Ransomware attacks are on the rise — it’s a multibillion-dollar criminal enterprise that’s only going to get worse. Because it’s a case of when, not if, a firm is affected, Baker Tilly’s cyber security specialists outline typical flaws and how to effectively prepare for the inevitable.

It’s the customer service story you never want to tell.

Locked out of their critical IT systems, facing the loss of important corporate and customer data, the Kenyan business could only speak glowingly of the call centre offering support. Within a matter of minutes, a helpful operator was able to guide the business through the process of making a payment so they could get their files restored.

But the catch is this: it wasn’t an IT help desk on the phone. It was one of the well-staffed, smoothly run ransomware call centres through which victims negotiate with, and pay, the criminal enterprises that encrypted their data in the first place.
Ransomware is now one of the world’s most profitable (and seemingly low-risk) criminal enterprises, with an underground network estimated to cost legitimate businesses around USD20 billion this year alone.

While that sum is 57 times the amount collected by ransomware gangs only a few years ago, the worst is yet to come, and some experts suggest that within a decade, USD265 billion will be stolen and extorted annually through ransomware crime. And with that growth in revenue has come remarkable sophistication as crime gangs efficiently target victims, with an estimated 150% surge in attacks in the past year.

“What we say is it’s not a question of if you’re going to be hit someday with ransomware, but when. If you choose that state of mind, then you have to do something about it. Prevention is important, but so is your response. What are you going to do? What kind of plan do you have to get your company back in business again? When you have those plans, you can sleep a little better.”

A simple crime with a sting in the tail

What sets ransomware apart from many other kinds of cyberattacks is the simplicity of the crime, which combines both technological and psychological attacks on the victims.
Unlike malware that corrupts or destroys files, ransomware encrypts them and withholds the key, leaving the data intact but just out of reach of a business that desperately needs its systems to keep shipping goods, paying staff, responding to customers, or delivering on contracts.

While it is relatively easy to carry out this encryption (some ransomware tools trade on the dark web for as little as $70), the lock is very difficult to undo without the attacker’s key. Some groups, such as the No More Ransom project, which brings together cybersecurity companies and international policing partners, make decryption software available for free, but these cover only a fraction of the tools in common use. This is where the second, psychological, nudge comes in: the price.
For many companies, the ransom demanded is relatively small: a median of $47,008 in the first quarter of this year, according to Coveware.

Although some targets are hit with ransoms significantly higher, a price of that order is within reach of many businesses, according to Baker Tilly experts, making it more tempting to authorise payment in Bitcoin or another cryptocurrency, which is commonly used because the transaction is harder to trace. And the more victims pay, says Ranga Komanduri, Partner at Baker Tilly KE, the higher the stakes become and the more likely criminal gangs are to go all-in.

“The bad guys are making money doing it, with the proportion of organisations who are paying ransom. There’s been so much financial reward for the people doing the ransomware that the groups are now well-funded, with far more resources and the ability to come after organisations.”
But the cost of ransomware goes far beyond the ransom payment. Besides an average downtime of three weeks, 80% of ransomware attacks now include a threat to leak company data, which can trigger a crisis of its own in terms of loss of trust (reputational risk) and breach of privacy.
Then there are the recovery and business interruption costs, which are incurred even if a ransom is paid. In fact, a survey by cybersecurity group Sophos of more than 5,400 organisations earlier this year found that of those who were attacked and paid up, only 8% recovered all their data, and on average only two-thirds of their files were restored.

“The bad guys may know how much somebody has in insurance and use that when they’re figuring out how much they’re going to charge, or they may know how much somebody has in the bank, and use that to set the pain point on paying the ransom. Ask almost anybody who got hit with ransomware if it was worth not having done some of the good hygiene things they could have done to protect their business and I suspect virtually all of them will say, ‘we really wish we had taken that step’.”

Risks of ransomware

Although the average ransomware payout might be small, there is huge potential for high-yield returns.
Not only has the volume of attacks scaled dramatically, to one every 11 seconds, but as their techniques and tools improve, gangs are changing tactics. Ransomware first responder Coveware reports that the companies falling victim to ransomware are getting larger, with half of the victims in Q2 this year having 200 or more staff.

Although experts are divided over how closely ransomware attackers consider the industry of their victims, some sectors are over-represented, in part because the software they rely on has been exploited, and in part because they hold sensitive data and are therefore more likely to pay.
The public sector, for example, is the single biggest target, followed by professional services including law firms, accounting firms, and financial groups, and health care. And with an attack in May that brought down Colonial Pipeline, a major US oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum, the energy sector has suddenly realized its exposure as well.

“It always starts with a risk assessment, understanding your risks, how important they are, the criticality and the impact,” he says.
“Then you need to prepare to manage the risks and respond effectively to them. That means different measures, securing the systems, educating the users, frequent awareness programs, and applying all the latest security updates to the systems.”
Email phishing and compromised remote access services remain the key vectors for ransomware: either one gives the attacker a foothold from which malware is introduced into the network and the attack is launched.
“In most cases, end-users are the ones who, because of a lack of awareness, simply click a link and download something,” Mr. Ranga says.

“So you start by safeguarding your endpoints and systems, and you focus on backups and incident response plans, as well as how you might use them to recover if necessary.”

Putting together a game plan

“A basic initial step is to maintain all systems up to date with the most recent versions and updates. The vast majority of ransomware takes advantage of known security flaws in popular operating systems and software like Microsoft Windows, Office, and Acrobat Reader. Fixes and upgrades are typically already available from these software vendors, and it is up to enterprises to ensure that these patches and upgrades are applied as promptly as possible in their IT infrastructure.”

One of the biggest fallacies about resolving ransomware attacks, according to Mr. Ranga, is that paying the ransom resolves them.

“It’s believed that a third to half of infected organizations pay a ransom to criminals holding their data hostage,” he says, “but there’s no assurance you’ll get your data back.”
The real cost, whether or not you pay, is remediation: rebuilding affected systems and closing the weaknesses that let the attackers in, which is estimated at ten times the typical ransom.

“Educated employees are less likely to open infected attachments and put the company at risk,” Mr. Ranga added.
“Educating employees about ransomware and security hazards reduces the probability of infection significantly. Users can be taught to recognise phishing emails and malicious content, such as ransomware.”

There are also a number of technical controls that can be deployed in an organisation’s IT environment to prevent ransomware from executing, or from propagating once it has been detected.
Many products on the market are continuously updated by their suppliers, but there is no guarantee that they will detect the latest ransomware variants.
That is why, Mr. Ranga argues, organisations must be proactive about limiting the impact of a successful ransomware attack rather than relying on detection alone.

“Organisations must always have recent and complete backups, which will be a lifeline if they are targeted and want to recover data without paying the ransom. Not only should you back up your data, but you should also test it on a regular basis to verify that it is comprehensive, accurate, and relevant. Organisations frequently learn that the backups they thought they had were partial or ineffective, putting them in the precise scenario they hoped to avoid.”
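As an added illustration of the restore test described above (this is example code written for this page, not code from the article or from Baker Tilly), the Python script below records a SHA-256 manifest of a source tree at backup time and later checks a restored copy against it, reporting files that are missing, files that came back the right size but with the wrong bytes, and whether the manifest is recent enough. The directory names and file contents are constructed sample data, and the 24-hour freshness threshold is an assumed policy value.

```python
"""Backup manifest and restore test (added example, not Baker Tilly code).

At backup time: build_manifest() hashes every file under a tree.
At test time:   verify_restore() compares a restored tree with the manifest
                and reports missing, corrupted and unexpected files.
demo() builds a constructed scenario in a temp directory so it runs offline.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files do not need to fit in RAM


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root with its size and SHA-256."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return {"created": time.time(), "root": str(root), "files": files}


def verify_restore(manifest: dict, restored: Path, max_age_hours: float = 24.0) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    missing, corrupted, ok = [], [], []
    for rel, meta in manifest["files"].items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_of(p) != meta["sha256"]:
            corrupted.append(rel)  # size alone is not enough; the hash catches same-size damage
        else:
            ok.append(rel)
    # Files in the restore that the manifest never listed are not a restore
    # failure, but they suggest the manifest (and so the backup) is stale.
    extra = sorted(
        q.relative_to(restored).as_posix()
        for q in restored.rglob("*")
        if q.is_file() and q.relative_to(restored).as_posix() not in manifest["files"]
    )
    total = len(manifest["files"])
    age_hours = (time.time() - manifest["created"]) / 3600
    return {
        "total": total,
        "ok": len(ok),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "coverage": len(ok) / total if total else 1.0,
        "recent": age_hours <= max_age_hours,  # assumed policy: backups older than a day fail
        "complete": not missing and not corrupted,
    }


def demo() -> dict:
    """Constructed scenario: one file never restored, one silently corrupted."""
    tmp = Path(tempfile.mkdtemp())
    src, rst = tmp / "source", tmp / "restored"
    sample = {  # constructed sample files, not real data
        "finance/ledger.csv": b"date,amount\n2021-06-01,1200\n",
        "hr/payroll.xlsx": b"\x50\x4b\x03\x04" + b"x" * 4096,
        "logs/app.log": b"INFO service started\n",
    }
    for rel, data in sample.items():
        for base in (src, rst):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    manifest = build_manifest(src)
    (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))
    (rst / "logs/app.log").unlink()                        # lost on restore
    (rst / "hr/payroll.xlsx").write_bytes(b"\x00" * 4100)  # same size, wrong bytes
    return verify_restore(manifest, rst)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["complete"] and report["recent"] else 1)
```

In practice the manifest is written at backup time and kept somewhere the backup job cannot overwrite, and the restore is performed into a scratch location before `verify_restore` runs against it; the non-zero exit status lets a scheduled job fail loudly when coverage drops below 100%, which is exactly the “partial or ineffective” backup the quote warns about.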