The Real Cost of Ransomware Attacks Revealed
The actual cost to business victims of ransomware has increased dramatically in 2019...
Ransomware attacks might have been out of the headlines for a while, but a recent uplift in occurrences, combined with some frightening real-world figures, shows just how expensive the clean-up can be.
Interestingly, the most recent hard figures on ransomware both come from the Nordics, with Oslo-based Norsk Hydro releasing a market warning that a ransomware attack in March 2019 would result in a cost of 450 million Norwegian crowns ($52 million) in the first quarter this year.
The company was hit by a new variant of ‘LockerGoga’ according to the Norwegian National Security Authority, but did not pay the requested ransom. LockerGoga is a particularly virulent strain of ransomware, so thorough in removing access to systems that victims can struggle to access the ransom note. After it locks out user passwords, it encrypts Windows boot files so that the system cannot be reset.
Another set of figures comes courtesy of Copenhagen-headquartered container shipping giant Maersk, which estimated that the fallout from being infected during the global NotPetya outbreak in 2017 ‘negatively impacted’ the company’s results by $200-300 million.
Lewis Woodcock, head of cybersecurity compliance at Moller-Maersk, recently shared his experience of being the victim of a major ransomware incident with a cybersecurity conference.
"I remember that morning – laptops were sporadically restarting and it didn't appear to be a cyber attack at the time but very quickly the true impact became apparent," said Lewis Woodcock, head of cybersecurity compliance at Moller-Maersk, the world's largest container shipping firm.
"The severity for me was really taken in when walking through the offices and seeing banks and banks of screens, all black. There was a moment of disbelief, initially, at the sheer ferocity and the speed and scale of the attack and the impact it had", Woodcock recently told delegates at CYBER UK 19 – a cybersecurity conference hosted by the UK's National Cyber Security Centre (NCSC).
Moller-Maersk was impacted particularly badly by the NotPetya outbreak, with almost 50,000 infected endpoints and thousands of applications and servers across 600 sites in 130 countries. Interestingly, although the firm has spent millions recovering from the ransomware attack, there is clearly work still to be done: an ImmuniWeb security test gives the overall Maersk domain a respectable ‘A’ grade, but several associated subdomains (including ‘investor.maersk.com’) get a less robust ‘F’ grade. The same ImmuniWeb website security test run on Norsk Hydro also yields a top-level domain grade of ‘A’, but highlights potentially problematic subdomains, with ‘prodmdm.hydro.com’ also gaining an ‘F’ overall.
Of course, there have been innumerable reports and breakdowns of ransomware costs from various vendors, and even the US government, but the very nature of ransomware means many companies simply pay up and keep quiet to avoid reputational damage - or indeed a comeback from the attackers. One recent survey, for example, found that 55 per cent of executives at small to midsize businesses would immediately pay the ransom in the hope of decrypting their data. That figure increases to 74 per cent among larger SMBs with 150 to 250 employees, according to the AppRiver Cyberthreat Index for Business Survey, with nearly 40 per cent stating that they would "definitely" pay the ransom, at almost any price, to prevent leakage or loss of data.
Unfortunately, simply paying up and keeping quiet has also become more expensive - as well as technically and reputationally risky - according to new research. In Q1 2019, the average cryptocurrency payout for ransomware attacks rose by 90 per cent, to $12,762 from the last quarter’s significantly lower average of $6,733. The stats from Coveware make grim reading, particularly as they total up an average cost to recover from a ransomware attack of $64,645. That said, the company claims that 98 per cent of the attacks ask for Bitcoin (BTC) as the “payment of choice” for ransom - a cryptocurrency that has appreciated in value by 51 per cent in the last three months, which might explain part of the ransom demand rise.
Although there certainly appears to be a significant volume of ongoing ransomware activity (victims include Verint, The Weather Channel and Arizona Beverages this week alone), there are also seemingly random attacks that have left researchers scratching their heads in confusion. A good example is a recent campaign to deploy Sodinokibi ransomware on unpatched Oracle WebLogic servers. Although the attackers used a zero-day (CVE-2019-2725) in WebLogic's WLS9_ASYNC and WLS-WSAT components, the attack has been limited in effectiveness by the fact that Oracle WebLogic is designed to be easy to back up and reinstall, as well as containing very little valuable data to boot. If only all ransomware attacks were as easy to mitigate!