The FBI has warned of a staggering increase in ransomware attacks against businesses since the start of the COVID-19 pandemic. Here’s what business owners and managers should know about these attacks to help prevent them — and manage an attack if preventive measures fall short.
Cybercrime reports to the FBI have quadrupled in 2020. The FBI Internet Crime Complaint Center currently logs between 3,000 and 4,000 calls a day. Ransomware attacks in particular have increased seven-fold since 2019, and the estimated global cost of ransomware attacks for 2020 is $20 billion, according to cybersecurity firm Bitdefender. This is from a recent report from insurance provider Beazley:
In 2020, we have seen significant changes to the cyber risk landscape. Ransomware has grown in frequency and severity, and extortion demands have risen. The threat of data exfiltration and consequent release of confidential information has increased, and the resulting business interruption of all these events has become a regular occurrence.
The average ransom payment grew to $178,254 in the second quarter of 2020, up 60% from the first quarter of 2020, according to the Q2 2020 Ransomware Report published by ransomware consulting firm Coveware. And the percentage of ransomware incidents where data had been “exfiltrated” — meaning it’s withdrawn from the victim-organization’s network — grew from 7.8% in the first quarter of 2020 to 22% in the second quarter of the year.
No one is immune: Ransomware attacks have been launched against large and small organizations, including public and private businesses, educational facilities, health care providers, government agencies and non-profit entities.
Important: On October 28, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) issued a joint cybersecurity advisory. It describes the tactics, techniques and procedures that cybercriminals are currently using against hospitals and health care providers to infect systems with encryption ransomware, notably Ryuk and Conti. The alert recommends specific measures for hospitals and other health care entities to consider to prevent such attacks.
Anatomy of Ransomware Attacks
Ransomware is malware designed to prevent access to a computer system or files until the user meets the perpetrator’s payment demands. It’s as if your entire computer network is being held for ransom — and neither your employees nor your customers can access the data.
Back in the 1980s, when ransomware was introduced, attacks typically targeted individuals, and payment was made through the regular U.S. mail. Today, high-tech crooks usually go after deeper pockets and often require the ransom to be paid with credit cards or cryptocurrency, such as Bitcoin.
It doesn’t take much to be infected. Typically, the malware takes root when a malicious email is sent to an employee of a company and may utilize phishing or spear phishing techniques. The malware may be embedded in attached Word files or PDFs, or the email might contain a link to a website that will install the malware on the user’s computer and, from there, infiltrate the network.
Why would anyone open an unsolicited email and then open an attachment or click a link? Looks can be deceiving. Frequently, the email appears to come from a legitimate business partner or from a friend or relative. In other cases, perpetrators pose as law enforcement officials or representatives of agencies, such as the FBI, IRS or Department of Labor, to scare victims into paying up. (See “Three Types of Ransomware,” below.)
Another threat is the use of “malvertising,” malicious advertising that hooks recipients with little or no interaction on their part. For example, if you’re simply browsing the web and come across malvertising, it can infect your computer, even if you don’t click on the ad. This may deliver the ransomware directly or be used to launch an attack against a targeted user.
Once a user’s device has been compromised, the perpetrator has a foothold in your entire IT environment. Before your IT department detects the breach, the hacker is free to explore your network for vulnerable systems and sensitive data and encrypt data indiscriminately. Then the hacker can demand a ransom for the decryption key needed to restore your access to the network.
Three Types of Ransomware
Here’s an overview of three basic types of ransomware and how they can potentially damage your business.
1. Scareware. Despite its ominous-sounding name, scareware is the least dangerous type of ransomware. It might feature a pop-up that demands that you pay up to delete it. If you do nothing, your information won’t be accessed, but you’ll continue to get annoying pop-ups. Usually, inexpensive, off-the-shelf antivirus or Internet security software programs can eliminate these intrusions.
2. Screen locks. These attacks are a step up from scareware. Essentially, a screen lock freezes you out of your computer, rendering it unusable. Typically, you’ll see a full-size window, purportedly authorized by the FBI or another law enforcement entity, stating that illegal activity has been detected on your computer and you must pay to have it removed. This kind of message is a hoax.
3. Encryption ransomware. In this worst-case scenario, the perpetrator attacks your files and encrypts them. So, security software can’t help you recover the files at this point. As a result, you can’t restore your system until you pay the ransom and obtain a decryption key from the attackers. Furthermore, you still might not get the files back even if you meet the demands. If you do nothing, the crook usually vanishes without a trace.
Ransomware is a growing threat, especially as more people are working, learning and interacting with organizations remotely during the COVID-19 pandemic. It’s important for your organization to take steps to protect your networks from these attacks. Generally, this requires people who access your network to identify ransomware before it infects their computer.
Consider implementing the following best practices:
Train users to recognize red flags. Employees and other users who access your network should understand how ransomware attacks happen and why it’s smart to exercise caution when opening unsolicited emails and searching the Internet. For example, before clicking on a link or opening a file, they should be trained to verify the sender’s email address.
Require your staff to participate in regular cybersecurity awareness training sessions. Consider testing methods that simulate actual ransomware attacks to help improve awareness and test whether your training program is effective.
Install the latest IT security products. Take advantage of the advanced technology at your disposal. Examples include antivirus software, firewalls and email filters designed to keep outsiders at bay.
Stay current on updates. Ensure that all operating systems and applications are updated on users’ computers. If not, secure the latest patches from verifiable sources. Criminals launching ransomware attacks are known to prey on those with vulnerable systems and applications.
Back up files. Perform frequent backups of your system and other important files. If a computer becomes infected with ransomware, you can restore your system to its previous state using backups — as long as you catch the attack before the perpetrator has a chance to encrypt the data. Store backups in a device that’s separate from the network, like an external hard drive or in the Cloud.
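As an added illustration that is not part of the original article, the Python script below applies the checks the article recommends for users (verify the sender’s address, be wary of Word/PDF attachments and links) to one constructed phishing-style email; the trusted-domain list, the sample message and the function name are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the display name claims a known
# partner, the actual address is on an unrelated domain, the link points to
# a look-alike host, and the attachment is a macro-enabled Word document.
SAMPLE_EMAIL = """From: "Acme Accounts Payable" <invoices@acme-billing-portal.example>
To: ap@yourcompany.example
Subject: Overdue invoice - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice and confirm at http://acme.example.payments-verify.example/login
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"

ZmFrZQ==
--b1--
"""

TRUSTED_DOMAINS = {"acme.example", "yourcompany.example"}  # assumed allow-list
RISKY_EXTENSIONS = (".doc", ".docm", ".xlsm", ".pdf", ".js", ".zip", ".exe")
URL_RE = re.compile(r"https?://([^/\s]+)")


def red_flags(raw):
    """Return human-readable warnings for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        # Display name mentions a partner we know, but the address does not match it.
        claimed = [d for d in TRUSTED_DOMAINS if d.split(".")[0] in name.lower()]
        if claimed:
            flags.append(f"display name resembles {claimed[0]} but address is on {domain}")
        else:
            flags.append(f"sender domain {domain} is not a known partner domain")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment {filename} has a risky file type")
        if not part.is_multipart() and part.get_content_type().startswith("text/"):
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for host in URL_RE.findall(body):
                registered = ".".join(host.lower().split(".")[-2:])  # last two labels
                if registered not in TRUSTED_DOMAINS:
                    flags.append(f"link host {host} is not a trusted domain")
    return flags
```

The last-two-labels check is what catches the look-alike link: the host starts with a trusted name but is actually registered elsewhere.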
Many organizations also buy cyber liability and breach response insurance to fortify their defenses against losses from breaches and ransomware attacks. Professional and general business liability insurance policies generally don’t cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company’s electronic data and software.
Instead of purchasing a standalone cyber liability policy, you can add a cyber liability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement isn’t as extensive as the coverage in a standalone policy.
Business owners and managers should carefully read their policies to understand what types of incidents are specifically excluded from coverage. And, remember, no type of cyber liability insurance is a suitable replacement for sound cybersecurity policies and procedures. Other well-resourced preventive measures can also reduce your premiums for cyber insurance.
Unfortunately, preventive measures aren’t foolproof. If your organization falls victim to a ransomware attack, what should you do?
You may be tempted to pay the ransom immediately, hoping the threat will go away quickly and with minimal harm. But paying ransom can be costlier than restoring data from backup files or other means. The average cost to remediate an encryption ransomware attack is $1,448,458 for victims that paid the ransom, compared to only $732,520 for those that didn’t ante up, according to “The State of Ransomware 2020” published by IT security firm Sophos.
Why does paying ransom roughly double the cost of a ransomware attack? First, you must pay the ransom. From there, you must restore the data and get your network back up and running after an attack. Plus, there’s no guarantee that your data will be fully restored even if you’re able to obtain the decryption key from the perpetrator.
If your organization has insurance coverage against ransomware attacks, your insurer can help guide you through the process of reporting the incident to law enforcement, restoring your systems and communicating the effects to stakeholders. Your financial and legal advisors can be valuable resources, too.
On September 30, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center released a joint Ransomware Guide. It provides best practices in preventing and responding to a ransomware attack.
For more information on how to safeguard against these attacks — or how to respond if your network has been breached — contact your legal and financial advisors.