihood and impact of a ransomware attack and recover your business that much sooner.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.