The Statistics and Costs of Ransomware
Ransomware is a significant risk to all businesses, and I think it deserves a larger audience. The information below is gleaned from recent security reports and my own experiences with Ransomware. This is a three-part series on Ransomware.
As always, I’ll keep the technical jargon to a minimum and will do my best to define terms when needed.
So what is Ransomware?
Ramsomware is a unique type of computer virus that is sent out over the internet to infect computers and take specific actions:
It encrypts files, making them unreadable by the owner of the computer
It assigns a password to the encryption
It demands a ransom in exchange for the password
Because of these specific actions, this type of virus is known as Ransomware. As this type of virus is now incredibly easy to develop, simple to deploy, extremely profitable for the criminals involved and unfortunately difficult to prevent, it has quickly become the most talked about type of cyberthreat. Consequently, it has generated an entire industry specifically for addressing this issue at large corporations.
Ransomware makes use of modern technologies designed for convenience and security, but it uses them against the owner of the files. For example, it uses the operating system’s ability to encrypt files with a password. It also makes use of convenient online payment processing to extort exorbitant amounts from victims desperate to have their files back.
So what are the risks?
According to a broad study completed by Verizon called the 2019 Data Breach Investigation Report,
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
This report is about all computer security breaches, but it points to some disturbing statistics:
43% of data breaches targeted small businesses
34% involved employees, but 69% were perpetrated by people outside the company
39% involved organized crime groups and 23% involved foreign states
C-level executives were twelve times more likely to be the target
28% involved malware and 24% of malware attacks employed Ransomware (so Ransomware was about 7% total security breaches)
Just 7% you might say, that’s not so bad. First of all, let’s not forget that 43% of total data breaches involve small businesses. Yes the risk is small overall, but for small businesses, entrepreneurs and gigsters (our typical audience), the risk is much bigger.
Let me put that last statistic in a different context. This past year, I provided ongoing security and technical support for about 40-50 computers. In that time I removed well over 3000 malware applications from these systems. Statistically that means that 720 of those (24%) could have been Ransomeware. While I haven’t analyzed every line in my logs, I do know that Ransomware descriptions came up many times as I was running the scans.
We should also consider that there are automated filters on most email systems. If you use commercial email service from a companies like Microsoft for example, chances are their systems are already filtering email before it even gets to your company’s computers. Your computing staff (if you have such staff) is likely managing this for you as well. However, smaller businesses, especially one-person operations may not have those filters in place. Even when they do, is it set optimally? This could open the door to Ransomware infecting your company’s computers.
The bottom line is that it only takes one single Ransomware application to get through. Once it is on your computer or your network, the spread will likely be rapid – it is designed to be. It could also happen at night while a computer is left on for backups. Once the files on that computer are encrypted there is little that can be done to decrypt them without paying the ransom.
So what does it really cost?
Ransomware attacks are very expensive to remediate. Typically most small businesses just pay the ransom and move on. If they are not required to report it, the embarrassing episode is quickly glossed over and forgotten. For those attacks that have been reported the statistics are staggering. According to the SafeAtLast website:
In 2018 Cybercrime generated about $1.5 Trillion in revenue for criminal entities, and cost businesses $6 Trillion to remedy.
It is estimated that world-wide over $1 Billion was paid in ransoms
In the US, $25 Million was paid in ransoms
The average cost of a ransom to businesses in the US is $133,000
Over a quarter of all companies would pay between $20,000 and $50,000 to hackers to recover their data (which is significantly less than what businesses have had to pay)
The average cost of a ransom for an individual or a small business in the US is $500-2500
Obviously, Ransomware is expensive. For small businesses who can’t always afford the best protection, a portion of the budget should be reserved for preventing Ransomware attacks. Likewise Insurance policies should include some language about the threat. Finally, if there are funds available, some money should be put aside each year for the eventuality that the company is attacked. The amount is different for everyone, but it is a good investment to make in any case.
Why not just pay the Ransom?
That is actually what most small businesses and individuals do. According to the SafeAtLast website, only about ¼ of small businesses report a Ransomware attack. Businesses have to consider the biggest risk in reporting the attack: it could scare customers and clients away. It is an embarrassment suggesting that they did not have adequate security measures in place. However, there are some very good reasons not to sweep the attack under the rug.
It may be illegal to not report it. Also, if there is another security breach in the future, the business could be liable for failing to adequately warn its customers and clients
The odds of a repeat attack are high – if it was possible before, it is likely possible again. Sometimes hackers will target businesses a second time just to point that out
Cybercriminals share their successes – a paid Ransom is an advertisement about the vulnerability of a business
All computer viruses, including malware and Ransomware are notoriously difficult to remove completely from computers – unless the systems are completely wiped or renewed, it is likely some remnants of the software are still present
Paying the ransom legitimizes the efficacy of Ransomware and encourages others to copy the crime
The revenue of cybercriminals further finances their crimes – they can use the money to buy better equipment and better code from fellow cybercriminals.
If you are the victim of Ransomware, before you pay the ransom, consider hiring a capable company that deals in these issues. It won’t be inexpensive, but there is a small chance that they may be able to recover your files without paying the ransom. Alternately, they can assist in making the payment (this usually involves an unfamiliar currency like Bitcoin), and they can help advise on proper reporting requirements.
Keep in mind that a well-orchestrated Ransomware attack is likely not originating from some the stereotypical hacker-teen in a garage. It is much more likely from an experienced team of criminals you do not want to have any more interaction with than necessary. It is a serious crime and there have been instances of physical harm as well.
Conclusion
Ransomware is a significant threat to businesses, and should be handled by experts. Many small businesses believe that they will be one of the lucky ones or that they can hide in a crowd of thousands of small businesses just like them. Unfortunately, the statistics don’t bear that out.
Cybercriminals do not discriminate between large and small companies. Their livelihood depends on searching for weaknesses wherever they may be. Because small businesses do not have big budgets to protect themselves, weaknesses in computer security are more common. Hence, they are an easier target for cybercriminals.
In the next issue of the Gigster ‘Zine! I will describe the ways that Ransomware will change in the coming years, the trends of the past year, and my own thoughts on where things may be headed. I hope this is a relevant topic, not just for the techy readers out there, but for all business owners big and small.
