Inside the Business of Ransomware

Cybercrime is an increasingly prevalent – and costly – concern for organizations around the world. Information loss represents 43 percent of an average $2.4 million cost for malware victims. Cybercrime damage is projected to reach $6 trillion annually by 2021.

It is especially common in heavily internet-connected countries like the United States, where companies increasingly focus on protecting themselves against constantly changing threats. One particular type of attack – ransomware – is effective against many targets, lucrative for the attackers, relatively easy to purchase, and becoming more and more common.

What is Ransomware?

Ransomware is defined by cybersecurity firm Carbon Black as “digital extortion that is executed through software that uses encryption techniques to keep files and entire systems locked from use by their original owner, [holding] them hostage until (theoretically) a payment [is] made.” Attacks are typically carried out through multiple methods – “drive-by downloads, email links, social network messages, and websites…[as well as] aggressive worms and targeted attacks” – that masquerade as real files to induce clicks.

Once a system is infected, victims must follow instructions to pay the ransom (often in cryptocurrencies like bitcoin, which preserve a measure of anonymity for the attackers). There is no guarantee, however, that victims who pay the ransom will regain control over the locked system.

Ransomware Attacks in Action

Two recent instances illustrate the indiscriminate nature and real consequences of ransomware attacks – one on Eurofins, a forensic analytics provider, and another on the more than half a dozen cities and public services across the United States that have fallen victim so far in 2019.

Eurofins is the UK’s largest provider of forensic analytics services, handling significant amounts of analysis used as evidence in court cases. A “highly sophisticated” ransomware attack on June 2, 2019 paralyzed the company’s IT systems – and with it, the “more than 50 percent of outsourced case work” the company handles.

This attack forced the National Police Chiefs’ Council to “[launch] an emergency response to the cyber-attack to prioritize the flow of forensic submissions so that the most serious crimes could continue to be investigated rapidly.” The contingency plan was unable to alleviate the ensuing backlog – investigations into the attack meant “other forensics firms doing case reviews on the behalf of defense teams have been told they cannot access files held by Eurofins,” forcing postponements and delays to court cases already in progress.

Bottlenecks were not the only concern. Worries about data theft or alterations to data persisted as a result of the attack, though Eurofins said in a statement that “the investigations conducted so far by our internal and external IT forensics experts have not found evidence of any unauthorized theft or transfer of confidential client data.” A BBC report indicates that Eurofins is “likely” to have paid the ransom sometime in mid-June, though no one was willing to comment officially on the report.

While a private company handling sensitive information like Eurofins is likely to place emphasis on cybersecurity – and devote resources towards maintenance and upkeep – other organizations are less predisposed to doing so.

City governments and public services, which may not have the budget for cutting-edge security systems, have been identified as “low-hanging fruit” by hackers. An attack on the City of Baltimore in May used a stolen NSA tool called EternalBlue to bring city business to a standstill. Rather than pay the $75,000 ransom, the city elected to follow the FBI’s recommendation and repair the damage instead. The result? The city “now expects to spend $10 million restoring its systems, and the disruption may have cost $8 million more.”

It is a scene playing out over and over again around the country. The City of Atlanta endured a crippling cyberattack in 2018 – a little over a year later, the Administrative Office of the Georgia Courts was victimized by a similar attack. More municipalities, faced with the prospect of paying a cheaper ransom than the cost to fix the damage, are choosing to pony up and publicly report the ensuing payouts, Jake Williams, founder of security provider Rendition Infosec, told Wired. “Most [targets of cyberattacks] have heard of ransomware but fail to realize they have an exposure,” said Williams.

Doing so may put a target on their backs as opportunistic hackers continue to target and monetize vulnerable sectors, billion-dollar businesses or otherwise.

What Can Be Done?

Sowing chaos is key to hackers’ approach – it buys “street cred,” cybersecurity expert Gregory Falco told the New York Times. Columnist Jamie Condliffe says that a “proactive” approach to prevention is the best (though often expensive) option for preventing ransomware attacks. This means “[spending] some money improving security, [having] contingency plans in place, and [taking] out cyber insurance,” explained Condliffe.

Ransomware is both lucrative and less difficult to execute than other kinds of cyberattacks. The result is an ongoing threat that organizations of all types should remain cognizant of. An emphasis on awareness and prevention seems to be the best course of action as attacks expand beyond traditional targets into new sectors.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.