In a cyber risk environment growing riskier by the day, ransomware is one of the threats most likely to keep business leaders awake at night.
What is ransomware?
Ransomware is a form of malware that enters a corporate or institutional network and blocks access to it until a ransom has been paid and a decryption key has been provided.
How do ransomware attacks work?
The most common mode, or “vector,” of ransomware attack is delivery via a malicious email carrying an infected attachment or link. If the attachment or link is opened, the user’s network can be infected. Once an infection occurs, payment is usually demanded in bitcoin or another cryptocurrency, which helps criminals evade detection.
Some ransomware vectors masquerade as emails from known and trusted senders whose identities have been stolen, making it more likely attachments will be opened. Network infiltration can also occur when employees click on infected websites or internet ads. After the initial infection, ransomware will attempt to spread to connected systems, including shared storage drives, other accessible computers and industrial control systems.
Organizations of all kinds are at risk from ransomware
Ransomware intrusions have been particularly effective against organizations lacking the resources and technologies that prepared corporations can bring to bear to defend against cyber attacks. This is particularly worrisome for government entities, educational institutions and healthcare organizations that depend on older, legacy computer systems that are not regularly updated.
According to a December 2019 report by the New Zealand-based cyber security firm Emsisoft, the U.S. was hit by a barrage of ransomware attacks last year affecting at least 948 government agencies, educational establishments and healthcare providers, at a potential cost in excess of $7.5 billion. This occurred due to increasingly sophisticated types of ransomware specifically designed to exploit network security weaknesses. A report issued by the State Auditor of Mississippi was sharply critical of many state entities that did not have formal security policies or disaster recovery plans in place, were not performing legally mandated cyber risk assessments, and were not encrypting sensitive information.[1]
But while governments and institutions remain easy targets of cyber security threats, most ransomware attacks target businesses of all sizes and in all industries. According to one estimate, in 2018 ransomware attacks hit businesses around the globe for more than $8 billion.[2] A report by the SonicWall organization noted that during the first three quarters of 2019 there were more than 151.9 million ransomware attacks.[3] Not all were successful, and the number of ransomware attacks was down slightly from the prior year. However, the financial toll is growing exponentially as cybercriminals focus on high-value targets, such as large corporations and financial institutions. According to Coveware, a ransomware research organization, the average ransomware payment more than doubled in the fourth quarter of 2019, jumping 104% from $41,198 in Q3 to $84,116 in Q4.[4]
For mid-sized and smaller businesses, ransomware and other forms of cyber attacks can be especially devastating. According to one report, cyber attacks now cost companies an average of $200,000 per event, for all remediation and related expenses, with up to 60 percent of smaller businesses going out of business within six months of being victimized.[5]
Further complicating the risk environment is a related technique called “data exfiltration.”[6] In this scenario, an individual or group of cybercriminals penetrates a network and copies a large quantity of proprietary and sensitive data. The victim is alerted that content will be publicly released if a ransom is not paid. In this case, the threat is the potential for reputational damage to a brand rather than delivery of a decryption key to regain control of a network. Some cyber attackers are combining aspects of both conventional ransomware and data exfiltration to multiply the damage they can inflict. Compounding the impacts of data exfiltration attacks is the heightened sense of urgency experienced by organizations when cybercriminals set short, non-negotiable deadlines for payment under threat of the release of sensitive information.
Ransomware and related threats such as data exfiltration are not going away and are likely to evolve and become even more dangerous over time. But while all businesses are vulnerable, there are a variety of actions companies can take to reduce the risks of a successful ransomware attack and build cyber resilience.
Protecting against ransomware
Here are some tips for protecting against ransomware from the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security:
“What can I do to protect my data and networks?”
- Back up your computers – Perform frequent backups of your system and other important files and verify backups regularly.
- Store your backups separately – Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive.
- Train your organization – Provide mandatory cyber security awareness training to employees regularly.
- Update and patch your computer – Ensure your applications and operating systems have been updated with the latest patches. Vulnerable applications and operating systems are the targets of most ransomware attacks.
- Use caution with links and when entering website addresses – Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's help desk, search the internet for the sender organization’s website or the topic mentioned in the email).
- Open email attachments with caution – Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
- Keep personal information safe – Check a website’s security to ensure the information you submit is encrypted before you provide it. (See Protecting Your Privacy.)
- Verify email senders – If you are unsure whether an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email.
- Inform yourself – Keep yourself up to date on recent cyber security threats and ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications.
- Use and maintain preventative software programs – Install antivirus software, firewalls, and email filters, and keep them updated to reduce malicious network traffic. (See Understanding Firewalls for Home and Small Office Use.)
What to do if you get a ransomware email
- Isolate the infected system – Remove the infected system from all networks and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
- Turn off other computers and devices – Turn power off and segregate (i.e., remove from the network) the infected computer(s). Turn power off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware.
- Secure your backups – Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
1. “The State of Ransomware in the US: Report and Statistics 2019.” Emsisoft Malware Lab. 12 December 2019. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
2. Morgan, Steve. “Global Ransomware Damage Costs Predicted to Exceed $8 Billion in 2019.” Cybercrime Magazine. 28 June 2018. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/
3. “SonicWall Sees Dramatic Jump in IOT Malware, Encrypted Threats, Web App Attacks through Third Quarter.” SonicWall. 22 October 2019. https://www.sonicwall.com/news/dramatic-jump-in-iot-malware-encrypted-threats-web-app-attacks-third-quarter/
4. “Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate.” Coveware. 22 January 2020. https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
5. Steinberg, Scott. “Cyberattacks now cost companies $200,000 on average, putting many out of business.” CNBC. 13 October 2019. https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html
6. “The Marriage of Data Exfiltration and Ransomware.” Coveware. https://www.coveware.com/blog/marriage-ransomware-data-breach