Most cyber security experts recognize ransomware as the most prevalent form of cyberattack directly threatening companies, NGOs, and even governments around the world. In the past, these attacks generally targeted individuals; in recent years, however, their potential for large-scale destruction has grown greatly.
We should keep in mind that most ransomware attacks today are, in fact, two-pronged extortion attempts. Hackers not only prevent the owner from accessing their data through encryption, they also exfiltrate copies of that data in advance. This allows them to exert greater pressure on the owner by threatening to publicly release that data if the owner refuses to pay up.
It is this characteristic that makes ransomware such a great problem for companies. The damage to a company’s reputation often ends up being far greater than the infrastructure damage incurred in a ransomware attack. What makes matters worse is that there is no guarantee that the cybercriminals will not publicly release the data anyway, despite receiving the ransom.
No honor among some thieves, apparently.
In terms of statistics and trends, 2020 brought us the following:
- 51 percent of businesses were targeted by ransomware.
- The average ransomware payment demand was approx. USD 233,817 in Q3 2020.
- 1 in 5 SMBs and 4 in 5 MSPs were targeted by ransomware attacks.
- We saw a 40% surge in global ransomware, reaching 199.7 million hits.
- By the end of 2020, ransomware costs reached USD 20 billion for all businesses.
Ransomware during COVID-19
Cybercriminals did not hesitate to make the most of the uncertainty and instability brought on by last year’s pandemic. In fact, the work-from-home policy practiced by most businesses exposed a number of weaknesses in companies that were not prepared to deal with a remote set-up.
Generally, the circumstances of last year provided an ideal environment for hackers looking for ever-larger payouts for their activities. In fact, criminals hid ransomware in COVID-19 materials, trying to get people to visit fake websites and download malicious content.
According to researchers, the pandemic caused a 72 percent increase in ransomware attacks. For instance, in Italy, one of the countries hit hardest by the virus, we saw the rise of a ransomware strain called [F]Unicorn, which spread through a fake contact tracing app. The fake app led users to believe that it offered real-time updates on new infections.
However, after installing it, people started noticing that their data was now encrypted and finding ransom notes demanding that they pay EUR 300 within 3 days. Luckily, [F]Unicorn was created by a relatively inexperienced hacker, reusing code from already known ransomware.
Grubman Shire Meiselas & Sacks
Ransomware: REvil
Damages: greater than USD 1 million
In May last year, the well-known entertainment and media law firm Grubman Shire Meiselas & Sacks was hit by an attack using REvil ransomware. The firm proudly lists some of the most prominent celebrities and companies as its clients.
In a typical double extortion attack, the cybercriminals stole 756 GB of sensitive data before encrypting it. Allegedly, this data contained sensitive information on celebrities such as Madonna, Elton John, Lady Gaga, Mariah Carey and Barbra Streisand. The attackers even claimed to have something on Donald Trump, even though he was never a client of the firm.
Initially, the cybercriminals asked for USD 21 million, publishing Lady Gaga’s data to prove they were serious. However, the firm staunchly refused to pay, which led to the ransom being raised to USD 42 million. And the lawyers still would not pay.
In the end, the stolen data went to auction, with Madonna’s information reaching USD 1 million. The firm suffered even more, with its reputation in ruins.
University of California San Francisco
Ransomware: NetWalker
Damages: USD 1.14 million
The University of California, San Francisco (UCSF), one of the world’s leading medical research universities, suffered an infection of its own. It was hit with NetWalker ransomware in June 2020. The attack first began on the servers of the School of Medicine.
Luckily, the university managed to stop it from spreading by isolating the affected systems from the rest of the network. But the criminals still got their hands on a number of databases. With an even greater stroke of luck, the attack did not cause any damage to the university hospitals or their COVID-19 research facilities.
However, as the compromised databases contained some priceless academic research work, the university eventually paid USD 1.14 million in ransom.
Travelex
Ransomware: Sodinokibi
Damages: USD 2.3 million
At the very beginning of 2020, a Sodinokibi (REvil) ransomware variant found its way onto Travelex’s servers. This forced the company’s website offline and disrupted its brick-and-mortar stores and banking services for more than two weeks. This, along with the effects of COVID-19 on air travel, eventually led the company into bankruptcy.
The Sodinokibi criminals claimed to have accessed, copied and then encrypted 5 GB of data from Travelex’s network. Initially, they requested USD 6 million to decrypt the information. Travelex agreed to pay a USD 2.3 million ransom after several weeks of negotiation.
CWT Global
Ransomware: Ragnar Locker
Damages: USD 4.5 million
The U.S. travel management firm CWT paid USD 4.5 million in Bitcoin to hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline. The cybercriminals used a strain of ransomware called Ragnar Locker, which encrypts computer files and renders them unusable until the victim pays for access to be restored.
The hackers and company officials negotiated online in a chat room that was publicly accessible. CWT reported the incident immediately to US law enforcement and EU data privacy agencies.
Allegedly, the criminals stole over two terabytes of data, including financial records, security documentation, and personal details of employees such as email addresses and salary information. Originally, the criminals set the price at USD 10 million to recover the stolen files. However, the company said it could only afford USD 4.5 million because of the pandemic.
Garmin
Ransomware: WastedLocker
Damages: USD 10 million
Fitness brand Garmin paid millions of dollars in ransom after an attack took many of its products and services offline. Reportedly, Garmin paid through a ransomware negotiation company called Arete IR in order to recover the data affected by the attack.
Garmin employees let it slip that the attackers wanted a staggering USD 10 million in ransom. The company declined to comment on whether or not it paid the ransom, but most experts are of the opinion that Garmin must have paid, since its services were restored within days.
WastedLocker is a ransomware strain known for having no known flaws in its encryption that would allow files to be recovered without the attackers’ key. Its reputation furthers the narrative that Garmin had to pay up in order to get the decryptor.
The Take-Away
It seems that ransomware attacks leave no organization untouched. Regardless of whether it is an industry-leading corporation with offices around the globe or a small NGO minding its own business, it is apparent that no one is off limits or immune to these attacks.
As a rule, prevention is much better and easier than the cure. Fortunately, there are steps that you can take to reduce the risk of a ransomware attack and limit its impact. Some of the things you can try are:
- keeping backups,
- performing regular patching,
- using multi-factor authentication and strong passwords,
- introducing security awareness programs for your employees, and
- utilizing the appropriate cybersecurity tools.
Keep in mind that backups only address the encryption half of a double extortion attack; they do nothing about data that has already been exfiltrated, which is why the remaining measures, aimed at keeping attackers out in the first place, matter just as much.
Also, check out our article Easing the Headache of Cybersecurity Attacks for more information on the topic.