If one thing is clear in the cybersecurity universe, it’s that the prevalence of ransomware attacks is surging. According to the annual Bitdefender Consumer Threat Report, there was a 485% increase in year-over-year ransomware attacks throughout 2020. These strikes have continued apace in 2021, with everyone from law firm Jones Day to the Washington, D.C., police department to the NBA’s Houston Rockets being targeted.
So why are ransomware attacks on the rise versus traditional cyberattacks that look to covertly infiltrate a system to steal personal data or intellectual property? According to Wayne Dorris, a Certified Information Systems Security Professional (CISSP) and business development manager for cybersecurity with Axis Communications, one of the primary reasons is ease of use.
“All you’re really doing is encrypting somebody’s server or data, and then you’re just holding it hostage,” Dorris said. “Now you have a victim that is probably more than willing to pay for that. Compare that to a traditional attack, where the attacker will spend months in your system trying to figure out what is the personal data that I can go and get or intellectual property or what credentials I can get. I then exfiltrate that, I put that on the dark web, dark net, and then I have to find another buyer. That becomes a lengthy process.”
Ransomware has become so prevalent that cybercriminals who want a piece of the action but don’t have the technical skills to develop their own malware can acquire it as ransomware as a service (RaaS). Under this model, ransomware developers lease out their ransomware in the same way legitimate software developers lease out software-as-a-service (SaaS) products. Studies show the majority of ransomware attacks these days are coming from RaaS.
The other major factor driving the surge in ransomware is profitability. When something is both easy and lucrative, it tends to proliferate.
“If I actually have personal data, individual credentials, on the dark web, that probably gets you $100 to $300 per credential,” Dorris said. “So I’d have to have quite a few credentials, or quite a lot of data, in order to make that viably good for me as an attacker.”
On the other hand, if a bad actor can hold a company’s entire infrastructure hostage, that can result in a quick and large payoff. When beverage-maker Molson Coors was hit recently with what was thought to be a ransomware attack, it was forced to take its systems offline, resulting in production and shipment delays.
“Ransomware used to start out about $50,000 was the asking price for us to give you the key to restore your data,” Dorris said. “Most data points now show that that starting point is about $250,000. Again, if we go back and compare that to doing individual records, and I have to also find a buyer that is interested, to whereas you already have a business need and you’re shut down, you’re probably going to be well motivated to pay me.”
With ransomware attacks, it’s not just about the cost of the payment; it’s also about how long it takes manufacturers to get their infrastructure back online. That time lag can be very costly in its own right, which is why more and more companies – even ones with good backups – are agreeing to simply pay the ransom. Companies that don’t have a good backup could be forced to rebuild from scratch, which takes significant time and effort.
In recent years, attacks on state, local and school infrastructure have also proliferated. Dorris said that’s because government institutions tend to have outdated systems.
“[Attackers] know that the maintenance for it is not as good as a true enterprise environment,” he said. “Most of these are being funded through taxpayers, so there’s usually a lag in not having cutting-edge equipment, and then even in the number of people that actually keep those patches up to date. That’s really where we see that getting exploited.”
The best way to remediate ransomware attacks is to prevent them in the first place. Dorris recommends always having a good backup that’s tested regularly, so you know you can restore your systems if needed. The other top protections are continued vulnerability scanning on all endpoints and a good patch management routine and maintenance schedule.
Keep an eye out for Part 2 of our interview with Wayne Dorris, where he will discuss why cybersecurity is becoming more of an operational technology (OT) issue and how manufacturers can help bridge the IT/OT divide. And check out the Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.