The Rise of RaaS: The Real Cost of a Ransomware Attack

Welcome to the DataMotion Blog’s third and final installment to the Rise of Ransomware as a Service series. Thus far, we have focused on what Ransomware as a Service is, examined some recent attacks and how they started, and explored the snowball effect that can follow when your third-party vendor is a risk factor. While these are important elements to understand in order to help create a defensive plan to avoid falling victim to a similar attack, there are still a couple of critical questions left to ask. What happens after an attack occurs? What is the true cost of a ransomware attack?

Understanding how companies recover from a breach, as well as the obstacles they often face in the wake of an attack, can help with financial planning and crafting a security strategy. For example, many organizations have opted to invest in ransomware insurance, or to establish a fund specifically for the possibility of an attack, because paying a ransom is often the fastest route to getting an encrypted infrastructure up and running again. In this installment, we will go over the financial cost, the required manpower, and reputation damage that is often the residue of ransomware.

The prices of everything, from milk to gas, are rising—and we hate to inform you, but ransom is no different. As companies continue to pay ransom demands to decrypt their environment or retrieve their data, cybercrime groups ask for more. A Forbes article found the average cost of ransomware recovery has grown $1.08 million in the last year. The cost per company, however, can vary, depending on its size and revenue. For example, JBS (the meat packing company who was hacked in early June) paid hackers $11 million to retrieve their data and get their systems back up and running. Colonial Pipeline paid their attackers roughly half of that, about $5 million. Though in Colonial Pipeline’s case, $2.3 million of the payment was recovered by the DOJ’s Ransomware and Digital Extortion Task Force. Given that the companies mentioned above each paid a hefty ransom, it might seem like a good idea to allocate resources, just in case.

Unfortunately, with the rise in ransom cost and the growing frequency of attacks, the price for insurance coverage is also increasing. Many insurance companies are starting to restrict their coverage, or drop ransomware coverage altogether. Those who find the higher cost in coverage to be worth it run into an entirely new issue: insurance is something hacking groups look for. Cybercriminals know they can’t extract blood from a stone, so they perform research to target companies who can afford to pay. Once they breach an environment, they often look for signs the compromised company has financial security to help determine the price of the ransom they will charge. A Washington Post article found hacking groups are referring to insurance companies as “an endless pot of gold” and are known to send screen shots of insurance plans to organizations from their own systems during negotiations. This greatly weakens a company’s ability to lower the ransom price, and may even increase the demand.

The rising cost of ransomware is not the only thing to worry about. As we reviewed in the last part of this series, an organization’s clients can become caught in the crossfire of these attacks, leaving customers’ data and systems vulnerable to subsequent attacks. This can destroy a company’s reputation and devastate their customer base.

Some organizations are able to pay ransom in secret, so their reputations likely won’t suffer the same damage as their wallets. However, it’s hard to keep the cat in the bag when your customers are affected. For example, last month T-Mobile was once again breached, and their customers’ data was compromised. The data for 47 million current and former customers was posted on a public site as a result of this breach, including social security numbers and financial records.

Once the smoke clears and damage is analyzed, lawsuits often follow, adding legal fees and settlement payments to the total cost of a ransomware attack. Colonial Pipeline experienced this after they were hacked; as a result, their oil distribution halted, leaving much of the southeastern U.S. without oil. The legal fallout includes business owners suing for lost profits and customers suing over higher prices while waiting for distribution, on the grounds that a lapse in Colonial Pipeline’s security causing the breach. This is becoming a familiar fate for other organizations as well.

As if the ransom and lawsuits weren’t enough, you also need to factor in the profit lost when your servers are down. This profit loss is what often drives the pressure to pay a ransom in the first place. Every day that your environment is unaccusable and your services are down, the more profit is lost. But paying hackers is a double-edged sword. The more money a cybercriminal group makes, the stronger and more resourceful they become, making them even more dangerous and unstoppable. The new accessibility to malicious software that RaaS brings, coupled with a steady stream of profits from paid ransoms, is only adding fuel to this fire.

Not to mention, there really is no honor amongst thieves. 92% of organizations who paid a ransom did not get all of their data back. New servers need to be built and brought online before services can resume, which can be an expensive and tedious task. Once your environment is up and running again, production is often slowed due to a loss in data. As we discussed in the second installment of this series, disaster recovery servers are the best way to recover data and bring servers back online. It’s also important to back your servers up often to minimize data loss and bring productivity up to speed as quickly as possible and limit the amount of revenue lost.

As promised, below are two additional tips to help protect your environment from a ransomware attack, hopefully sparing you a logistical headache:

The first tip is to implement an email gateway to avoid phishing attacks. An email gateway can help scan links and documents within incoming messages to identify potential malicious code and immediately deny the message or move it to your trash folder. By identifying and removing malicious emails, which hackers often exploit for entry to your systems, you greatly reduce the threat of a phishing attack. Email gateways can also be used to create other rules in addition to thwarting malicious messages. For example, to send data securely with DataMotion software, right from your email client, you can easily create a rule that will send any message with a tag like “[Secure]” to be encrypted and sent over a secure line. This tag can be added anywhere such as the subject or body of the message, and doing so helps lock down sensitive data and meet compliance regulations.

The second tip we have for you today is to patch and update your products and environment as soon as new updates are released. As zero-day vulnerabilities are detected within an environment or product, a patch or update is created as soon as possible to correct the vulnerability and protect you from the exploitations that can follow.  The Kaseya attack started with a zero-day vulnerability in Kaseya’s VSA server. Once the hackers discovered the vulnerability, they quickly scanned the Internet to find customers utilizing this product in order to exploit the lapse and breach customers’ systems as well. Had Kaseya discovered the vulnerability first and deployed a patch to resolve this error, only those customers who did not deploy the patch would still be at risk.

Every ransom that is paid to undo an attack emboldens and strengthens cybercrime groups. But the price of a ransomware attack goes beyond the cost of ransom. With the costs of service downtime, legal fees, lost data and new equipment factored in, ransomware becomes much more expensive than what is often portrayed to the public. And to top it off, your company and leadership team’s reputations are definitely at risk, along with the trust of your current and potential customers.

With the rise of Ransomware as a Service, attacks will continue to be launched, likely with greater frequency. However, implementing the tips reviewed in this series will help you and your organization create a solid defense and resilient infrastructure against ransomware attacks. One tactic we review is to implement email encryption and to secure your data transfers. You can quickly find more information on how to enact this functionality today with DataMotion APIs.

Be sure to check out the DataMotion Blog and our Resources page for great development advice, including articles on protecting your environment both internally and externally.

• The Rise of Ransomware as a Service
• Rise of RaaS: Consolidating the Vendor Risk Factor

• Forbes’ “Ransomware Reality Shock: 92% Who Pay Don’t Get Their Data Back” by David Winder
• Reuters’ “Meatpacker JBS says it paid equivalent of $11 mln in ransomware attack” by Aishwarya Nair in Bengaluru
• TechCrunch’s “T-Mobile says at least 47M current and former customers affected by hack” by Zack Whittaker
• DataMotion’s “The Rise of Ransomware as a Service” by Heather Post
• Washinton Post’s “Ransomware claims are roiling an entire segment of the insurance industry” by Rachel Lerman and Gerrit De Vynck
• Washinton Post’s “First came the ransomware attacks, now come the lawsuits” by Gerrit De Vynck
• Forbe’s “Why Ransomware Costs Businesses Much More Than Money”