The ransomware crisis
At the end of 2019, we stated the ransomware threat had reached a crisis level. Since then, the situation has only worsened, with attacks on healthcare and other public and private sector organizations continuing and escalating during the course of the pandemic. Even a ventilator manufacturer was attacked.
Compounding the problem is the fact that more and more groups have started to steal data and use the threat of releasing it as additional leverage to extort payment. Data is now stolen in about 1 in 4 attacks, resulting in very sensitive information falling into the hands of cybercriminals and subsequently being posted online.
Additionally, the average demand has increased significantly and now stands at somewhere between $150,000 and $250,000 USD, with multi-million dollar demands becoming increasingly commonplace. The highest demand publicly reported is $42 million; the highest demand not to be publicly reported is said to be in excess of $1 billion. For context, the average demand in 2018 was a little over $5,000. As a result of this increase, cybercriminals are better resourced and more motivated than ever.
We estimate that more than $25 billion will be paid in ransom demands during 2020, with an economic toll on the global economy of almost $170 billion – and these are extremely conservative estimates.
So far this year, at least 219 organizations in the US government, education and healthcare sectors – including multiple hospitals – have fallen victim to ransomware attacks and, in an increasing number of those incidents, sensitive data is being stolen and published online. Globally, there have been more than 170,000 successful attacks in 2020.
The impact of these attacks was significant.
- Personal information was exposed.
- Protected health information was exposed.
- Intellectual property was lost.
- Data was stolen from companies in the US Defense Industrial Base sector, including a contractor that supports the Minuteman III nuclear deterrent.
- Companies were forced into insolvency.
- Healthcare providers and other organizations were hit with class-action lawsuits.
- Sensitive information relating to child abuse cases and veterans’ PTSD claims was posted online.
- Sensitive information relating to ongoing police investigations was posted online.
- Prosecutions were dropped due to evidence being lost.
- Emergency patients were turned away from hospitals, medical records were inaccessible and in some cases permanently lost, surgical procedures were canceled, tests postponed and 911 services interrupted.
In short, these incidents represent a risk to national security, to election security, to companies’ intellectual property and financial security, to individuals’ personal information and to their health, safety and wellbeing.
The first ransomware-related fatality
Further underscoring the risks associated with these incidents, there now appears to have been a ransomware-related fatality. A hospital in Germany was unable to accept new patients after an attack and, as a result, a woman with a life-threatening condition was redirected to another hospital 20 miles away and died as a result of the delay in receiving treatment. Such a tragedy was entirely foreseeable. In fact, we specifically mentioned the possibility in a 2019 report.
“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better.” — Fabian Wosar, CTO, Emsisoft.
This will not be the last fatality. Unless governments make legislative changes, it is inevitable that more lives will be lost.
Governments must ban the payment of ransoms
Law enforcement agencies the world over have long recommended that demands not be paid, and for very good reason. Ransomware attacks happen for one reason and one reason only: they are profitable. Those organizations which choose to pay demands help keep the attacks profitable and, in doing so, perpetuate the cycle of cybercrime, putting other organizations in the crosshairs.
Like climate change, ransomware is a collective action problem and solving it requires that everybody do the right thing. In the case of ransomware, the right thing is not paying cybercriminals, and it’s time for governments to force organizations not to. Making ransomware attacks unprofitable is the only way to stop them. If it were illegal to pay ransom demands, ransomware would cease to be and our public and private sector organizations would no longer be under constant attack. Hospitals would be safe, and lives would not be at risk.
While some may feel a ban is unnecessarily extreme, the reality is that no other practical solution exists. For as long as organizations have been using computers, those computers have been under attack and some of the attacks are successful. Realistically, that is not likely to change any time soon. Security is, at its core, a permanently ongoing game of whack-a-mole, and it is inevitable that not every mole will be whacked. Nor will law enforcement agencies be able to reduce the number of attacks by improving the prosecution rate for cybercrime from its current level of between 0.05% and 0.3%. They may certainly be able to catch and prosecute more cybercriminals, but probably not to the extent that would be necessary in order to put a real dent in the numbers any time soon.
In short, it may be possible to somewhat reduce the number of attacks but, absent a ban on paying demands, the reduction would likely be minimal.
To be clear, a prohibition would not be pain-free. While the criminals would eventually give up, they would not do so immediately and organizations that were successfully attacked during that interim period would not have the option of paying to recover their data. But it is a case of short-term pain for long-term gain. The alternative is our hospitals and other public and private sector organizations being attacked year after year, resulting in the disruption of critical services and, inevitably, in more lives being lost.
Organizations are currently providing cybercriminals with a multi-billion dollar revenue stream – which is entirely funded by the public, albeit indirectly – and it makes absolutely no sense to permit this situation to continue. The best way to protect organizations from ransomware attacks and to protect individuals from the consequences of those attacks is to make it illegal for organizations to pay ransoms. This would stop the attacks, and stop them quickly.
Enough is enough. Governments need to ban ransom payments.