Ransomware. Should You Be Worried?


Back on May 10th, Urban One reported it had lost between $500,000 and $800,000 in revenue due to a ransomware attack that affected the entire company. Urban One did not pay any ransom, but it paid the price in lost revenue and the expense (another $500,000) to fix the software attack. Can this happen to any radio station in America? How can you avoid being attacked? To help us understand the ransomware issue, we turned to attorney Alysa Austin from the firm Womble Bond Dickinson.

(By Alysa M.P. Austin) Ransomware attacks remain a prominent threat for organizations across a wide spectrum of industries. While reports indicate that ransomware incidents in general have declined since 2018, this decrease should offer organizations little comfort as cybersecurity experts note an increase in targeted attacks.

Ransomware is a form of malicious software (malware) that is designed to block access to and render unusable files, devices, or entire networks until a monetary ransom is paid, usually through untraceable, anonymous cryptocurrencies. Ransomware continues to be a lucrative enterprise for hackers, requiring minimal effort and risk while garnering high reward. For example, HealthITSecurity.com noted: “About 70 percent of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000, according to a recent report from Beazley Breach Response Services.” The Beazley report found that the highest ransom demand in 2018 was $8.5 million. Coveware’s Q1 Ransomware Marketplace report also shows that the average ransom paid by organizations doubled in the past two quarters from $6,733 in Q4 2018 to $12,762 in Q1 2019.

Ransomware has historically been distributed through phishing emails, malicious attachments or links, and compromised websites. Recently, however, hackers are more often targeting particular organizations through social engineering (an umbrella term encompassing phishing attacks) and Remote Desktop Protocol (RDP) access (when a person logs into a unified system from a different location). Through these targeted attacks, hackers gain access to critical systems and thereby increase the average ransom a victim is willing to pay. According to anti-ransomware company Coveware, upon gaining access to a company’s critical systems, hackers will typically target a victim’s backup systems and then “encrypt the primary file and application servers in order to completely cripple the target company.” Not surprisingly, the least prepared organizations tend to suffer the most.

Weighing The Costs
The stakes are high in ransomware attacks. Balancing the value of losing ransomed data or network systems against the costs of paying the ransom demand is no easy undertaking. Unfortunately, this is not much of a choice for organizations that either have not backed up their critical data or lost their backup data to the same malware — Coveware estimates that 75% of ransomware victims who paid their ransom in Q4 2018 had also lost access to their backups.

Companies that fall victim to a ransomware attack may experience devastating consequences. The financial and other costs associated with paying a ransom can be severe and often crippling:
— Costs and disruption associated with operational downtime for lost network access.
— Costs and disruption associated with network recovery.
— Costs associated with purchasing new equipment.
— Loss of reputation, goodwill, and trust among clients.
— Permanent loss of critical business or client data.
— Potential litigation arising from compromise of sensitive data.

Coveware estimates that a company’s downtime costs are typically 5-10 times greater than the ransom demanded. That said, actual downtime costs are highly dependent upon the victim’s geographic location, size, and industry. For instance, large-scale aluminum manufacturer Norsk Hydro estimates at least $40 million in lost revenue costs after a ransomware attack forced the company to halt production for one week.

And while insurance policies may alleviate some of the out-of-pocket costs associated with operational downtime, nothing can properly account for the severe disruption and potential reputation damage a company may experience after an attack. According to SC Magazine, a recent survey found that 74% of smaller businesses, those with 150-250 employees, would consider paying a ransom demand to recover their data, and 39% of that subgroup would “definitely pay a ransom of almost any price to prevent their data from being leaked or lost.”

Paying Ransom Demands Is Not The Solution
Simply paying a ransom demand is tempting. But it does not guarantee that a victim will regain access to their files. Although the Coveware research shows that victims opting to pay the ransom are more successful in retrieving their files than in prior years, the success rates were dependent upon the type of ransomware strain used. For instance, Ryuk ransomware, which is typically used in attacks targeting larger organizations, had a lower recovery rate of roughly 80 percent. Paying the ransom also often leads to overlooked consequences. Specifically, victims who pay ransom demands are more likely to suffer from repeat attacks.

Mitigating Future Ransomware Attacks
No entity is immune from attack. Businesses of all sizes and across industries, local governments, and individuals have all fallen victim to ransomware attacks. Mitigation must therefore be the primary focus of any organization’s response to ransomware threats.
To minimize the impact of ransomware attacks, an organization should:
— Use antivirus software and internal firewalls.
— Keep software updated and patch known technology vulnerabilities.
— Create disconnected backups of critical business data.
— Segment networks to quarantine infected devices and prevent the spread of malware.
— Limit administration access to avoid risk of compromise.
— Develop an incident response plan.
— Educate employees to identify suspicious emails, avoid opening links or attachments from unfamiliar sources, and report incidents immediately.

And if your business is attacked, the best course of action is to contact a legal professional to assess your exposure and determine next steps.

Alysa Austin is an associate with the Womble Bond Dickinson law firm in Washington, D.C. She has an LL.M. in Cyber and National Security Law and served as primary legal counsel to the Chief Judge of the Superior Court of the District of Columbia. She can be reached at Alysa.Austin@wbd-us.com

1 COMMENT

  1. Alysa, thank you for your article describing the nature of the ransomware threat to companies…, preventive measures, and recourse. Should the heavy hitters among ransomware and malware attackers, e.g., the Russian Military, choose to target American broadcasting cos. in the future, as they did the Ukraine infrastructure with what has been nicknamed NotPetya, I think the chief goal would be to cause “shock and awe” among the populace. In that cyberwarfare attack, ransoms were futile as the companies’ computers’ master boot records were irreversibly encrypted; destruction of the government entities and companies, while also getting rich from them, was the intended goal from the get-go, even as is not uncommonly the case in kidnap-ransom crimes.
