Has ransomware gone respectable? It’s more criminal than ever, says new report!

07 Feb 2020

Ransomware, we’re all told, is perpetrated by unprincipled crooks who take data hostage and don’t give it back even if you pay the ransom. End of.

But this is seriously at odds with a fascinating new report from anti-ransomware specialists Coveware, which paints a picture of more sophisticated protagonists with an apparently respectable customer service ethic!

Confused? Don’t be. Ransomware is a business – criminal, but a business nonetheless. And like many businesses, it has discovered that slick professionalism can be put to effective use on the dark side too.

Here’s how ransomware is changing – and why it’s not for the better.

Respectable ransomware reels victims in

The report tells us that increasingly professional ransomware approaches are merely a calculated ploy to enhance the ‘reputation’ of the strain in question, simply to achieve better long-term returns.

For example, many attackers have invested in developing better decryption tools, and are also becoming more selective about the ‘distribution affiliates’ they work with, and their deployment tactics.

Ultimately, both these initiatives aim to prevent corruption of the ransomed data – not for anyone else’s benefit, but to convince victims that the ransom will deliver their data back to them in good order - and thus to part with their cash.

Indeed, the report shows that in Q4 of 2019, 98% of the companies that paid the ransom received a working decryption tool, and those tools successfully decrypted 97% of the ransomed data – an increase on the previous quarter.

Ransomware costs are doubling!

Indications are that this more sophisticated ransomware culture is gaining significant traction, especially when you look at the spiralling costs involved.

These include not just the cost of the ransom itself, but the parallel costs of reinstating networks and hardware, plus the loss of productivity and revenue whilst systems are offline (just ask Travelex!)

In Q4 of 2019, the average ransom payment alone increased by 104% (according to the report’s US data) to the equivalent of £64,844.

That’s a nifty return on investment for the attackers!

Downtime is on the up

At the same time, ransomware now takes businesses down for longer, with the average downtime in Q4 2019 increasing to 16.2 days, from 12.1 days in Q3.

What’s interesting is that this is in part driven not by the attack itself, but by the time-devouring challenge of accessing and restoring data that has been backed up in order, supposedly, to combat the effects of just such an attack. Indeed, it seems that the cure can be as painful as the disease.

It’s a sober reminder of the importance of choosing a backup solution that does not wait for the entire backed-up data set to download before anybody can start using the data again.

Where’s it coming from, how’s it spreading, who’s it hitting?

Some interesting subtleties emerge here. Firstly, it seems that ever-smaller businesses were more likely to be hit by relatively unsophisticated ransomware in Q4 2019, compared to Q3 (Phobos and Sodinokibi are the cited examples).

Exposure to these low-end ransomware strains also means, as mentioned above, that businesses of this size are more likely to find some part of their data, when returned to them, irreversibly corrupted.

For larger businesses, a more developed strain of ransomware is the norm. Unsurprisingly, the strain cited, Ryuk, is responsible for the extortion of much higher sums (almost £602,000, on average). Its high-end ‘reputation’ perhaps suggests victims will get most of their data back, uncorrupted – but it’s an expensive way of doing it!

Mapped to a few other factors, these figures make for even more alarming reading:

  • If your business is software services, professional services or health care, you’re in the top 50% of the most-targeted industries for ransomware.
  • If you use email (who doesn’t?), email phishing attacks account for well over a quarter of all ransomware attack sources.
  • If you don’t patch your software vulnerabilities, you could join the 1 in 8 companies who got hit by ransomware this way.
  • And if you or your employees use Microsoft’s Remote Desktop Protocol (RDP) to access business PCs and devices from other machines, that’s well over 57% of all ransomware entry points, right there.

What can you do?

All that said, take heart – because no matter how sophisticated (or unsophisticated) ransomware is, the ability to rapidly access backed-up data, instantly restore it into your systems, and immediately continue using it, renders it toothless. Attackers can’t take data hostage when you can easily get to it from somewhere else - as long as the backups themselves, of course, cannot be infected or corrupted!

Make the right choice of backup solution on all these fronts and you’ve got ransomware licked. Get it wrong and, as the report describes, you could be left licking your wounds.

And that’s not a very respectable position to be in.