What is Ransomware?
Understanding ransomware is easy enough since its meaning lies within its name. Without getting too deep in the technical rabbit hole, ransomware is simply a type of malware that blocks access to data or even whole computer systems until a ransom is paid. This type of malware is a huge issue that will harm anyone who isn’t properly prepared. In the past, it has impacted all industries from government agencies to hospitals and commercial businesses. Today, it is more or less the same if not worse.
Ransomware can be traced back to the late eighties and has only become more sophisticated as time has gone on. Not only that, demands for payments have dramatically increased as well. Back in the mid-2000s, a company hit by a ransomware attack would be expected to pay around $300. Now this number has skyrocketed to about $312,493 on average in the past year. Even accounting for inflation, this is a huge jump. In 2019, the average payout of a ransomware attack was $115,123, meaning the ransom increased 171% from 2019 to 2020. It remains to be seen how much this number will change this year, but given recent events it is possible that this number continues to grow.
Bad actors are becoming smarter and, in turn, greedier, since they know many of these companies cannot afford to have their systems down for an extended period of time. As a business, they must weigh their options. Either they pay out obscene amounts to potentially get their data back or they risk costly system downtime that will result in disastrous financial and public image damage. More often than not, companies will opt for the former. According to Proofpoint’s State of Phishing 2020 report, more than 50% of those with a ransomware infection will end up paying the ransom.
Speaking of financial and public image disaster, Colonial Pipeline unfortunately has been the latest and arguably the most high profile target yet.
The Colonial Pipeline Disaster
Colonial Pipeline, one of the largest oil refinery pipelines in the U.S., made headlines this month when it was announced that they had suffered a ransomware attack that impacted gas pipelines to multiple states. The company contributes about 45% of the East Coast’s fuel supply.
More news began to circulate and it was eventually revealed that the company had to pay a ransom of $4.4 million. This act surprised many because paying the ransom to bad actors is generally looked down upon.
According to the FBI, paying the ransom does not guarantee that the organization will get any data back, but it does encourage cybercriminals to continue to attack the sector. This was exactly the case for Colonial Pipeline. While the company was able to get a decryption tool to unlock their systems, they were ultimately not able to immediately restore their pipeline systems as they had hoped. Therefore, it comes as no surprise that the FBI does not support paying the ransom for a ransomware attack.
Statistics reveal that while 70% of organizations do end up getting their data back after paying ransom, 30% either never received access or faced demands for an additional ransom.
When it was all said and done, the Colonial Pipeline would end up being shut down for six whole days. This sent a shockwave throughout much of the East Coast and left thousands of gas stations without fuel, spurring gas prices to record highs. Some states in particular, such as North Carolina, Virginia, and South Carolina, were considerably affected. At the peak, about 71% of gas stations in North Carolina had no gasoline at all. This in turn set off a mania in which people began panic buying and hoarding gas. Opportunists capitalized on this and began reselling their hoarded gas for absurd prices on places like Amazon and eBay.
Colonial Pipeline CEO Responds
Though it was a controversial decision, Joseph Blount, CEO of Colonial Pipeline Co., revealed why he had to pay the ransom. He disclosed that he initially did not want to make the payment but ultimately decided to do so, citing that it was “the right thing to do for the country.”
This is the reality for many of the companies that have been a target of ransomware. Even though they may know that, in good conscience, they should not pay the ransom, oftentimes these groups leave them no choice.
The group behind the Colonial Pipeline attack seems to call itself “DarkSide,” according to recent reports from the FBI. The organization is believed to originate from Eastern Europe and has had a history of over a dozen ransomware cases in the past nine months.
It was later announced that this group would be shutting down, potentially due to rising pressure from U.S. officials. However, the problem still remains. Even if this hacking syndicate were to be taken down, there would be several more ready to take its place. Changes must be made from the top down, and these concerns would later be addressed by President Joe Biden.
A National Response Is Prompted
Ransomware worries escalated to the point of national attention when President Joe Biden signed an executive order to strengthen U.S. cybersecurity.
Though the order had long been in progress, the ransomware attack on Colonial Pipeline Co. may have played a hand in speeding up the legislation.
Recent statistics reveal that the annual number of ransomware attacks has increased year after year from 2017 to 2020, so perhaps this is an issue that has been gradually ballooning out of proportion.
This past year, it is estimated that over 304 million ransomware attacks occurred with the Colonial attack being one of the latest and most high profile due to its effect on oil prices. Other notable attacks include the United Health Services, Argentina’s leading telecom provider Telecom Argentina, and many other colleges and institutions.
Surely it is only the medium to large businesses that get targeted by these ransomware attacks, given the number of big names that have been hit in recent memory? Well, according to the Department of Homeland Security, not necessarily.
Why Small Businesses May Be Affected Too
The U.S. secretary of homeland security spoke just last week in front of over 1,500 small business owners and informed them that they were a target.
Alejandro Mayorkas, secretary of homeland security, explained “We recognize and appreciate the fact that small businesses comprise the backbone of our nation’s economy – It is for that very reason that individuals who pose a threat to our nation – who employ cyber tools and particularly ransomware – target small businesses as extensively as they do.”
According to senior executives, 46% of all small businesses have been a target of ransomware attacks. Of these businesses, about three-quarters will end up paying the ransom, which will only serve to encourage bad actors to keep going.
Small businesses are most at risk due to a lack of investment in, or even knowledge of, disaster recovery and cybersecurity.
According to Hiscox, an insurance carrier that specialized in the small to medium business market, these cyberattacks on average cost up to $200,000. As a result of these attacks, 60% of these businesses will go into bankruptcy.
What Steps Should Small Businesses Take?
No business can guarantee your safety from ransomware attacks; however, there are measures that you can take to reduce your chances of being targeted.
Here are just a few:
- Make sure to keep regular backup copies of all critical information and files
- Have a tested disaster recovery program
- Make sure there is a plan in place in the event of a ransomware infection
- Require all employees to use multi-factor authentication
- Report suspicious activity immediately
- Educate staff on proper cybersecurity awareness habits
All of the above are areas that we can assist with, but you should start with an in-depth risk assessment.
At Tiro Security, we offer cost-effective, quality, comprehensive assessment services, targeted phishing simulations, and online security awareness training that can help mitigate the risk of a ransomware attack.
If you are a business, contact us now to schedule a comprehensive assessment or learn more about our services.
A Word About Our CEO
Tiro Security’s CEO Kris Rides is one of the most experienced cybersecurity staffing specialists in the industry.
He is a founding board member of the Southern California Cloud Security Alliance Chapter and serves as an advisory board member to the National Cybersecurity Training & Education Center (NCYTE). With his many years of experience, Kris has spoken at some of the most prestigious conferences in the field including DEFCON, BSidesL, ISC2 Congress, and RSA.
Kris is looking forward to speaking at Wild West Hacking Fest’s Way West conference in Reno, Nevada in June. He’s extra excited as this will be his first in-person talk since the pandemic hit.