At an average $780K per demand, who says that Crime doesn’t pay?
In our last insights piece, we focused on the Colonial Pipeline ransomware attack, which forced the shutdown of a pipeline system stretching over 5,500 miles (8,900 km) and supplying fuel to the US East Coast.
Last week Joseph Blount, Colonial's CEO, admitted that the company had paid nearly $4.5m in Bitcoin to the attackers to restore operations. Even after the 'settlement' and the release of the decryption keys to unlock Colonial's systems, it took a further six days to restore service.
$4.5m for one attack is just the tip of the iceberg. Blockchain analytics firm Elliptic estimates that Darkside, the group responsible for the Colonial attack, has collected at least $90m in ransom payments from a further 47 victims since August 2020, roughly $300k per day.
According to insurance broker Aon, the number of ransomware incidents reported globally rose by 716% in 2020, with the average demand or payment standing at $780K. Aon predicts that the global cost of ransomware attacks to organisations will reach $20bn in 2021.
The big question being asked in board rooms around the globe is: “if we are targeted, do we pay?”
Law-enforcement agencies are quite clear – NO. In response to the Colonial Pipeline news, the UK Home Secretary, Priti Patel, re-affirmed the UK Government's position that ransom demands should not be met.
“Paying a ransom in response to ransomware does not guarantee a successful outcome,” said Patel. “It will not protect networks from future attacks, nor will it prevent the possibility of future data leaks. In fact, paying a ransom is likely to encourage criminality to continue to use this approach.”
The conundrum is that paying a ransom is not in itself illegal in most jurisdictions (although paying a group that is subject to sanctions can put the payer in breach of sanctions law), and a payment can usually be made quietly.
Attackers are increasingly targeting organisations for whom any downtime is critical, not just financially but, in some cases, because lives are at stake.
NTT's Global Threat Intelligence Report 2021, released earlier this month, shows attackers exploiting the disruption of the past year by targeting essential industries and the common weaknesses introduced by the shift to remote working. A separate report from Sophos highlighted attackers' widespread use of Remote Desktop Protocol (RDP): about 30% of attacks began with RDP, and RDP featured in 69% of the attackers' subsequent activity inside the network.
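The RDP figures above are where a detection engineer can act. As an added example (not from NTT, Sophos or the original article), the Python below runs three simple checks over a handful of constructed Windows Security log records: successful RDP logons (Event ID 4624, LogonType 10) from outside RFC 1918 address space, a run of failed logons (4625) followed by a success from the same source, and a single account reaching several hosts over RDP from one internal address within a short window. The pipe-delimited record layout, the thresholds, and the hostnames and IP addresses are assumptions made for this example.

```python
"""Flag risky RDP activity in Windows Security log records (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed records: time | EventID | LogonType | account | source IP | target host
# 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
# The layout below is an assumption for this example, not a real export format.
SAMPLE_LOG = """\
2021-05-14T02:00:05|4625|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:00:09|4625|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:00:13|4625|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:00:17|4625|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:00:21|4625|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:00:26|4624|10|administrator|203.0.113.45|FILESRV01
2021-05-14T02:15:00|4624|10|administrator|10.0.0.15|DC01
2021-05-14T02:18:30|4624|10|administrator|10.0.0.15|BACKUP01
2021-05-14T02:22:10|4624|10|administrator|10.0.0.15|HIS-DB01
2021-05-14T08:30:00|4624|10|jsmith|10.0.0.77|FILESRV01
2021-05-14T09:00:00|4624|2|jsmith|-|WKSTN22
"""

# RFC 1918 ranges, checked explicitly: ipaddress.is_private() would also treat
# documentation ranges such as 203.0.113.0/24 as private, which is not what we want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse the pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, src, host = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "user": user.lower(),
            "src_ip": None if src == "-" else ipaddress.ip_address(src),
            "host": host,
        })
    return sorted(events, key=lambda e: e["time"])


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def rdp_events(events):
    return [e for e in events if e["logon_type"] == 10]


def external_rdp_logons(events):
    """Successful RDP logons from outside RFC 1918 space: RDP is reachable from the internet."""
    return [(e["time"], e["user"], str(e["src_ip"]), e["host"])
            for e in rdp_events(events)
            if e["event_id"] == 4624 and not is_internal(e["src_ip"])]


def password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """>= threshold failed RDP logons from one source to one host, then a success within `window`."""
    failures = defaultdict(list)  # (source IP, host) -> times of 4625 events
    hits = []
    for e in rdp_events(events):
        key = (str(e["src_ip"]), e["host"])
        if e["event_id"] == 4625:
            failures[key].append(e["time"])
        elif e["event_id"] == 4624:
            recent = [t for t in failures[key] if e["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((key[0], e["user"], key[1], len(recent), e["time"]))
            failures[key].clear()
    return hits


def rdp_lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    """One account reaching >= min_hosts distinct hosts over RDP from one internal address within `window`."""
    by_actor = defaultdict(list)  # (user, source IP) -> [(time, host)], already time-ordered
    for e in rdp_events(events):
        if e["event_id"] == 4624 and is_internal(e["src_ip"]):
            by_actor[(e["user"], str(e["src_ip"]))].append((e["time"], e["host"]))
    hits = []
    for (user, src), visits in by_actor.items():
        for i, (start, _) in enumerate(visits):  # slide the window over each start point
            hosts = {h for t, h in visits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, src, sorted(hosts)))
                break
    return hits


def triage(text):
    events = parse_events(text)
    return {
        "external_rdp": external_rdp_logons(events),
        "password_guessing": password_guessing(events),
        "lateral_movement": rdp_lateral_movement(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On the constructed records this reports one internet-facing RDP logon, one guessing run of five failures followed by a success, and one account fanning out to three servers over RDP within seven minutes. In a real environment the same checks would run over events collected from every host, with the thresholds tuned to local noise (jump hosts and administrators' own workstations will legitimately reach many servers over RDP).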
Healthcare, manufacturing, and finance industries all saw an increase in attacks (200%, 300%, and 53% respectively), with these top three sectors accounting for a combined total of 62% of all attacks in 2020, up 11% from 2019.
The report shows that healthcare has borne the brunt of the attacks with its shift to telehealth and remote care, with 97% of all hostile activity targeted at the industry being web-application or application-specific attacks.
That statistic will bring no comfort to Paul Reid, chief executive of Ireland's Health Service Executive (HSE), who estimated that this month's ransomware attack on the Irish health service's systems would cost "tens of millions" of euros to recover from. The attack has affected 2,000 systems used by the health service and more than 4,500 servers.
The effects have been devastating. Routine non-emergency operations have been cancelled in many hospitals. Administrative staff have resorted to pen and paper to keep patient records up to date, leaving many medical staff unable to access previous scans and notes. Observers have blamed a lack of investment in the health service's IT infrastructure as the underlying issue, with the use of outdated Windows systems highlighted as the attackers' possible way in.
In an unexpected twist, the attackers, the Conti ransomware group, who had originally demanded $20m to restore services, handed over the decryption keys for free. The Irish health service is not out of the woods yet, however: the group switched to threatening to publish over 700GB of private medical record data if the Irish Government failed to 'resolve the situation' amicably.
This could land the HSE with another major cost. If the threat is carried out and medical records are made public, the health service could face a fine of up to €1m (£860,700) for inadequate data protection, the cap that Ireland's Data Protection Act 2018 places on administrative fines against public bodies under the General Data Protection Regulation (GDPR).
In response to the revised threat, Dublin's High Court issued an injunction against Conti to stop data belonging to Ireland's health service from being published or shared.
Throw in individual breach compensation claims and reputational damage, and it becomes the perfect case study for the need to take cyber security seriously.
To avoid becoming the next headline, organisations cannot adopt a do-nothing strategy in the belief that 'it won't happen to us'. That truly is criminal.
Good basic IT housekeeping is essential. Backing up critical data and systems (keeping at least one copy offline or otherwise out of reach of an attacker who has the run of the network, and testing that restores actually work), patching regularly, not exposing RDP directly to the internet, training employees, understanding the threats you face, monitoring network traffic and planning for an attack should all be standard practice.
The cost of a proactive approach to ransomware is small compared with the cost of suffering an attack.
If you have any concerns about the security of your organisation’s IT systems, then please do get in touch for a confidential chat.