Your computer system has been taken over, and the culprits are demanding millions of dollars in cryptocurrency for the key to decrypt the data they now control, or to erase the data they possess. If you fail to pay the ransom, they'll release your customers' and employees' private data into the wild. In the meantime, your systems are useless. You can't pay your employees because the payment system has been corrupted and locked.
Sound familiar? This scenario and dozens of others like it have been all over the press as of late.
Even as this is being written, UnitedHealthcare, the largest health insurance player in the United States, is recovering from a ransomware attack that hit its Change Healthcare unit. More than 100 platforms operated by Change Healthcare, including claims management services, were offline for weeks following a ransomware attack by the ALPHV/BlackCat gang on 21 February, leaving hospitals, small medical practices, pharmacies, and everything in between unable to collect payment for services rendered. This has led to reputational damage control for UnitedHealthcare, in addition to the 350 bitcoins, now worth about $22 million, it allegedly paid for its systems to be unlocked.
Last year, hackers made off with a record of about $1.1 billion from ransomware attacks, according to a report from cryptocurrency tracing firm Chainalysis, about double the tally from 2022. Ransomware attacks were carried out by a variety of actors, from large organized criminal outfits to individuals, and experts say their numbers are increasing. "A major thing we're seeing is the astronomical growth in the number of threat actors carrying out ransomware attacks," Allan Liska, an analyst at cybersecurity firm Recorded Future, said. Recorded Future reported 538 new ransomware variants in 2023.
To Pay or Not to Pay
Fewer ransomware victims are paying up when faced with a ransomware attack, according to a January report from ransomware negotiation firm Coveware. About 29% of organizations paid a ransom in the last quarter of 2023 to get their stolen data back and unlock their systems, according to Coveware's report. This is compared to the 85% who were paying in the first quarter of 2019. The average ransom payment in the fourth quarter of 2023 was about $568,000, a 33% decrease from the third quarter.
Coveware attributes the quarterly drop to several factors, including better cyber defenses and a lack of trust that hackers will keep their promises and delete stolen data. And organizations have a right to be mistrustful. Some 78% of organizations that paid a ransom demand were hit by a second attack, often by the same perpetrator, according to Cybereason's Ransomware: The Cost to Business Study 2024. Adding insult to injury, 63% of these organizations were asked to pay more the second time their systems were breached. The average ransom demand for U.S. businesses has risen to $1.4 million, the highest cost among the nations surveyed. This was followed by France ($1 million), Germany ($762,000), and the United Kingdom ($423,000).
The ransom often pales in comparison to the true costs involved in recovery. Some 46% of ransomware victims estimated business losses to be $1-10 million as a result of the attack, with 16% reporting losses of over $10 million.
A study from researchers at the University of Twente in Enschede, Netherlands, analyzing 481 mostly local ransomware attacks, found 28% reported paying a ransom, with the average amount just over €431,000 and the median €35,000. On average, companies with insurance paid significantly higher ransoms of €708,105, compared to €133,016. "Perhaps this is due to exposed moral hazard: since someone else is paying for the victim, the victim is willing to pay a larger amount," the authors wrote. Companies with backed-up data were less likely to pay a ransom but, when they did, on average paid more than those with no backups. This is likely because businesses holding data considered valuable enough for ransom payments are generally more likely to employ backup systems, compared to those with less valuable data.
In cases where data was exfiltrated, companies were much more likely to pay ransoms. The average payment in those cases was more than 13 times higher, at approximately €1.2 million. Companies that hired incident response firms were significantly more likely to pay a ransom, at just over half of those surveyed, compared with just 21% of companies that only reported incidents to the police.
Government Reactions
The Counter Ransomware Initiative (CRI), a U.S.-led group of 50 countries, pledged to sign an international agreement last October stating that their governments would never pay ransoms to cybercriminals. Of note, the pledge is a commitment from governments, not private-sector organizations. Though the CRI's cybersecurity efforts should be helpful, the private sector is still mostly on its own in the battle against ransomware.
Under requirements from the U.S. Securities and Exchange Commission (SEC) that went into effect in December 2023, listed companies must disclose how they manage cyber risk in 10-K reports. Companies will be expected to detail how they assess threats and protections, and to what degree their boards exercise oversight on cyber issues. Annual filings must also describe the potential material effects of a successful attack. When hackers strike, companies must report the cyberattack to the SEC no later than four business days after they determine the incident will have a material impact on operations.
How Secure Is Your Company?
The U.S. National Institute of Standards and Technology (NIST) has issued a draft update to a publication that offers guidance on how organizations can measure the effectiveness of their data security programs. The two-volume document offers guidance on developing an effective program and a flexible approach for developing data security measures to meet an organization's performance goals. The first volume, written mainly for information security specialists, provides guidance on how an organization can prioritize, select, and evaluate specific measures to determine the adequacy of security that is already in place. The second is aimed primarily at the C-suite and outlines how an organization can develop a data security measurement program, offering a multistep approach for implementing it over time.
Getting it right is important, as companies have seen again and again. A failure to do so not only risks the downing of corporate systems and the loss of millions, which can be fixed and recovered, but also the loss of reputation, which is often irreversible.