While there is some debate
over whether the number of ransomware attacks is rising, there is no arguing
that the losses suffered by both public and private sector organizations have
increased. Hardening your organization’s security posture requires an
understanding not only of how ransomware works technically, but also how the
attacks psychologically compel victims to open emails, click on links or
download attachments from unknown senders, even if they’ve been trained not to.
The FBI reports that
ransomware attacks are becoming more targeted, sophisticated, and costly.
Moreover, as Forrester VP and principal analyst Dave Bartoletti told an
audience at this year’s CommVault GO conference, ransomware attacks are up 500
The resultant losses have increased significantly, with costs expected to hit
Attackers have been using
ransomware for decades, yet it remains an effective tool because it takes
minimal skill and effort compared to traditional computer crimes. Dark web
markets offer all the resources a criminal needs. Ransomware-as-a-Service (RaaS)
operators rent out the malware and its payment infrastructure to affiliates, who run
the intrusions themselves in exchange for a share of the ransom, or the affiliates
can pay a botnet operator to spread it for them. They can also easily find instructions for
accepting bitcoin payments and anonymously communicating with potential
The key factor that makes
ransomware so effective is the psychological nature of the attacks. If an
attacker sends an email carrying a malware-laden attachment to 10,000 people,
and just one person downloads and opens it, the attacker has succeeded. So attackers exploit
users’ generosity, desire to save or earn money, or any number of other
emotional triggers to increase the likelihood that they’ll convince that one
user to fall for their phishing emails.
One particularly insidious
example is the CryptoMix ransomware, which promises to send the ransom money to
charities such as the “International Children Charity Organisation”. Of course,
no money actually goes to any children.
If an organization has not
implemented a robust system of backups, it has no way to recover when a ransomware
attack cripples its IT systems and locks users out of important files. Backups
that are reachable from the compromised network are routinely encrypted or deleted
along with the production data, so the copies that count are the offline or
immutable ones, and only if a restore from them has actually been tested.
Once the malware spreads, it’s not uncommon for the victim to
have no idea whom to call for help. This helpless feeling leads many victims to
conclude that the only way to recover their files is by paying money to the
anonymous criminal on the other end of the Internet.
Unless the strain is a well-known
one for which a working decryptor is already available, the best that an expert can do
is help the victim rebuild the system from scratch on clean media and load the backups
(if there are even backups available). The only other options are to pay the
ransom or consider all of the data lost.
Many victims are too
embarrassed by their mistake to seek help. They don’t want to be seen as
technically inept, so they are left reliant on the criminal as their only
source of guidance.
Attackers usually make it
sound like they are doing the victim a favor by helping to recover the lost
data. They might even be willing to negotiate with the victim, bizarrely making
it seem like the victim owes them a favor. The criminal then frequently has to
walk the victim through buying and sending the bitcoin payment.
At the other end of the
spectrum are the enterprises, hospitals and government agencies that fall
victim to ransomware attacks. For these entities, the question of whether or
not to pay the ransom is a business decision. In some cases, the organization has
a mandate not to pay criminals. No matter what the cost, on principle alone,
they will deal with the consequences of non-payment.
The FBI does not advocate
paying ransom, in part because payment does not guarantee that the person or company
will regain access to their data. In some cases, victims who paid a ransom were
never provided with decryption keys. In others, bugs in the encryption
implementation of certain ransomware variants prevented victims from recovering
some or all of their data, even with a valid decryption key. The FBI also warns
that paying ransom emboldens criminals to target other organizations and
advertises the business as an alluring and lucrative enterprise for other bad actors.
Many organizations analyze
the costs of potential downtime and data recovery (assuming the data can be
recovered) before deciding whether to pay. As long as the ransom does not
exceed the expected cost of otherwise addressing the attack, the company weighs
it against the perceived likelihood that paying will actually produce working
keys and a complete recovery.
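One way to make the cost comparison described above explicit, as an added illustration rather than anything from the original article: the expected cost of paying has to be discounted by the chance that the keys never arrive or fail to decrypt everything, because in that case the organization has paid, burned the waiting days, and still lands on the no-payment path. Every figure, day count and probability below is a constructed assumption; in a real incident the response team has to estimate them.

```python
"""Expected-cost comparison of paying versus not paying a ransom.

Added illustration for this article, not code from the original piece. Every
figure below is a constructed example; in a real incident the probabilities
and day counts are estimates the response team has to make for itself.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RansomScenario:
    ransom_usd: float                 # amount demanded
    downtime_cost_per_day: float      # lost revenue and productivity per outage day
    restore_days_from_backup: float   # rebuild hosts and restore, if backups survived
    rebuild_days_without_data: float  # rebuild hosts and recreate data from nothing
    decrypt_days: float               # days spent buying bitcoin, waiting, decrypting
    p_keys_delivered: float           # criminal actually sends keys after payment
    p_decrypt_complete: float         # keys recover everything (buggy crypto may not)
    backups_usable: bool              # offline/immutable copies escaped the attack


def expected_cost_if_not_paid(s: RansomScenario) -> float:
    """Without payment the cost is pure downtime, so the length of the outage
    hinges entirely on whether usable backups exist."""
    days = s.restore_days_from_backup if s.backups_usable else s.rebuild_days_without_data
    return days * s.downtime_cost_per_day


def expected_cost_if_paid(s: RansomScenario) -> float:
    """The ransom is sunk the moment it is sent. With probability p_success the
    decryptor works and the outage ends after decrypt_days; otherwise the
    organization has burned those days and still has to take the no-payment
    path, which is the FBI's 'no guarantee' caveat expressed as a number."""
    p_success = s.p_keys_delivered * s.p_decrypt_complete
    waiting_cost = s.decrypt_days * s.downtime_cost_per_day
    failure_cost = waiting_cost + expected_cost_if_not_paid(s)
    return s.ransom_usd + p_success * waiting_cost + (1.0 - p_success) * failure_cost


def recommend(s: RansomScenario) -> str:
    """Pure expected-cost verdict; an organizational no-payment mandate overrides it."""
    return "do not pay" if expected_cost_if_not_paid(s) <= expected_cost_if_paid(s) else "pay"


# Constructed scenario (assumption): a mid-size organization hit by a strain
# whose decryptor is known to be unreliable.
BASE = RansomScenario(
    ransom_usd=500_000,
    downtime_cost_per_day=100_000,
    restore_days_from_backup=3,
    rebuild_days_without_data=30,
    decrypt_days=2,
    p_keys_delivered=0.7,
    p_decrypt_complete=0.85,
    backups_usable=True,
)
# Same incident, but the backups were reachable from the network and got encrypted too.
NO_BACKUPS = replace(BASE, backups_usable=False)


if __name__ == "__main__":
    for label, s in (("backups usable", BASE), ("backups lost", NO_BACKUPS)):
        print(f"{label}: not paid ${expected_cost_if_not_paid(s):,.0f}, "
              f"paid ${expected_cost_if_paid(s):,.0f} -> {recommend(s)}")
```

With these constructed numbers the same strain and the same ransom flip from "do not pay" to "pay" purely on whether offline backups survived, which is the practical argument for treating tested restores as the control that settles this decision before an incident rather than during one.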
As you can see, the technical
issues of ransomware are the least of the problem. While it is not necessarily
simple to mitigate ransomware, the process is known. The decision-making
process is, however, a very emotional one.
professionals, it is our nature to approach the situation as a technical one.
However, we need to be aware of how people rationalize the business decisions
they make regarding which direction to take.