How big a threat is ransomware?
A good starting point is to look at the prevalence of ransomware attacks on business. According to Symantec (see link below), one of the world’s leaders in cyber-protection, ransomware has changed its nature in the last few years. About ten years ago, ransomware consisted of simple scams based on fake antivirus apps leading to a payment to ‘fix’ the problem. Then the fashion changed to ‘blockers’ or ‘lockers’ that locked users out of their computers: you pay to be unlocked. Now, the fashion is for ‘crypto-ransomware’ that not only locks you out of your files but also encrypts your files. You pay a ‘ransom’ (usually in bitcoins) to get your files back.
Crypto-ransomware is very effective. It generally uses unbreakable encryption, and if the user has no file backups then the only solution may be to pay the ransom. Even if you pay, you may not get your files back – don’t forget you are dealing with anonymous criminals!
Generally, crypto-ransomware, usually delivered by a bot-net, is a ‘quick in and out’ crime designed as a quick payback for the criminal. Accordingly, the ransoms are generally low. For example, the average ransom in 2016 was about $750. But, as I will explain later, the ransom is a very small loss compared with the other costs you face to get back operations and business.
Also, a new trend is emerging where specific companies are researched and targeted. Here, the goal is to deeply infiltrate the company’s IT operations seeking to maximise damage and disruption.
Special Report – Ransomware and business 2016, Symantec.
© Neil Gurnhill, Node International, 2017. All rights reserved.
Foreword
In this series of three articles Neil Gurnhill looks at the main issues affecting businesses due to the rise in ransomware over 2016 and 2017.
This first article looks at the state of the threats posed by ransomware. The second article, Ransomware – coping with the threats, develops the actions required to reduce the threats, and the third article, Ransomware – the role of cyber-insurance, outlines the important benefits that cyber-insurance brings in the event of a successful attack.
The third article may be obtained by contacting Node International using the contact details provided at the end of the article.
The articles are mainly focused on readers in the USA and Canada, the two countries together accounting for over 44% of the world’s attacks. However, their points are relevant to any reader in any developed economy.
Also, these articles are primarily aimed at brokers and senior corporate managers in North America who need greater familiarisation with cyber-insurance.
The articles were written in 2017 based on research focused mainly in late 2016.
Neil Gurnhill, CEO of Node International, is one of the world’s leading experts on cyber-insurance.
Node International is an international, specialist cyber-insurance broker and underwriter at Lloyd’s of London.
These ransoms are generally larger, about $15,000 to $20,000. The disruption costs can run into many $000,000’s.
Ransomware has been described as ‘a billion-dollar nightmare for businesses’ (see link below), and this is not far from the truth. The FBI estimates that there are 4,000 ransomware attacks per day in the USA and that the cost of ransomware in the first three months of 2016 was $209m, a growth from $24m for the whole of 2015.
However, cyber-security researchers and practitioners believe this is grossly underestimated. For example, Datto (see link below), based on its survey of 1,100 IT professionals, found that about 92% had suffered ransomware attacks in 2015/16, including 40% that had suffered at least six attacks. Importantly, only about 25% reported the attacks to the authorities (hence the FBI’s probable underestimate). Datto goes on to state that ransomware costs about $75bn each year (and growing), of which only $375m is the cost of the actual ransom, a minuscule percentage!
Who are the victims?
Ransomware is an international phenomenon. The USA is the country most affected, accounting for 28% of attacks. Then, in descending order, come Canada at 16%, Australia at 11%, India at 9%, Italy and Japan each at 4% and the UK at 3%. The remaining countries around the world account for 25%.
Based on these figures, North America could account for 44% of all attacks, costing (using Datto’s research) about $118bn a year. Clearly, bearing in mind the business disruption costs and delays in business output, ransomware has a huge effect upon a country’s economic productivity and wealth.
Consumers are the most likely victims of ransomware attacks, accounting for 57% of all attacks between January 2015 and April 2016, compared to 43% for organizations. In January 2015, there were about 85,000 consumer attacks per month compared with about 37,000 organizational attacks per month. However, October 2016 saw just over 100,000 attacks per month (a trend peak) for organizations compared with about 50,000 attacks per month for consumers. The overall trend for corporates is one of growth.
Not all organizational and business sectors are affected equally. The services sector accounts for about 38% (mainly due to its high level of integration with Internet services). Manufacturing accounts for about 17%. Finance sectors and public administration account for about 10% each, followed by the wholesale trade at 9%, transport, communications and utilities each at 7%, and the retail trade and construction each at 4%.
How are ransomware attacks delivered?
Ransomware criminals are becoming more expert, innovative and audacious. For example, the use of bitcoins has significantly increased the success and profitability of ransomware to criminals. Using a bitcoin ‘wallet’ for each attack, then moving the money through chains of wallets, generally means that the movement of money is outside the traditional financial system and anonymous.
How ransomware became a billion-dollar nightmare for businesses, The Atlantic, September 3rd 2016.
Datto’s state of the channel ransomware report 2016, Datto.
Generally, the major ransomware operators, such as TeslaCrypt and Locky, mount major spam campaigns, meaning that millions of users are being hit on a daily basis. Just 0.001% of these spam emails finding a victim still means very high profits to the criminals.
