How does a ransomware attack happen?
Ransomware, much like other types of malicious software, capitalizes on lapses in security practices by both employees and system administrators. In 2021, there were 623.3 million ransomware attacks reported globally, marking a notable surge of 105% compared to the figures from the previous year, 2020. It is important to clarify that these statistics encompass attempted breaches and not solely successful attacks. This substantial increase in ransomware attempts can be attributed, in part, to the persistent challenges faced by businesses as they grappled with the demands of adapting their networks and supply chains to accommodate remote and hybrid work arrangements. Ransomware primarily infiltrates systems in three ways:
Email Phishing – this method involves a form of social engineering where cybercriminals craft seemingly legitimate emails. These emails often contain links to malicious websites or attached documents embedded with harmful scripts. When recipients click on these links or open the documents, their computers and the networks they are connected to become infected.
Software Vulnerabilities – these refer to weaknesses in the code of software applications that can be exploited by malicious actors. Exploiting these vulnerabilities grants the threat actors control over a system, allowing them to introduce and execute malware.
Remote Desktop Protocol (RDP) Vulnerabilities – RDP is a protocol, and the software implementing it, that permits individuals to control a remote computer over the Internet. It is commonly used by remote employees and system administrators to manage computers from a distance. However, vulnerabilities in RDP, or in the way it is exposed and configured, can be exploited by threat actors to gain unauthorized access and subsequently deploy malware.
Impact of a ransomware attack
Revenue
A ransomware attack can have a profound impact on an organization’s ability to function effectively. Even if the organization is well-prepared and has functional backups in place, the process of restoring affected systems can be time-consuming, taking hours to complete. In more dire situations, organizations that were not adequately prepared, or whose backups may have been compromised during the attack, could face recovery periods lasting days or even weeks. This extended downtime can result in a significant decline in revenue or a complete cessation of income generation while the organization strives to recover.
Reputation
Experiencing a data breach or falling victim to a ransomware attack can severely tarnish an organization’s reputation. Some customers may perceive a successful attack as an indication of lax security practices, leading them to doubt the organization’s commitment to safeguarding their data. Additionally, customers who endure service disruptions as a result of such incidents may decide to take their business elsewhere, further damaging the organization’s reputation and customer trust.
Financial
Ransomware represents an unexpected and costly financial burden. In addition to the direct loss of revenue that an organization may incur during the attack and recovery period, there are various other explicit and implicit costs to consider. Evident expenses include the ransom payment (if one is made), the costs of remediating the incident (such as acquiring new hardware, software and incident response services), insurance deductibles, legal fees and potential litigation costs. Less overt expenses may involve increases in insurance premiums, the devaluation of the organization’s reputation or brand, and the loss of valuable intellectual property.
Data
During a ransomware attack, malicious actors encrypt numerous files, rendering them, and often the systems that depend on them, unusable. If a ransom is not paid, these encrypted files may remain permanently locked, forcing the organization to recreate the information, where that is even possible. Even in cases where a ransom is paid, there is no guarantee that the threat actor will act in good faith and provide a working decryption key. Moreover, the ransomware attack may have caused substantial destructive damage, potentially requiring the complete rebuilding of affected systems. Additionally, if the threat actor has stolen trade secrets, proprietary information, or any Personally Identifiable Information (PII), the loss of this data could lead to legal action or the forfeiture of a competitive advantage.
The Scattered Spider story
MGM Resorts, a company with a market value of £11.2 billion, operates hundreds of hotel and gaming establishments across the globe, with a prominent presence in Las Vegas. On 11 September, three days after acknowledging a significant cyberattack, MGM Resorts, one of the largest hospitality outfits in the United States, was still grappling with paralyzed hotel booking systems and casino slot machines. This cyber incident has taken a toll on MGM Resorts, resulting in a more than 6% decline in its share price. The FBI is actively investigating the matter. Insider sources claim a hacking group known as “Scattered Spider” is believed to be responsible for the attack. In 2020, MGM Resorts also disclosed a 2019 cyberattack that led to the breach of its cloud services, allowing the hackers to steal over 10 million customer records. Analysts believe MGM Resorts International could be losing between $4.2 million and $8.4 million in daily revenue and around $1 million in cash flow every day as a result of the ransomware attack.
The MGM incident follows hot on the heels of the attack on Caesars Entertainment, the largest U.S. casino chain with the most extensive loyalty program in the industry. On 7 September, attackers stole its loyalty program database, which stores driver’s license numbers and social security numbers for many customers. Caesars paid a ransom of roughly $15 million, half of the attackers’ initial $30 million demand, in order to avoid the threat of triple extortion.
Remediating ransomware
Remediating the aftermath of a ransomware attack, much like other successful cyber incursions, can entail significant expenses. Since 2018, the costs associated with ransomware and extortion insurance claims have surged, increasing sevenfold. The spectrum of expenses related to recovery is multifaceted. These costs hinge on factors such as the attack’s severity, the availability of backups, and the scale of the affected network. Consequently, expenses can range from a few thousand dollars to several million dollars, exclusive of the ransom payment. According to recent data from the U.S. Department of Health and Human Services, the average expenditure for rectifying a ransomware attack, spanning all industries, amounted to $1.27 million. However, if the attack also involves data theft from the organization, costs can escalate further. IBM’s 2023 Annual Cost of a Data Breach Study highlights that the average recovery cost for a U.S. company grappling with a data breach stands at $9.48 million.
Ransom demands
Similar to projected costs, the average ransom demand exhibits considerable variability. These demands often depend on the nature of the targeted organization and its annual revenue. For instance, attacks on critical infrastructure in 2021 saw ransom demands ranging from $5 million to $11 million. Insurer AIG, in its Q3 2020 Claims Analysis, observed that payment amounts fluctuate in response to the characteristics of the attack. In 2021, the U.S. Department of Health and Human Services reported that the average ransom demand levied against hospitals amounted to $131,000.
Ransomware downtime
The duration of downtime following a cyber incident largely hinges on an organization’s resilience and preparedness. When organizations possess functional backups that undergo regular restore testing, the downtime can be minimized to just a few hours. However, in cases where an organization encounters challenges in restoring its systems from backups, the downtime can extend for days or even weeks, especially if it necessitates the replacement of unique hardware or a comprehensive network rebuild. Under such circumstances, most organizations should anticipate an outage that spans several days while they work to reinstate their systems. In its Q3 2020 Claims Analysis, insurer AIG observed that the typical duration of downtime ranges from 7 to 10 days.
Protect IT Better
Zhero will help you develop and implement a cybersecurity strategy that works for your business and protects it against all cyber threats, including the ransomware menace. Remember that 90% of ransomware attacks fail or result in zero losses for the victim. Our Protect IT better security offering is based on zero trust principles and designed to crush your cybersecurity risk. Contact us today and find out how we Protect IT better by delivering better IT faster.