Here’s an apocryphal story from our social media-frenzied world. Desmond’s daughter Dolly sent her father this text message: “Dear Daddy, I’m so excited to tell you that I’m getting married to this gorgeous guy, LOL! As you know, I’m in Sydney and he’s in San Francisco. We met on Tinder, became BFFs on Facebook and had long chats on WhatsApp. He proposed to me on Skype, and we’ve had a two-month relationship on Zoom. Dad, I need your blessings, your credit card and cash for our wedding! Love you!”
Desmond was despondent but texted her this delightful reply: “Dear Dolly, Wow! Cool! Whatever. I suggest you and your BFF get married on Twitter, have fun on Tango, buy your wedding dress on Amazon, make some freelance dough on Fiverr and pay for the wedding using PayPal. And when you get fed up with this new husband, you can sell him to the highest bidder on eBay! Delighted, Dolly! Love, Dad.”
You wouldn’t be far wrong if you thought that exchange read like a ransomware negotiation. Three points stand out: one, the “attacker” and the “victim” shared an emotional bond; two, no specific sum was demanded, which left room for negotiation; three, despite the risks, the victim refused to pay anything at all.
Is that true in the real world as well? Not quite. As ransomware continues to top the list of cyberattacks, impacted organisations face the ultimate question: to pay or not to pay? An International Data Corp (IDC) survey published at the end of July found that almost half (44%) of respondents were willing to pay the ransom, directly or through an insurance payout, to get their encrypted files back. The figure was about 60% for respondents in Australia and 49% in Singapore.
“Ransomware attacks significantly hinder operations as files are encrypted, compromising the availability of critical resources to carry out daily business processes,” IDC reported. “This is a key factor that forces victim organisations, especially ones with no incident management or contingency plans. The choices are limited — either rebuild affected parts, which usually results in prolonged disruptions, or pay the ransom in the hope of receiving the decryption keys to restore files promptly.”
The problem? Fuzzy regulations and guidelines.
“While most regulators in Asia-Pacific discourage ransom payments, there are no laws particularly restricting the transaction,” IDC noted. “In a separate study, 49.4% of companies that encountered a ransomware attack chose to pay, and 82.4% of those who paid got a working decryption key. Almost 20% paid the ransom but got nothing in return.”
Covid-19 has made matters worse. The worst-hit sector is banking, where the money is: according to a Trend Micro report, the banking industry saw a 1,318% year-on-year increase in ransomware attacks in the first half of 2021 alone.
“Ransomware remained the standout threat in 1H2021 as cybercriminals continued to target big-name victims,” said Jon Clay, Trend Micro’s vice-president of threat intelligence. “Working with third parties to gain access to targeted networks, they used Advanced Persistent Threat (APT) tools and techniques to steal and encrypt victims’ data. The first step towards mitigating cyber risk is understanding the scale, complexity and specific characteristics of the threat landscape.”
The threat landscape is a moving target, and so are the sums demanded. The average ransom demand so far in 2021 is US$5.3 million (RM22.3 million), up 518% from an average of US$847,000 in 2020, according to data collated by Palo Alto Networks’ Unit 42. “The highest ransom demand of a single victim was US$50 million in 1H2021, up from US$30 million last year,” Unit 42 reported. “The largest confirmed payment so far this year was US$11 million that meat processor JBS SA disclosed after it was hit by an attack in June.”
The extortion techniques have also evolved; Unit 42 now counts four. One, data encryption, still the most common: victims pay to regain access to scrambled data and locked-up systems. Two, data theft: the attackers exfiltrate sensitive information before encrypting it and threaten to publish it if the ransom is not paid, which means a clean backup no longer gets a victim off the hook. Three, denial of service (DoS): the attackers flood the victim’s public websites to knock them offline. Four, harassment: the attackers contact the victim’s customers, business partners, staff and the media to tell them the company has been hacked.
“While it’s rare for one organisation to be the victim of all four techniques, this year, we have increasingly seen ransomware gangs engage in additional approaches when victims don’t pay up after encryption and data theft,” Unit 42 noted.
“Put simply: ransomware is a lucrative business. With new tactics like double extortion, this will only continue to rise.”
Another worry: repeat attacks. In a Cybereason survey of 1,263 companies, 80% of victims who paid a ransom were hit again soon afterwards, and 46% regained access to their data only to find that some or all of it was corrupted. About 60% reported a loss of revenue, and 53% said their brand had been damaged as a result.
A new threat? The rise of RaaS (Ransomware as a Service). Under this model, less tech-savvy attackers (“affiliates”) either buy a ransomware kit outright or hand a percentage of every ransom to the developers, who in return maintain the malware, the payment portal and the leak site. RaaS campaigns range from high-volume, low-ransom spraying in the hope that some of those hit will pay, to targeted attacks on large organisations; the model lowers the barrier to entry rather than the stakes.
What about Malaysia? About 60% of Malaysian companies worry about being hit by ransomware now or in future, according to the Sophos State of Ransomware 2021 report. About 30% of Malaysian organisations experienced a ransomware attack in 2021, down from 60% in 2020.
“This bucks the global trend where, on average, countries saw an increase in ransomware attacks,” said Wong Joon Hoong, country manager at Sophos Malaysia. “The cost of recovery from a ransomware attack decreased in Malaysia from US$1.06 million in 2020 to US$744,000 in 2021. That is also in sharp contrast to the global average, which saw the average cost of recovery more than double in a year.”
Is buying cyber insurance the answer? Maybe. IDC believes that the rise of cyber insurance products in Asia-Pacific also contributes to the willingness to pay during a ransomware attack. “The insurance payout balances out the financial liability of the payment,” IDC noted. “Coupled with the potential resolution of disrupted activities with minimal resources, one can understand why the sentiment to resolve a cyberattack of this nature via cyber insurance is preferred.”
So then, what preemptive steps can companies take? Here are three tips from McKinsey.
• Map interdependencies: Companies need to truly understand the interdependencies of their network environment, including core systems and apps. In particular, they need to discover the connections and overlaps between IT and operational technology (OT) environments: IT systems handle data-centric computing, whereas OT systems monitor and control physical events, processes and devices in enterprise and industrial operations. Because the two are rarely as separate as the diagrams suggest, this mapping is what lets a company grasp the full implications of a ransomware attack against any part of the organisation.
• Conduct simulations: Companies should rehearse and keep improving their cyber crisis and response scenarios, including ransomware attacks. Simulations are usually most effective when they include third parties such as law enforcement, public-sector industry groups, and critical customers and suppliers. They should force the core decisions: when to isolate or shut down parts of the network, whether to engage or negotiate with the attackers, and who has the authority to approve a payment.
• Make changes: The goal is to achieve cyber resilience. Mapping and simulations can help companies improve their operating model and governance structure. Both activities will aid in identifying and implementing refinements to attain cyber maturity across the integrated IT and OT architecture. Companies can gain greater clarity on the roles, responsibilities and decision-making that will form the core of their response in the event of a ransomware event or other cyberattacks.
The bottom line: should you pay a ransom? The jury is still out. What is clear is that if companies did not pay as a rule, ransomware would not be the business it is today. Being better prepared is the best bet. That means a sound, tested business continuity and disaster recovery (BC-DR) process, backups kept offline or otherwise out of the attackers’ reach and actually restored in drills, and the tools and telemetry to spot malware before it finishes encrypting. Easier said than done, but the IDC figures above make the case: nearly one in five of those who paid got nothing back.
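As an added illustration of the “tools and technologies” point, and not code from the column or from any of the vendors it cites: a toy detector that flags a process writing ciphertext-like (high-entropy) data to many files within a short window, run over constructed sample file events. The event schema, the process names and paths, and the thresholds are all assumptions made for the example.

```python
"""Toy detector for mass file encryption, run over a constructed file-event log.

Added example for this column, not code from IDC, Unit 42, Sophos or McKinsey.
It assumes an EDR- or auditd-style feed where each event carries a timestamp,
the writing process, the operation, the file path and the Shannon entropy of
the bytes written; real feeds differ and the thresholds are illustrative.
"""
import hashlib
import math
from collections import Counter, defaultdict, deque

HIGH_ENTROPY = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0
WINDOW_SECS = 60.0   # look-back window per process
MIN_FILES = 20       # distinct high-entropy files in one window before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain). This is NOT
    encryption; it only yields bytes with the entropy profile of ciphertext
    so the example runs offline and reproducibly."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def detect_mass_encryption(events, window=WINDOW_SECS, min_files=MIN_FILES,
                           threshold=HIGH_ENTROPY):
    """Return {process: peak_distinct_files} for every process that wrote
    high-entropy data to at least `min_files` distinct paths within any
    `window`-second span. `events` are (ts, process, op, path, entropy)
    tuples sorted by ts."""
    recent = defaultdict(deque)   # process -> deque of (ts, path) still in window
    alerts = {}
    for ts, proc, op, path, entropy in events:
        if op != "write" or entropy < threshold:
            continue
        q = recent[proc]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop writes older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_files:
            alerts[proc] = max(alerts.get(proc, 0), distinct)
    return alerts


def constructed_events():
    """Constructed sample telemetry, not real data: a word processor saving a
    few documents, an archiver writing high-entropy zip files (benign, but
    indistinguishable from ciphertext by entropy alone), and one process
    rewriting 40 user files as ciphertext in twenty seconds."""
    ev = []
    for i in range(5):
        ev.append((100.0 + 120 * i, "winword.exe", "write",
                   f"C:/Users/ali/doc{i}.docx", 5.2))
    for i in range(3):
        ev.append((300.0 + 5 * i, "7z.exe", "write",
                   f"C:/Users/ali/backup{i}.zip", 7.9))
    for i in range(40):
        ev.append((900.0 + 0.5 * i, "upd8r.exe", "write",
                   f"C:/Users/ali/Documents/f{i}.xlsx.locked", 7.98))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    text = b"All work and no play makes Jack a dull boy. " * 50
    print("plaintext entropy  %.2f bits/byte" % shannon_entropy(text))
    print("ciphertext entropy %.2f bits/byte"
          % shannon_entropy(pseudo_ciphertext(b"seed", 4096)))
    for proc, count in detect_mass_encryption(constructed_events()).items():
        print(f"ALERT: {proc} wrote ciphertext-like data to {count} files "
              f"within {WINDOW_SECS:.0f}s")
```

Entropy on its own is a weak signal: archivers, media encoders and files that were already encrypted look the same to it, which is why the 7z.exe events above stay under the file-count threshold rather than being treated as clean. A production rule pairs the entropy test with extension churn, canary files and the write rate, and fires early enough that the host can be isolated before the encryption run completes.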
Since we started with a short story, let’s end with one. “Last week, my company was hit with ransomware by a kind-hearted hacker,” my friend, who runs an SME, told me. “The hacker sent us a message stating that if we paid the ransom quickly, he would send us a big, expensive hamper for Christmas!