Security news that informs and inspires

The Painful Calculus of Ransomware Payments

The pandemic has disrupted, and in some cases destroyed, the business models of many companies, but it has been a boon for many ransomware gangs, which have taken the opportunity to hone their skills and expand their operations to include new forms of extortion, making an already serious threat into perhaps the most significant one most organizations face.

For several years, ransomware actors focused their attention on individual victims, using large malicious spam campaigns that deployed automated malware to encrypt victims’ files. The ransom demands were typically pretty small, often in the low hundreds of dollars, and the attackers depended on high volumes of successful infections and payments to keep them afloat. That model proved relatively successful, but a few years ago some groups began to shift their targeting to enterprises and state and local government entities, surmising correctly that there was much more money to be made with big game hunting. Those groups found that if they hit the right organization, victims were willing to pay hundreds of thousands or even millions of dollars in order to get their networks back up and running.

It didn’t take long for the other ransomware groups to take notice and get on the bandwagon, and the last year has seen a major spike in ransomware incidents at organizations across industries, including a rash of attacks on hospitals and health care providers as the pandemic accelerated in the summer and fall. Many of those incidents have ended with payments that make the ransoms from just a year or two ago look laughably small.

“If you had asked me in 2019 how bad the problem was, I would’ve said it was terrible. If you ask me now, I’d say it somehow managed to get worse,” Charles Carmakal, senior vice president and CTO of FireEye, said during a panel discussion on ransomware at the Aspen Cyber Summit Tuesday.

“The extortion demand has become multifaceted. Victims are paying for the promise that the actors won’t release stolen data. Most financially motivated criminals are monetizing their operations through ransomware. Before, six figures was the floor for ransom demands, and now seven figures seems to be the new floor for any medium-sized organization that has the ability to pay.”

And those demands are being met on a regular basis. Carmakal said he has seen payments between $10 million and $30 million in the last six months, a fact that is at once distressing for potential victims and encouraging for the ransomware gangs. Law enforcement agencies often advise victims not to pay ransom, as it helps fund the cybercrime groups and allows for further development of tools. Payment also provides positive feedback for the attackers, encouraging them to continue their operations. But the payment decision is never simple, and it often comes down to whether the victim organization has viable backups and how long it can afford to be offline. That decision can be even more complicated for government agencies or critical infrastructure operators that have obligations to the public at large.

“When you tell an entity that’s down, a health care provider, a critical infrastructure agency, don’t pay, there’s always that pause. So they ask us, ‘What services can you provide?’ We have strike teams that we deploy as soon as we hear of an incident to help. Having a methodical approach to recovery is key,” said Maria Thompson, chief risk officer for the State of North Carolina.

“This is something that’s been a pain point for me. Some of the entities that have cyber insurance are being highly encouraged to pay the ransom. It’s a vicious cycle, so we have to take the approach of not paying.”

To that end, Thompson said the North Carolina legislature is working on a bill that would prohibit state entities from paying ransom. New York has a similar bill in the works, and last year the United States Conference of Mayors adopted a resolution pledging not to pay ransoms. But the shift in tactics by ransomware gangs to include data theft, along with additional extortion demands not to release that information, has complicated matters even further for victims, especially when the stolen data is business-critical or private customer or patient information. Those cases have become more and more common, and many ransomware gangs have established dedicated sites on which they post stolen data to prove what they have and exert further pressure on victim organizations.

But as with any ransomware incident, there’s no guarantee that the actors will delete the data they’ve stolen or pass along the decryption key if the victim pays. Paying is a calculated risk in any incident, but the calculations grow exponentially more complex when data theft is involved.

“Most actors tend to move on and hit the next entity once they’ve been paid and that’s because they have such broad access to so many environments today. But I’ve absolutely seen victims being hit by separate groups months apart,” Carmakal said.

“In the majority of incidents in which actors promised to delete stolen data, they re-extorted victims months or years later. There are so many victims who feel they have no better option, so they pay. And it’s not going to change until we have a very dramatic change.”