Ransomware: It never pays to pay

The ransomware business is booming. In fact, a recent study by Sophos showed that the average global cost of addressing the impact of a ransomware attack, including business downtime, lost orders, operational costs, and more, was US$1.85 million. In Singapore, the average cost has more than quadrupled from US$832,423 in 2020 to US$3.46 million this year. 

Ransomware attacks have now gone from using highly customised software to a model that is the malevolent equivalent of software-as-a-service: ransomware-as-a-service (RaaS). These attacks are high-volume, low-ransom events in which the software developers sell their malicious packages (or take a cut of the ransom) to less sophisticated cybercriminals. Those cybercrooks then take a shotgun approach, attacking anything and anyone they can in the hope that a percentage will stick and be forced to pay a fee to have their precious data decrypted. That’s where they make their money.

REvil, also known as Sodinokibi, is the most active family of ransomware that Sophos is seeing at the moment. It allows criminal customers to lease the REvil ransomware from its developers and then add their own tools and resources for targeting and implementation. 

The recent Independence Day supply chain attack made global headlines due to its speed and scale, hitting companies of all sizes from all industries with REvil ransomware. Using an exploit of a remote management service, the REvil actors launched a malicious update package that targeted customers of managed service providers (MSPs) and enterprise users of the on-site version of the remote monitoring and management platform.

The state of the local ransomware economy 

Sophos’ recent report, The State of Ransomware 2021, surveyed 5000 respondents from 26 countries, including 200 people from Singapore.

The report found that while the number of Singapore organisations that experienced a ransomware attack fell from 40% of respondents surveyed in 2020 to 25% in 2021, more organisations suffered data encryption as the result of a significant attack (65% in 2021 compared to 62% in 2020). This reveals a worrying upward trend, especially where the impact of a ransomware attack is concerned.

In almost three-quarters of ransomware attacks globally, cybercriminals succeeded in encrypting the data, and in just under a quarter of cases, the attack was stopped before the data was encrypted. This indicates that anti-ransomware technology is having an effect and stopping the bad guys’ attacks before they can cause havoc. 

In Singapore, more than half (59%) of those who were not hit by ransomware last year expect to be hit in the future. Many rightfully believe that ransomware attacks are getting increasingly hard to stop due to their sophistication – much like Epsilon Red, a recently discovered ransomware that offloads most of its functionality to a series of PowerShell scripts. The ransomware itself is only used for file encryption, and it does not precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables are also encrypted, which can disable key running programs or the entire system. This adds to the cost of recovery, as the attacked machine will need to be completely rebuilt.

Ransomware – the costs of paying up

Alarmingly, the average cost of remediating a ransomware attack in Singapore has increased around fourfold in the last 12 months. Remediation costs in Singapore, including business downtime, lost orders, operational costs, and more, grew from an average of US$832,423 in 2020 to US$3.46 million in 2021.  

Despite organisations opting to pay the ransom and succumbing to threats, none of those who pay actually get all their data back. In fact, it would be naïve of organisations to think so. This is, in part, because using decryption keys to recover information can be complicated – as was observed with the DearCry and Black Kingdom ransomware attacks, which were launched with low-quality or hastily compiled code and techniques that made data recovery difficult, if not impossible.

If you pay a ransom, you’d expect your data to be decrypted and everything to be fine, right?

It doesn’t quite work that way. 

Even if an organisation pays up, they still need to do a lot of work to restore the data. So, what they’re dealing with is the cost of being held hostage, as well as the money required to get everything back to a state of normality.

Unfortunately, this is just the beginning of the rise of ransomware, and organisations need to be aware that when it comes to such threats, it never pays to pay. The fact is that the costs to recover data and get things up and running again are going to be substantial either way. Paying the ransom just means another big cost on top.

Dealing with ransomware 

The good thing about ransomware-as-a-service (RaaS) is that the scattergun approach means there are lots of copies of the software floating around. This means that, unlike with bespoke ransomware, the tools needed to defend against an attack are easily and quickly updated, so an organisation that has anti-ransomware software on its network will generally be protected.

The key here is to have the crucial elements in place. First, start with the assumption that an organisation will be hit and plan a cybersecurity strategy based on that assumption. Preparation is the best defence. Organisations should also invest in anti-ransomware technology – according to our survey, nearly half (49%) of those in Singapore believe cyberattacks are now too advanced for their IT team to handle on their own. This only emphasises the need for companies to have the right tools to be prepared for these malicious threats. Businesses should consider using a managed threat response service to help bridge the gap left by a lack of security personnel.

It’s also wise to protect your data wherever it’s held. Ransomware doesn’t discriminate, and attackers can hold data that’s in the public cloud as easily as data that’s on-premises. Organisations should have regular backups in place and store data offsite and offline so that if they are hit, they can recover as quickly as possible and get back to business as usual.

The ransomware landscape is changing. RaaS is the new normal, but with the right defences and a cybersecurity plan in place, companies can keep their business intact – and avoid the costs and disruption of a ransomware attack.