Sometimes, crime does pay. According to reports, CNA Financial, one of the biggest insurance companies in the U.S., paid hackers $40 million after a ransomware attack seized its data and prevented access to the company’s network. CNA contacted outside professionals and law enforcement to investigate. Behind closed doors, the company started negotiations with the hackers roughly a week after the hit. At first, the criminals demanded $60 million. But after some discussions, CNA agreed to pay $40 million, which may have been the biggest ransomware payment to date.

CNA isn’t the only organization that chose to fork over a huge sum to cybercriminals. It’s joined by companies from a range of business sectors, some of which are recognizable names in the business world: Colonial Pipeline, JBS Foods, and CWT Global, to name a few.

Fortinet Study Sheds Light on Alarming Ransomware Preparedness Trends 

Ransomware payments are increasing, as are the frequency and sophistication of attacks. It comes as no surprise that 85% of the respondents in a global ransomware survey conducted by Fortinet found ransomware more concerning than other types of cyber threats. Of the 455 cybersecurity professionals and business leaders surveyed, 94% were either moderately, very, or extremely concerned about the threat of a ransomware attack on their organization.

But although only 6% of the respondents were not very or not at all concerned by the possibility of an attack, in terms of preparedness, less than 50% had a strategy in place that included the following:

  • Network segmentation (48%)
  • Business continuity measures (41%)
  • A remediation plan (39%)
  • Testing of ransomware recovery methods (28%)
  • Red team/blue team exercises (13%)

In addition, 84% reported having an incident response plan: 

  • Employee cyber training (61%)
  • Risk assessment plan (60%)
  • Offline backups (58%)
  • Cybersecurity/ransomware insurance (57%)


What the Data Tells Us

The above numbers reveal a disturbing trend: Taking an aggressive stance to stop ransomware is less popular than preparing to recover from an attack. The Fortinet study further revealed that 49% of respondents would pay the ransom outright to resolve an attack. For another 25%, whether to pay or not would depend on how much the ransom costs. 

Many companies are paying up right away to get their systems back up and running as quickly as possible. The longer they spend negotiating, the more money they lose due to encrypted data and crippled processes.

The Effects of Organizations’ Defeatist Mentality

Presuming defeat at the get-go works to criminals’ advantage. Hackers know that organizations preparing for eventual attacks will also put financial mechanisms in place to enable them to pay ransoms. Dark web experts play a role, as well. Instead of imposing a random sum, hackers go to them for advice on what ransom amount to demand based on an organization’s capacity to pay. Others also have a plan for entities that are unwilling to pay. 

This, at least in part, contributes to the skyrocketing ransomware settlement amounts we see in the headlines.

Largest Ransomware Payout Ever Made

The attack mentioned at the outset, where CNA Financial handed over $40 million, appears to be the largest ransomware settlement ever made. While the sum, in and of itself, is worrisome, what it leads to is even more unsettling.

The Impact of Growing Ransomware Payments

Ransomware-as-a-Service (RaaS)

Cybercriminals no longer even need to code their own malware, and that’s due to the growing RaaS ecosystem. On the dark web, crime syndicates have developed a new business model where they sell pre-packaged ransomware. Some even provide customer support to assist other attackers with their schemes.

Delivery Without Human Interaction

Earlier malware needed human intervention to access networks, either by using stolen credentials or by fooling a user into downloading malicious software. Today, many ransomware attacks also use worms or malware that exploits a flaw or backdoor in software code. The result is ransomware that can be spread without the help of a human intermediary.

Pay or Publish

Fraudsters have upped the ante by threatening to publish or sell sensitive data taken from an organization on the dark web if the ransom is not paid—a tactic also known as double extortion (more on this later). This makes it harder for a company to “call the bluff” of cybercriminals. In other words, if the victim refuses to pay, hackers can publish some or all of their data. At that point, the organization can no longer emerge from the attack unscathed, even if they pay the ransom and regain control of their systems.

Attacks on Supply Chains

Why target secure infrastructures when it’s simpler to target a supplier with less secure systems? Supply chain attacks, where target systems are accessed using a vendor’s compromised credentials or infected systems, have proven effective for cyber criminals—such as in the case of the Kaseya VSA and Audi/Volkswagen attacks.

Double Extortion Is Rising, Cybersecurity Experts Warn

Cybercriminals’ use of data extortion is not new. Threat actors leverage a ransomware tactic known as big game hunting (BGH), in which they go after big, important companies and their most valuable data. If the target refuses to pay, the hackers threaten to share the victim’s data with a third party, typically a rival company.

As an example, a relatively new type of double extortion attack has emerged, and it’s levied by a ransomware operation by the name of 0mega. The group uses ransomware that adds the extension .0mega to the files it encrypts and creates the DECRYPT-FILES.txt file, which contains ransom notes. The notes describe the data that’s been stolen, and some also describe how 0mega plans to disclose the attack to the company’s business partners if it refuses to pay up.
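The two file-system indicators named above (the .0mega extension and the DECRYPT-FILES.txt note) are enough for a first triage sweep of a file share. The following is an added example, not code from the article or from any vendor; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".0mega"           # extension named in the article
RANSOM_NOTE = "decrypt-files.txt"  # DECRYPT-FILES.txt, compared case-insensitively


def scan_tree(root):
    """Return {relative_dir: {"encrypted": [names], "note": bool}} for dirs with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f.lower() == RANSOM_NOTE for f in files)
        if encrypted or note:
            hits[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "note": note}
    return hits


def earliest_change(root, hits):
    """Oldest mtime among flagged files: a rough lower bound on when encryption began."""
    times = [os.path.getmtime(os.path.join(root, d, f))
             for d, info in hits.items() for f in info["encrypted"]]
    return min(times) if times else None


def run_demo():
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "finance": ["q1.xlsx.0mega", "q2.xlsx.0mega", "DECRYPT-FILES.txt"],
            "hr": ["handbook.pdf"],                        # untouched directory
            os.path.join("eng", "src"): ["main.c.0mega"],  # encrypted, no note present
        }
        for rel, names in layout.items():
            os.makedirs(os.path.join(root, rel))
            for name in names:
                with open(os.path.join(root, rel, name), "w") as fh:
                    fh.write("constructed sample\n")
        hits = scan_tree(root)
        return hits, earliest_change(root, hits)


if __name__ == "__main__":
    found, first_seen = run_demo()
    for directory, info in sorted(found.items()):
        print(directory, len(info["encrypted"]), "encrypted, note:", info["note"])
    print("earliest flagged mtime:", first_seen)
```

Directories with encrypted files but no note, or the reverse, are worth listing separately because they can indicate an interrupted or still-running encryption pass.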

How Double Extortion Came into the Scene

To avoid paying ransoms, businesses started restoring from backups. As a result, threat actors had to up their game by releasing hacked data.

One of the earliest instances of double extortion went down like this: To communicate with their victims, the threat actors hosted an image containing sensitive information on the Tor network. The threat actors then sent out additional emails promising to delete any stolen material if the ransom was paid by a certain date.

However, this early attempt didn’t work. So to apply more pressure on victims, threat actors started releasing material far more frequently. Because of the way double extortion forced victims to pay up, attack success rates started to improve.

Preparing Your Organization for Ransomware Attacks

Ransomware is a persistent threat to the data and systems that companies rely on. As such, businesses should take the following simple precautions to protect against ransomware:

  • Fully patch all computer systems.
  • Use security tools or services that block access to known ransomware websites on the internet.
  • Use antivirus software at all times—and make sure it’s configured to automatically scan your emails and removable media for ransomware and other kinds of malware.
  • Configure operating systems—or use third-party software—to permit only approved programs to operate on all computers attached to your network.
  • Forbid or restrict the use of privately owned devices for remote access to the company’s networks, especially if the users haven’t implemented additional security precautions.
  • Avoid using personal websites and programs on work computers, such as social media, chat, and email.
  • Never open files from unfamiliar sources or click on links without first screening them for questionable, potentially dangerous content. For instance, you can check a file with an antivirus program or determine if a link actually points to the website it says it does.

Pros and Cons of Cyber Insurance

Cyber insurance can also help prepare your organization for ransomware attacks because it gives you the financial backing you need if you have to pay a ransom. In addition, cyber insurance can help pay for the cost of repairing systems, recovering data, and compensating customers impacted by the attack. 

However, there are also some drawbacks to consider. Here are some of the pros and cons of cyber insurance:

Pros of cyber insurance:

  • It covers many of the costs associated with a ransomware attack.
  • It gives your organization and its investors confidence that, if hit by an attack, you can limit the financial fallout.
  • Because it can make you feel more comfortable paying the ransom, you may not feel forced to negotiate for several days with the criminals. You can just pay up and get back to business.

Cons of cyber insurance:

  • Hackers may target companies that have cyber insurance policies, knowing they have the financial support they need to pay ransoms.
  • Cyber insurance doesn’t cover everything associated with a ransomware attack. For example, it doesn’t compensate you for the effects of reputational damage or loss of customer trust.

Proactively Protect Your Business From the Growing Threat of Ransomware

Experts predict that ransomware attackers will continue to use data exfiltration throughout 2022. By implementing the above steps to protect your business, you can make it much harder for criminals to penetrate your system. By closing or patching vulnerable points of access, you take away some of their strategic advantages. By being proactive in your defense strategy, you not only avoid huge ransomware payments but you can also prevent successful attacks altogether.