But, as I mentioned earlier, ransomware criminals are targeting specific organizations, businesses and industries. The level of expertise seen in these targeted attacks is similar to that of cyber-espionage attacks, and they are hard to protect against. The goal is to penetrate deep into a victim’s IT systems, infect as much of them as possible, and only then issue the ransom demand. This approach is likely to be a main growth area over the next few years.
It gets worse! We are now seeing an acronym, RaaS, meaning Ransomware as a Service. It means that criminals of low technical skill can purchase services that provide the malware as well as the distribution channels to the potential victims. The creators and operators of the RaaS act as a ‘wholesaler’ of ransomware and take a percentage of the profits. Again, this is likely to be a growth area in the coming years.
In effect, ransomware is likely to become, even more so, a growth industry in its own right, with expert targeting services, expert malware creators, expert distributors and so on. It’s a criminal industry that could wreak havoc.
But, in the main, it’s an industry based on one inadvertent and simple action. Someone in the organization clicks on an infected link in an email and/or on a website – stop this and you stop ransomware. Of course, it’s not as simple as this, but it could be, and I’ll return to this point later in articles two and three.
Ransomware is delivered by a small number of mechanisms. The most common way of infection is by a person simply clicking on a link in a botnet-delivered email. In principle, these are spam emails with little personalisation and/or relevance to the email receiver: for example, an email about celebrity gossip, lottery winnings, porn and so on. In the main, these spam emails are dealt with by antivirus software. But some get through, and most of these are deleted by the receiver. However, the criminal plans on these deletions. As I mentioned earlier, a click-rate of only 0.001% (and lower) is still very profitable to the criminal – say they send out 10m spam emails. At a 0.001% click-through rate, that’s over $75,000 of ransom returns!
The newer trend is to ‘personalize’ the email using data from social media sites. The criminal collects data from (say) Facebook or LinkedIn and searches for potential candidates. Or, they may buy or hire email lists of companies in a certain target industry and/or profession. Sure, the criminal is spending time and money, but they will get a higher click-through rate. Even on a much-reduced spam email volume, they might net $150,000 or more.
These infections depend upon spam emails getting through. A more reliable method for criminals is to get the recipient to download a work-relevant file containing a macro, which in turn delivers the ransomware. For example, an industry report on staff costs is sent to HR department staff. The report is downloaded, but within the download is a macro that may initiate the ransomware at a later date. As the criminals say, “job done”, and they wait to receive their $250,000 returns. Further variations are emails that appear to come from well-known organizations, such as (say) a delivery note from UPS, an alert from the IRS, an invoice from a known supplier and so on. Remember, there are no holds barred for audacious criminals!
Another mechanism, now becoming more common, is the trend of ‘exploit kits’. Typically, these are spurious notifications to update a piece of software from a reputable software supplier, such as JavaScript or Adobe Flash. Although seemingly reliable as a source, the download leads to the ransomware being installed.
Further variations are ‘iframes’ installed on web servers and the web pages on the server. The ‘iframe’ directs website visitors to the exploit server, which downloads the ransomware. Some variations are particularly pernicious. For example, an advert placed on a popular website directs visitors to the exploit kit. Even more pernicious, sometimes a page visitor doesn’t even have to click on the advert – just the act of visiting the page directs them to the exploit kit.
The reader is directed to the excellent report from Symantec, cited earlier, that provides much more detail on the above issues as well as case studies of corporates dealing with ransomware attacks.
Summary
In this first article, I’ve attempted to point out the threats you face.
As you can see the threat of ransomware to corporates and organizations is growing at a very fast rate. At the beginning of 2016, there were 37,000 attacks per month, whereas at the end of the same year there were 100,000 attacks per month.
Although the ransoms are relatively small, at about $750 per ransom to a maximum of $20,000 per ransom, they are minuscule compared with the costs of business disruption measured in $000,000’s. In the very worst case, ransomware can put a corporate out of business!
Finally, the impact of ransomware on economic wealth is huge. The FBI estimates that the cost was over $800m in 2016. However, this could be a gross under-estimate. Expert industry sources are estimating $75bn, and growing.
All of this is a deep worry for corporates. As I mentioned at the beginning of the article, the new reality for corporates now is “will the next attack succeed?”.
Contact Node International
Phone: 44 2033 208983
Email: neilg@nodeinternational.com
Node International profile
Node International is a wholesale insurance broker and Lloyd’s coverholder focused solely on digital, cyber and technology risk insurance solutions. It is a joint venture with Charles Taylor Broking Services Limited (CTBSL).
Based in offices within the Charles Taylor London offices, close to the Lloyd’s of London Building, Node International offers its services to retail brokers around the world through the 72 worldwide offices of Charles Taylor plc. In particular, it is focused on the 21 offices of Charles Taylor in the Americas, the largest market for cyber and digital risk.
One of Node International’s strengths is that its staff are graduate technologists and expert insurance professionals. This is an important competitive factor because digital risk-based corporates prefer to work with those who are familiar and expert with their risks and technologies.