Why are ransomware demands so high?

by Mark Rowe

Zeki Turedi, CTO EMEA at cyber security product company CrowdStrike, takes a dive into the dark economics of cybercrime.

Over the last couple of years, many organisations around the globe have experienced significant changes in how they work, but one thing that has remained constant is the persistent threat posed by ransomware attacks. This malicious form of cyberattack has been around for over 20 years. It’s only becoming more sophisticated, and payouts and extortion fees are consistently on the rise. Understanding the ecosystem of cybercriminals is the first step to mitigating these attacks.

Ransomware is not letting up

Ransomware is the most successful type of cyberattack. In recent years, cybersecurity teams have had to adjust their entire stacks, as they’ve aimed to secure hybrid working environments for the future, with varying degrees of success. Therefore, it’s entirely unsurprising that cyber-criminals continue to see high levels of success.

Not only that, but data has also revealed that enterprises’ IT security teams are finding it increasingly difficult to defend against ransomware compared to 12 months ago. Almost two-thirds (66pc) of those surveyed admit that their organisation has experienced a ransomware attack in the last 12 months – a notable rise from the 56pc in 2020. And new methods are proving highly successful. Research shows that 77pc of respondents report that their organisation had experienced a supply chain attack, for example, in the past 12 months, increasing from 66pc in 2018.

Threat actors have also significantly improved their extortion techniques, moving from simply locking up company data and collecting a ransom to threatening to leak and sell vital company information obtained from the company’s systems, or even selling access to the company’s critical assets to other criminals. So it’s no surprise that companies are drawn towards paying up.

But the costs are growing heavier. Ransoms paid over the last 12 months have dramatically increased by nearly 63%. In 2020, on average, respondents’ organisations were forced into paying around £1.1 million, whereas, across 2021, the average payment was £1.5 million. So what is the solution?

To pay or not to pay?

Ransomware is a vicious cycle. When an organisation is infiltrated and extorted, the cyberattack is often widely publicised. This means that more cybercriminals are able to witness the success of their peers and are therefore encouraged to commit these crimes themselves. A ransom payment thus affects the future risk levels of businesses, hospitals and schools everywhere — paying up might be described as socially irresponsible in this context.

Also, in many cases paying ransoms is often an ineffective solution anyway. There’s absolutely no guarantee that criminals will honour their side of the bargain when businesses pay up — they’re criminals, after all, and ‘not honouring deals’ comes with the territory. For the vast majority of companies who ended up paying their attackers, the saga didn’t end there. Many were also forced into paying additional extortion fees, equating to around £700,000 on average. These are known as “double extortion” fees. On top of an already hefty ransom payment, it is a devastating blow for many organisations, particularly during economic uncertainty.

So, it makes sense that some experts have even called for the criminalisation of ransomware payments: if the victim is unable to pay, then putting time and effort into sophisticated ransomware attacks should surely become significantly less appealing. But it’s not that simple.

Ransomware threat actors aren’t basement-dwelling teenagers. They’re sophisticated organisations with complex, ever-evolving tools and are sometimes even backed by whole nations. If their tactics aren’t producing income, the reality is that they’ll change those tactics and shift attention elsewhere. Criminals already possess incredibly advanced offerings such as ransomware-as-a-service, which allows criminals to purchase all the necessary tools to commit a ransomware attack in an all-inclusive package, along with dedicated websites to publish leaks and even customer service agents to ‘help’ victims carry out the payments through cryptocurrency.

If ransomware payments are made illegal, adversary groups will just set up an ecosystem of brokerages and shell businesses to get around the problem of making payments for victims. They’re already experts at money laundering. A simple act of legislation will not faze them in the slightest.

Unfortunately for some companies, the only way out is paying the ransom. Although not the ideal outcome, it is a necessary one for them, and making ransomware payments illegal will further victimise the victims who are just trying to recover from a ransomware attack.

The only real solution

Regardless of whether or not the ransom is paid, cyberattacks are a drain on company resources, have significant negative impacts on brand reputation and personally affect all employees involved in fending off this never-ending barrage of attacks. So, what’s the solution?

There is no ‘quick fix’ to the ransomware problem, but developing and maintaining cyber maturity through adopting the best cybersecurity solutions is any company’s biggest chance of survival.

Next-generation antivirus (NGAV), accompanied by other cybersecurity solutions, has the ability to protect against known and unknown threats, which is increasingly important as ransomware gangs continue to multiply. NGAV enables both types of threats to be exposed in near real-time and is much more effective at helping organisations block these threats at a far greater speed than in the past. The best NGAV solutions on the market will also offer specialised human threat hunting teams that work to detect attacks and new extortion methods that may have been missed by the automated process.

Staying vigilant

Cybercrime, especially ransomware, has evolved and become stronger over time, and the reality is that it is not going away anytime soon. Criminalising ransomware payments is far from the right call. Developing resilience and becoming stronger than the ‘low-hanging fruit’ among your competition is. Companies need to stay alert to the current threat landscape, understand what they’re up against, and crucially adopt the best cybersecurity defences that will provide them with long-term security and resiliency practices.
