Ransomware attacks are striking at an unprecedented rate, and many businesses are deciding it’s in their best interests to pay—but is it really?
We are in the midst of a growing global crisis that threatens not only the stability of countries’ economies, but also the safety of their citizens. And while its forerunners have been around for decades, these latest versions are even better at infecting their targets while maximizing potency and prolonging recovery. The worst part? This threat mutates and evolves over time, making it a constant battle to protect potential victims from the latest variants.
But this blog post isn’t about the pandemic; we are actually describing the recent blight of ransomware attacks across the globe. A ransomware attack is a specific kind of cyberattack in which the perpetrator holds a company’s or individual’s data hostage until they pay a ransom to get it back. However, unlike a ransom in the physical world, the main goal of the hackers perpetrating the attack isn’t to steal data from the victim (though they certainly do that as well). Instead, they use strong encryption algorithms to render the information on infected computers inaccessible. In layman’s terms, it scrambles the data on every computer and device it can access on the network. Like any cipher, the encryption algorithms used by hackers can be broken, but the computing power and time required usually make doing so infeasible. There are some companies that sell decryptors that can crack commonly used ransomware encryption schemes. But this is also a costly option with no guarantee that it will actually recover all your data.
The Problem Continues to Grow
In 2020, the number of ransomware attacks increased 485 percent over the prior year, and the first three quarters of 2021 have shown a 102 percent increase over that. This surge has resulted in some significant attacks with major repercussions—as outlined in our previous blog: Ransomware on the Rise.
Now, another major attack can be added to this list. On July 2, IT outsourcing firm Kaseya was breached and infected with ransomware. What makes this case unique is that the ransomware was able to spread to the networks of many of Kaseya’s customers via their Virtual System Administrator (VSA) software. To make matters worse, some of those companies provide services to third parties through the VSA software, causing the attack to snowball into a massive breach that ended up affecting thousands of businesses across the globe—including JBS, the largest supplier of beef in the world. This case reveals how quickly modern ransomware can spread and how many machines it can potentially infect when a service provider is breached. Unfortunately, you don’t just have to worry about your own security; you also need to be able to trust that the third parties with access to your network are taking security seriously.
The sheer scope of the problem is probably best exemplified by the corporatization of hacker groups. Like any good capitalist enterprise, these corporatized groups take advantage of the division of labor. This allows both sides to play to their strengths: the organization provides infrastructure and stability, leaving the hackers to focus on infiltrating the target organization. Once the breach is made, the hacker hands it off to the organization, which then oversees the negotiation of the ransom and the receipt of payment. The profits are then split between the two parties in a structured manner.
Even when legal action is taken against these groups, they like to play possum. The same principal actors will fold their current operations and then reestablish themselves under a different name. This also has the added benefit of letting them reorganize their structure—determining new targets to focus on and adjusting the terms of the profit-sharing agreements they make with partner hackers. This scenario played out in the wake of the disastrous Colonial Pipeline attack, which stymied the flow of fuel to parts of the East Coast and the South. The company ended up paying the ransom to the tune of $4.4 million, but the disruption was so severe that it prompted a massive response from federal law enforcement. Eventually, the DOJ took decisive action against the group, ostensibly shutting it down through a series of raids and seizures.
However, not long after the group was shut down, a new entity calling itself BlackMatter emerged, which used much of the same code that DarkSide had previously used in its attacks—linking the two. And this is no isolated phenomenon; the Kaseya attack was perpetrated by REvil, a ransomware-as-a-service group thought to be based in Russia. It evolved from GandCrab, which itself has connections to the early ransomware-as-a-service group Cerber. The creation of these digital doppelgangers also helps hackers avoid police agencies that have issued bounties on the group or levied a fine on people who pay their ransom. This makes law enforcement efforts to shut down large hacker groups a bit like a game of whack-a-mole, with the victims paying the price.
What Happens When You Pay the Ransom?
So, let’s say the worst has happened and you have experienced a ransomware attack. Your options are to pay the ransom to have your data decrypted or to attempt to restore your data from a backup. For those who choose the former and pay the ransom, if all goes according to plan, the hackers provide a key that allows the victim to begin the process of decrypting all the affected data and purging their systems of any and all remnants of malicious code. The attack may also force a company to invest heavily in new security measures in an effort to prevent future attacks.
Unfortunately, the situation described above is a best-case scenario. Even after paying the ransom and receiving the decryption key, the victims are by no means out of the woods. The decryptors the attackers provide are often shoddily written and can take an extremely long time to decrypt. This comes as no surprise, as the hackers’ main goal is to write code that can encrypt data super fast. They are not nearly as concerned with the effectiveness of their decryption software. In fact, some companies have been forced to abandon efforts to recover their data with the keys provided, because waiting for it all to be decoded would result in too much downtime. This was the case for Colonial, which paid the ransom soon after being attacked but had to resort to restoring from backups anyway because it would take less time than the decryptor.
Even if the decryptor is allowed to run its course, there is no guarantee that you will get all your data back. A report from cybersecurity company Sophos reveals 32 percent of businesses in 2021 paid the ransom (up from 26 percent last year). However, of those companies, only 8 percent were able to get back all their data. In fact, 29 percent of the companies that paid were unable to recover even half of the data that had been encrypted. Depending on the importance of this unrecoverable data, a business can remain crippled even after complying completely with the criminals’ demands. Furthermore, these breaches often go hand-in-hand with data theft, so even if a company is lucky enough to restore all its data, it may still have lost control of proprietary or sensitive information, which can have reputational as well as financial repercussions.
Despite so much uncertainty, many companies still determine it is in their best interest to acquiesce and pay the ransom. But even if the exchange goes completely according to plan, the act of paying alone makes your company more likely to be targeted in the future. A survey reported in Newsweek indicates that of those businesses that paid a ransom, 80 percent were targeted for a second attack. Feeding the beast may seem prudent at the time, but it only serves to show the black-hat hacker community that your company is willing to play ball.
The drawbacks to paying the ransom are just too great, especially when there is no guarantee you will get your data back. After all, these are criminals, and they don’t operate under a strict code of ethics. But the absolute worst thing about paying is contributing to the lucrativeness of their scam—ensuring that we will be dealing with it for years if not decades to come.