While COVID-19 has been sweeping across the globe, a parallel pandemic of ransomware has been occurring at the same time—and they might be interconnected.
Researchers at Barracuda Networks say the number of major ransomware attacks (those aimed at enterprises) is up 64 per cent from this time last year. The global report suggests hackers are shifting their ransomware targets, getting greedier, and exploiting the pandemic era work-from-home (WFH) trend.
Although public agencies like the Washington, D.C. police department and dozens of U.S. school districts have been hit by ransomware, the private sector has become the main target. Fifty-seven per cent of all ransomware attacks in Barracuda’s report were directed against corporations, up from just 18 per cent in last year’s survey.
Attackers are also asking for more money (cryptocurrency, actually), with the average ransom demand now topping $10 million. In 30 per cent of cases, the ransom demand was higher than $30 million.
The WFH link
Has the mass exodus of workers from office to home contributed to the rise of ransomware?
Yes, according to the Financial Stability Board (FSB), an international body that monitors banking practices and trends worldwide. It concluded in a recent report that “the rapid move to WFH arrangements increased the scope for cyber threats and for dependencies on third-party service providers.”
FSB added that across all verticals (not just finance), “cyber activities such as phishing, malware and ransomware … grew with the spread of the pandemic, from fewer than 5,000 per week in February 2020 to more than 200,000 per week in late April 2021.” It did not break down how many of those incidents involved ransomware, however.
Then there’s the whole VPN drama surrounding the Colonial Pipeline ransomware attack, which shut down oil supplies to the entire southeast United States in May.
The cause? A legacy VPN system Colonial had set up long ago so staff could work remotely. According to Colonial’s internal investigation, the DarkSide gang broke into the archaic VPN (which relied on single-factor authentication only) using a Colonial employee’s password, which was possibly stolen from the dark web.
“It was a complicated (VPN) password, I want to be clear on that. It was not a Colonial123-type password,” Colonial CEO Joseph Blount reassured a U.S. Senate committee hearing on the incident.
So although a VPN was the conduit for the attack, the incident had nothing to do with pandemic-related WFH. Colonial had already stopped using that particular VPN well before COVID-19 ever emerged.
Still, the incident shows how easily ransomware can be deployed through a WFH VPN.
Should you ever pay a cyber ransom? Here is some of the most recent news and thinking on that question.
No: The FBI advises ransomware victims not to pay up. Many cybersecurity vendors give the same advice. They point out there’s no guarantee that hackers will return your data after being paid. Another argument is that if you pay ransom once, the hackers will just hit you up for more. Again. And again.
Maybe: Gartner Research makes the case that paying ransom might actually make sense, depending on the circumstances.
“Ultimately, this has to be a business decision. It needs to be made at a board level, with legal advice,” Gartner analysts wrote in a November 2020 research note, even suggesting payment mechanisms be established in advance: “Setting up a cryptocurrency wallet can take time, so if payment is a possibility, then making the necessary preparations will speed up the time to recover.”
Only after negotiating: In its ransomware report, Barracuda notes some companies have negotiated much lower payment amounts with cyber crooks. JBS, the world’s largest meat supplier, bargained a $22.5-million ransom demand down to $11 million; German chemical company Brenntag paid $4.4 million after haggling with its attackers over an initial demand for $7.5 million.
It might be illegal: The U.S. government issued a warning last fall that facilitating payments to ransomware perpetrators could break federal law. It says the advisory applies to “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”
Now we’ll leave you with this parting piece of data.
A Sophos study found that a measly eight per cent of victims who pay ransomware end up getting all their data back. On average, Sophos says victims who pay cyber ransom recover only two-thirds of their data from the thugs who took their digital assets hostage.
In other words, when it comes to ransomware, it actually doesn’t pay to pay.