Ransomware attacks, like the one that cost Hanesbrands Inc. about $100 million in second-quarter sales, are increasing in frequency among corporations facing uncertain prospects of a complete restoration and recovery.
Ransomware is a type of malicious software employed by hackers that can block access to a computer system until a ransom is paid.
The Winston-Salem-based apparel manufacturer reported in a May 31 regulatory filing that it began experiencing the ransomware attack on May 24.
Hanesbrands disclosed Aug. 11 in its second-quarter earnings report that its global supply chain network and ability to fulfill customer orders were affected for about three weeks.
“At this time, we believe the incident has been contained,” the manufacturer said in a separate quarterly regulatory filing Aug. 11.
People are also reading…
“We have restored substantially all of our critical information technology systems, and manufacturing, retail and other internal operations continue. There is no ongoing operational impact on our ability to provide our products and services.”
A 2021 study by Cloudwards determined that 37% of all U.S. businesses and organizations have been a ransomware victim, with 32% of those group paying the ransom, but only 65% getting all of their data back.
A 2022 survey by HornetSecurity.com found that 21% of respondents to a ransomware study had been a victim and 9.2% “were left with no choice but to pay the ransom to recover their data.”
Those counts may be conservative given the reluctance of non-publicly traded companies to acknowledge a ransomware attack.
HornetSecurity said the average downtime a company experiences after a ransomware attack is 21 days, while the average ransomware amount that companies were forced to pay in 2020 was $170,404.
“While the cost of that downtime alone can be fatal for many companies, that is without taking into consideration the cost of data recovery, the payment of the ransom and long-term brand damage,” HornetSecurity said.
Hanesbrands has not said whether it paid a ransom to regain access to its computer system. The company has not returned inquiries on the subject.
Hanesbrands said in the May 31 disclosure it had notified law enforcement of the ransomware attack and was cooperating with the investigation in addition to engaging attorneys, a cybersecurity forensic firm and other professionals to deal with the response.
Hanesbrands’ $100 million in lost second-quarter sales came primarily from the ransomware attack “negatively impacting our ability to order materials, make and ship orders, and process payments during the second quarter.”
Hanesbrands said among its restorative steps have been: re-securing data; remediation of the malware across infected machines; rebuilding critical systems; global password reset and enhanced security monitoring.”
Hanesbrands disclosed that it experienced $15.51 million in costs related to the ransomware attack: $14.17 million related primarily to supply chain disruptions; and $1.34 million related primarily to information technology, legal and consulting fees.
Hanesbrands projects received a level of reimbursement from its insurance policies.
“We continue to assess the security event and cannot determine, at this time, the full extent of the impact from such event on our business, results of operations or financial condition or whether such impact will ultimately have a material adverse effect,” the company said.
“We will continue to evaluate and provide breach notifications or regulatory filings as may be required by applicable law as we continue our review of the scope and impact of the incident.
It remains unclear if the attack affected only internal operations or whether the information held hostage affected employees and customers.
Shifting of targets
According to HornetSecurity, the most frequent targets of ransomware are server infrastructure and network storage, although some attackers focus on the backup storage systems to eliminate them as safeguards.
“Network storage is normally used to store sensitive data, which can be shared between multiple users simultaneously, and is utilized in nearly every company,” the group said.
“Without access to this shared data, many organizations can be left stranded and unable to operate. It is therefore clear that having malware protection present at all levels of the organization is essential, particularly on end-points that have easy access to servers and network storage.
“This is especially true for companies with employees who work remotely and rely on access to network storage via VPN, as local storage is not an option.”
In recent years, the targets have shifted from individuals to governments, corporations, nonprofits and health care systems.
How wide of a spectrum is noted in a July 19 posting by Heimdal Security in which it listed 87 high-profile global ransomware attacks in 2021.
The victims included Acer, Bose, Discount Car and Truck Rentals, Fujifilm (in Tokyo), Howard University, Kia Motors, the National Basketball Association, National Rifle Association, NFL’s San Francisco 49ers, Scripps Health, Shutterfly, Sinclair Broadcasting and the Universities of Colorado and Miami.
“Every day, over 200,000 new ransomware strains are detected, meaning that every minute brings us 140 new ransomware strains capable of evading detection and inflicting irreparable damage,” according to Heimdal Security.
“Ransomware operators will never stop, not even after the victim pays the demanded ransom.”
Attorney William Roberts, co-chairman of Day Pitney LLP’s Cybersecurity and Data Protection Practice Group, told Forbes magazine that “there is no simple answer to whether an organization should pay the ransomware demand.”
“The FBI does not recommend paying a ransomware demand. This is because it doesn’t guarantee you will get your systems back online or your data back and it incentivizes threat actors to continue to target companies.
“Your organization may even become known as an easy mark,” Roberts said.
Ransomware attacks “are just going to become more common and less important beyond the immediate financial repercussions already known at the time the attack is disclosed,” said Zagros Madjd-Sadjadi, an economics professor at Winston-Salem State University.
“There may be a slight dip in terms of investor confidence, but I do not think that it is going to be major, especially once the next targeted company is hit.”
A consumer-focused corporation has an additional burden post-ransomware attack, said Tony Plath, a retired finance professor at UNC Charlotte.
“There are lots of things that Hanesbrands can do to get the word out in the market that this sort of thing just isn’t going to happen again, because they’re fortifying their systems, people and infrastructure to prevent it,” Plath said.
