
Ransomware: The persistent uninvited guest

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Robin Ann Nowicki and Thijs Butterman | November 30, 2020

With an uptick in ransomware attacks, organizations of all sizes and across a wide range of industries are vulnerable.

Introduction

The COVID-19 pandemic has created a “perfect storm” for cybercriminals looking to profit from ransomware attacks. At least initially, there was mass confusion regarding the pandemic, as most IT departments were overwhelmed and ill-prepared for the rapid shift to working remotely, and lax online habits by employees created perfect conditions for ransomware exploitation. Since the start of COVID-19, we have seen a sharp increase in ransomware attacks, both in terms of frequency and in severity. According to a VMware report, ransomware attacks are up by ninety percent.1 This of course doesn’t even take into account the many ransomware attacks that go unreported. Even more alarming is the difficulty in preventing such attacks. As some businesses have begun to open and certain employees have returned to the office, there is concern that the frequency of these attacks will only increase.2

Given the uptick in ransomware attacks and the recent OFAC advisory3, it is timely to revisit the evolution of ransomware and discuss the current options available to attack victims, which can be organizations of all sizes across a wide range of industries.

What is ransomware?

Ransomware is just what its name contemplates: a hostage-type situation. It is malicious software, or malware, that accesses files or systems in order to block the user from those files or systems until a ransom is paid in exchange for a decryption key.4 The malware can be spread to a computer or network through attachments or links in “phishing” emails; “drive-by downloads”, which are unintentional website downloads; social media, which can harbor malicious applications, advertisements, plug-ins and links; or peripheral devices inserted into a computer.5 These modes of infection are also known as “social engineering”, defined as using technology to trick another into giving information or taking an action. The spread of such an attack is usually unknowingly caused by an internal user. According to Willis Towers Watson’s proprietary claims data6, human error is actually the third most common root cause of a ransomware attack, trailing security breaches at a vendor or third party and failed IT security measures. The data corroborates the importance of employee training, including but not limited to detecting social engineering schemes, and of maintaining cyber security infrastructure, and also highlights the increasing importance of supply chain security.

Chart showing the root causes of ransomware attacks, including the most prevalent:

  • security breaches at a vendor/third-party (49%)
  • failed IT security measures (37%)
  • human error (7%)

History

The first known ransomware attack, now known as the AIDS Trojan or PC Cyborg virus, occurred in the healthcare industry in 1989.7 It was distributed by Dr. Joseph L. Popp, an evolutionary biologist, when he mailed 20,000 infected floppy discs to subscribers of PC World magazine and to some attendees of the World Health Organization’s AIDS Conference.8 The discs contained the malware and a “survey”. Once the computer had been rebooted about 90 times, the virus would hide in the computer’s directories and encrypt its files.9 Users were instructed to send $189 to PC Cyborg Corporation in Panama for a “lease” of the software, but the user was virtually locked out of their computer because every time they rebooted, the message would appear and not let them use any normal functions.10 While the AIDS Trojan attack did not garner a hefty payout and used an easily decoded encryption, it did introduce the concept of ransomware.11

Since the AIDS Trojan attack, ransomware attacks have become more prevalent, sophisticated and costly.12 In May 2017, attackers launched what is now known as the WannaCry ransomware attack.13 It was a worldwide attack that affected numerous high-profile systems by exploiting a vulnerability in the Microsoft Windows operating system. While a security patch had been released two months before the attack, most organizations did not regularly update their operating systems and had not applied it in time. The attackers demanded $300 in Bitcoin and told the victims their files would be permanently deleted if the payment was not received in three days. While that demand seems low and the reported total payments to the cybercriminals only amounted to approximately $386,905, it was the interruption in the flow of business that made this attack devastating.14 In fact, because the code used in the attack was faulty, there was no way to associate any victim’s payment with their data, and it is therefore believed that no one received their data back.15 It is estimated that WannaCry cost those infected anywhere from hundreds of millions to $4 billion combined, globally.16 WannaCry taught us an important defensive tactic against ransomware: keep operating systems up to date by patching promptly and regularly.

Weeks after WannaCry, the most destructive attack to date was released: NotPetya. It is believed that this was a state-sponsored Russian cyberattack perpetrated under the guise of ransomware. This attack was not perpetrated to make money; its goal was simply to destroy, and destroy it did! It irreversibly encrypted computers, and even if a ransom payment was made, there was no key to regain access.17 This was a first-of-its-kind act of cyberwar. It spread like wildfire around the world, taking down networks and causing an estimated $10 billion in damages.18 Once again, it is believed that if operating systems had been up to date, this ransomware would not have spread as widely as it did.

The two most common types of ransomware are “locker” and “crypto.” Locker ransomware locks a victim out of their device and demands a ransom payment to unlock it. This malware is inadvertently downloaded by unsuspecting victims, often from pirated or adult material websites, and garners a couple of hundred dollars for cybercriminals. This strain of ransomware has lately taken a back seat to crypto ransomware, which encrypts files so the user cannot access them. Bad actors originally targeted home users with crypto ransomware and would seek minimal payments. More recently, however, the evolution of cryptocurrency has created a “wild west” for cybercriminals utilizing this type of ransomware, because the transactions and culprits are harder to trace. Cybercriminals now have the anonymity and confidence to up the ante and seek bigger paydays from organizations, often into the millions.

Evolution of ransomware

Recently, crypto ransomware has evolved into a “double extortion scheme”, where cybercriminals will not only encrypt files, but will copy files, often containing personally identifiable information (“PII”) or sensitive business data. This provides the bad actors with added leverage when seeking payments, as they can threaten to expose or sell this information on the black market. Recently, when the Clark County School District in Las Vegas, Nevada was hit with a ransomware attack and the ransom was not paid, stolen student and employee PII was leaked by the cybercriminals.19

New ransomware variants arise regularly. A current variant is the Sodinokibi ransomware, which hit Travelex, a London-based foreign currency exchange, with the most expensive publicly known such attack on December 31, 2019. In this double extortion scheme, attackers sought $3 million in bitcoin to decrypt the files and not publicly disclose any information removed in the attack.20 In the wake of this attack, Travelex was forced to shut down online operations for several weeks, costing it millions in lost business. It was reported, but never confirmed, that Travelex paid $2.3 million in bitcoin to the cybercriminals, which likely contributed to its filing for bankruptcy.21

As ransomware attacks have evolved and increased in frequency, so have the demands. Older attacks were “dominated by opportunistic spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000-person enterprise.”22 But ransom demands and payments have climbed steadily since 2018.23 According to Willis Towers Watson’s proprietary claims data, the average initial ransom demand was around $3.8 million and $613,000 was the average ransom payment. The graphic below shows the steady rise in ransomware claim notifications to Willis Towers Watson in the last four years with a projection to rise in 2020.

Graph showing the increase in ransomware claim notifications over the last four years, from fewer than 10 in 2016 to over 60 projected in 2020.

Willis Towers Watson claims data further illustrates categories of costs associated with a ransomware attack. The most significant costs associated with a ransomware attack are the business interruption costs and ransom payment.

Graphic showing the costs associated with a ransomware attack, with business interruption/loss of profits as the single largest cost at 29%, followed by payment of ransom at 28%.

Options to mitigate

Travelex’s fate highlights that companies need to respond rapidly and robustly in order to get their systems up and running and get their information back. First and foremost, it is imperative to have an incident response plan in place, with different options depending on the strain of ransomware and the potential impact to the insured’s business. A business continuity plan should include regular system back-ups, regular anti-virus and anti-malware scans, and an understanding of how systems could be restored after an attack. Further, training should be mandatory for all employees to ensure they are fully educated on common phishing schemes.
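A back-up is only a recovery option if it is recent, intact and actually restorable, which is the “understanding of how systems could be restored” the paragraph above calls for. The following script is an added example, not code from the article or from Willis Towers Watson, showing how a restore drill can be automated: it verifies a back-up set against a manifest of SHA-256 digests, flags a stale or tampered back-up, and performs a test restore to a scratch directory. The manifest layout, the 24-hour freshness policy and the sample files are all assumptions constructed for the example.

```python
"""Back-up integrity and restore-drill check (added example; not part of the
original article). Assumes a back-up set is a directory of files plus a
manifest.json mapping relative path -> SHA-256 digest and recording when the
back-up was taken. All inputs are constructed inline so this runs offline."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(days=1)   # assumed policy: back-ups older than 24h are stale


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup_set(root, files, taken_at):
    """Create a constructed back-up set: data files plus manifest.json."""
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
        manifest["files"][rel] = sha256_of(p)
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(root, now=None):
    """Return (ok, findings). Checks age, presence and digest of every file.
    A digest mismatch means the back-up copy itself was altered (for example
    overwritten or encrypted) after the manifest was written."""
    now = now or datetime.now(timezone.utc)
    findings = []
    with open(os.path.join(root, "manifest.json")) as f:
        manifest = json.load(f)
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > MAX_BACKUP_AGE:
        findings.append(f"backup is stale: taken {taken_at.isoformat()}")
    for rel, expected in manifest["files"].items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            findings.append(f"digest mismatch: {rel}")
    return (not findings), findings


def restore_drill(root, dest):
    """Restore every manifest file into dest and re-verify its digest there.
    Returns the number of files restored and verified."""
    with open(os.path.join(root, "manifest.json")) as f:
        manifest = json.load(f)
    restored = 0
    for rel, expected in manifest["files"].items():
        dst = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), dst)
        if sha256_of(dst) != expected:
            raise RuntimeError(f"restore of {rel} failed verification")
        restored += 1
    return restored


def demo():
    """Check a fresh, intact back-up and a stale one whose contents were
    altered after the manifest was written; returns both results."""
    now = datetime(2020, 11, 30, tzinfo=timezone.utc)   # constructed "current" time
    sample = {"db/customers.csv": b"id,name\n1,Alice\n", "docs/policy.txt": b"v1"}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        write_backup_set(good, sample, now - timedelta(hours=6))
        results["good"] = verify_backup(good, now)
        results["restored"] = restore_drill(good, os.path.join(tmp, "restore"))

        bad = os.path.join(tmp, "bad")
        write_backup_set(bad, sample, now - timedelta(days=3))
        # simulate the back-up copy being overwritten after it was taken
        with open(os.path.join(bad, "docs/policy.txt"), "wb") as f:
            f.write(b"\x00" * 16)
        results["bad"] = verify_backup(bad, now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In practice the manifest should be stored separately from the back-up data (ideally on write-once or offline media), so that ransomware which reaches the back-up share cannot rewrite both the files and the digests that vouch for them; the drill should also be run on a schedule, since a back-up that has never been restored is an untested assumption about recovery time.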

To pay or not to pay considerations

Should an organization elect not to pay a ransomware demand, it is important to understand that relying on system back-ups to recover files and restart operations will only work if the business can sustain the amount of downtime necessary to do so. Part of a plan not to pay a ransom should involve hiring an expert who may be able to “beat” the ransomware by utilizing known decryptors. You can likely lean on your cyber insurance broker or carrier to recommend the right vendor.

The FBI has repeatedly advised that ransomware demands should not be paid, as there is no guarantee that data will be returned and paying encourages cybercriminals to continue infecting others.24 The FBI does, however, understand that each organization must complete its own cost-benefit analysis on whether or not to pay a ransomware demand. One downfall of not paying the ransom in a double extortion scheme is that sensitive information may be leaked and a company’s reputation could be adversely impacted, as was the case with the Clark County School District in Las Vegas, Nevada. Also, if data is stolen and/or published, there are regulatory considerations regarding reporting to both impacted customers and regulators.

Although the thought of paying a ransom does not sit well with most, sometimes it is the most cost-effective way for a company to regain control of its data and systems and get back to business. This approach requires organizations to have faith that the cybercriminals will give back information once the ransomware demand is met. If the company has invested in cyber insurance, filing a claim will get the ball rolling and provide the insured with access to vendors to assist in the pay-or-not-to-pay cost-benefit analysis, to determine the cause and scope of the attack, and to actually negotiate the payment if that is the decision made.

Organizations further need to take into account potential sanctions that could stem from ransomware payments made to sanctioned people, organizations or jurisdictions. On October 1, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory warning of possible sanctions for facilitating ransom payments.25 OFAC is concerned with payments being made to sanctioned persons or jurisdictions, which could further activities adverse to the national security and foreign policy of the United States. OFAC will consider a company’s actions, such as notifying law enforcement and reporting the attack, as mitigating factors should there be a sanctionable offense.

Ransomware is here to stay, COVID-19 or not

While ransomware has been around for about 40 years, it seems to have exploded in popularity among cybercriminals during this global pandemic, with no sign of it slowing down. As such, organizations should be as proactive as possible to protect themselves from this exposure. Steps taken should include ensuring the necessary technological safeguards are in place, properly training employees, having a well-rehearsed incident response plan and making sure to have a cyber insurance policy specifically tailored to their business. With this approach, organizations will be able to most efficiently seek out the best advice on how to respond to a ransomware incident, how to protect their network and sensitive data and, most importantly, how to mitigate business and reputational loss.

Footnotes

1 Sheng, Ellen. “Cybercrime Ramps Up Amid Coronavirus Chaos, Costing Companies Billions.” CNBC, July 29, 2020, https://www.cnbc.com/2020/07/29/cybercrime-ramps-up-amid-coronavirus-chaos-costing-companies-billions.html

2 Jareth. “Spike In Ransomware Predicted As Remote Workers Return To The Office.” Emsisoft Blog, June 4, 2020, https://blog.emsisoft.com/en/36275/spike-in-ransomware-predicted-as-remote-workers-return-to-office/

3 https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

4 DeGroot, Juliana. “A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time.” Digitalguardian, October 24, 2019, https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

5 See https://www.kaspersky.com/resource-center/threats/ransomware-examples and https://www.darkreading.com/vulnerabilities---threats/social-media-platforms-double-as-major-malware-distribution-centers/d/d-id/1333973

6 The claims data includes all analyzed ransomware events notified to Willis Towers Watson North America and Willis Towers Watson GB from 2007 to October 2020.

7 DeGroot, Juliana. “A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time.” Digitalguardian, October 24, 2019, https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

8 Lessing, Marlese. “Case Study: AIDS Trojan Ransomware.” SDXCentral, June 3, 2020, https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/

9 See https://www.knowbe4.com/aids-trojan

10 Lessing, Marlese. “Case Study: AIDS Trojan Ransomware.” SDXCentral, June 3, 2020, https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/

11 Lessing, Marlese. “Case Study: AIDS Trojan Ransomware.” SDXCentral, June 3, 2020, https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/

12 DeGroot, Juliana. “A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time.” Digitalguardian, October 24, 2019, https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

13 Fruhlinger, Josh. “What Is WannaCry Ransomware, How Does It Infect, And Who Was Responsible?” CSO, August 30, 2018, https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html

14 “How Much Money Did WannaCry Make?” WebTitan Blog, December 2, 2019, https://www.webtitan.com/blog/how-much-money-did-wannacry-make/

15 See https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry

16 “How Much Money Did WannaCry Make?” WebTitan Blog, December 2, 2019, https://www.webtitan.com/blog/how-much-money-did-wannacry-make/

17 Greenberg, Andy. “The Untold Story Of NotPetya, The Most Devastating CyberAttack In History.” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

18 Greenberg, Andy. “The Untold Story Of NotPetya, The Most Devastating CyberAttack In History.” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

19 Hobbs, Tawnell D. “Hacker Releases Information On Las Vegas-Area Students After Officials Don’t Pay Ransom.” The Wall Street Journal, September 28, 2020, https://www.wsj.com/articles/hacker-releases-information-on-las-vegas-area-students-after-officials-dont-pay-ransom-11601297930

20 Olenick, Doug. “Travelex Paid $2.3 Million Ransom, Report.” SC Magazine, April 10, 2020, https://www.scmagazine.com/home/security-news/ransomware/travelex-paid-2-3-million-ransom-report/

21 Jaffee, Larry. “Travelex Driven Into Financial Straits By Ransomware Attack.” SC Magazine, August 10, 2020, https://www.scmagazine.com/home/security-news/travelex-driven-into-financial-straits-by-ransomware-attack/

22 “Ransomware Attacks Fracture Between Enterprise And Ransomware-as-a-service In Q2 As Demands Increase.” Coveware Blog, August 3, 2020, https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report

23 “Ransomware Attacks Fracture Between Enterprise And Ransomware-as-a-service In Q2 As Demands Increase.” Coveware Blog, August 3, 2020, https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report

24 Federal Bureau of Investigation. Scams and Safety, Ransomware. https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware#:~:text=Tips%20for%20Avoiding%20Ransomware&text=Keep%20operating%20systems%2C%20software%2C%20and,Secure%20your%20backups.

25 U.S. Department of the Treasury. October 1, 2020, Ransomware Advisory, https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001#:~:text=The%20U.S.%20Department%20of%20the,risks%20for%20facilitating%20ransomware%20payments.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Authors

NA Cyber Product Coverage Analyst

Senior Risk Insight Analyst, FINEX GB