“If they tighten their electronic security systems, invest in new intelligence and infrastructure to protect their electronic networks and data access points, and fortify electronic access to the company’s systems, databases and networks, then these things will be perceived by the market (and the cybercrooks) as a forceful and vigorous response to their cyber vulnerability.
“In the process, they’ll gain some measure of new respect and protection from the cybercrooks, and the stock market will treat these things as just another one of the necessary costs of doing business in an electronic world.”
However, Plath cautioned that if companies, such as Hanesbrands, “don’t respond vigorously and aggressively with these changes, however, then they’ll be seen as weak, apathetic and vulnerable to continuing cyberattacks.”
Roberts said the increase in ransomware attacks emphasizes the importance of corporations and other groups have a vigorous backup system in place.
“Organizations that have fully or nearly-complete backup copies of the data affected by the ransomware generally don’t need to pay a ransomware demand,” Roberts said.
“Even if you have backups of your data, but you confirm that the threat actor in fact has obtained a copy of it, consider the implications of the threat actor releasing the data if a demand is not paid.”
Another factor, in an honor-among-thieves vein, is determining the reputation of the ransomware attacker, Roberts said.
“This requires you to have a certain level of trust that the threat actor won’t just take your money and run or won’t ask for even more additional payments,” Roberts said.
Analysts also advise obtaining ransomware or cyber liability insurance coverage if the coverage is likely to reimburse for the potential payment.
Other local attacks
In 2021, ransomware attacks were carried out on at least 2,323 local governments, schools and health care providers in the United States, according to a May 24 report to the U.S. Senate Homeland Security and Governmental Affairs Committee.
One of the most recent high-profile ransomware attacks occurred in May 2021, affecting Colonial Pipeline, which has a major operational hub in Greensboro.
The Colonial Pipeline shut down for six days because of the attack, affecting gasoline, diesel and jet fuel supplies in North Carolina and along the East Coast. It took several more days for supply to reach normal levels.
Multiple sources confirmed to the Associated Press in May 2021 that Colonial Pipeline paid the criminals who committed the cyberattack a ransom of nearly $5 million in cryptocurrency for a software decryption key required to unscramble their data network.
In 2018, ransomware attacks involving Iranian-based hackers struck the computer networks of hospitals and other targets in 43 states. That disrupted Laboratory Corp. of America in Burlington.
“There is no evidence that any LabCorp data was removed from our systems,” LabCorp said in an Oct. 26 statement.
The company said the attack affected access to test results for a limited period but that “operations were returned to normal within a few days.”
U.S. lacks info
A U.S. Senate ransomware report determined that the federal government lacks a complete picture of ransomware attacks.
The report also found that the government lacks information on how much ransom was paid — typically in the form of cryptocurrencies — by victims of such attacks.
“Cryptocurrencies, which allow criminals to quickly extort huge sums of money, can be anonymized and do not have consistently enforced compliance with regulations, especially for foreign-based attackers, have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” committee chairman Sen. Gary Peters, D-Mich., said in a statement accompanying the report.
The investigation found the federal government “lacks the necessary information to deter and prevent these attacks and to hold foreign adversaries and cybercriminals accountable for perpetrating them,” Peters said.
“Many of these attacks generated significant losses and damages for victims,” the report said. Data from the FBI based on complaints from victims from 2018 to 2020 showed “a 65.7% increase in victim count and a staggering 705% increase in adjusted losses.”
In 2021, the FBI received 3,729 ransomware complaints, with adjusted losses totaling $49.2 million, according to the report.
But the data “drastically underestimates” the number of attacks and ransoms paid, and the FBI considers the numbers to be “artificially low,” the report said.
The real cost of such attacks could range from several hundred million dollars to as much as $10 billion, the report said.
In 2020, criminal gangs were said to have received “at least $692 million in cryptocurrency” as ransom payments, the report said, citing data from Chainalysis, a blockchain data and analysis company that tracks such payments. That compares with $152 million in ransoms paid in 2019, the report said.
Another study by anti-malware company Emsisoft counted 24,770 ransomware incidents across the United States in 2019, with estimated damages, including downtime losses, of “just under $10 billion,” the report said.
Size not factor
HornetSecurity cautions smaller companies that size doesn’t tend to matter when it comes to be a ransomware target.
According to its survey, there was a nearly even split among the five employer workforce categories:
- 18.7% of the victims were companies with between 1 and 50 employees;
- 21.3% between 51 and 200 employees;
- 25.3% between 201 and 500 employees;
- 22% between 501 and 1,000 employees; and
- 22.7% with at least 1,001 employees.
“Our survey data makes it clear that while companies with 1-50 employees are the least common target for ransomware attacks, almost 1 in every 5 of these organizations have fallen victim to an attack,” HornetSecurity said.
“Small companies don’t tend to prioritize information technology security, even if they’re a high revenue organization, until something bad happens making them an easy target for ransomware attacks.”
Meanwhile, HornetSecurity said companies with 201 to 500 employees appears to be most vulnerable “are most likely at a stage where having a dedicated IT team is a no-brainer, but tight cybersecurity might not be a perceived priority just yet.”
“A final interesting observation is that companies with 1,000-plus employees are more likely to be attacked by ransomware than those with 501-1,000 employees.
“This is likely due to the fact that while the largest organizations normally have the most stringent security measures, they also represent the largest potential pay-outs to cybercriminals.”