Ransomware is big business. It would not be a stretch to say that it is a billion-dollar industry for criminals. Just in the last year alone, over USD $150 million was paid out to just one ransomware group alone. What is more alarming is that this is only the amount that we know of. Many corporations and businesses often do not publicly reveal that they have been subject to a ransomware attack in fear of losing trust from their customers. Instead, they would prefer to pay out the ransom to the criminals in order to prevent the malicious actors involved from making public stolen data, and to receive the decryption key.
Total cost of ransomware attacks is expected to exceed USD $20 billion in 2021
In a survey conducted amongst security professional, ransomware has become the top cause of concern for all organizations and industries. Ransomware is a multi-faceted attack vector that can both target large corporations and small individually run home businesses. It has no concern or care as it is often a matter of opportunity for criminals. It is after all easier to phish a small business and receive a small sum multiple times than try to break into a highly secured network.
Targeted ransomware often focuses in on education and healthcare systems as these organizations have smaller security teams if any at all. Other targets such as family offices, hedge funds, and small financial services and institutions have also seen a rise of ransomware cases due to the same reasons stated above.
However, just because you do not fit in those lucrative target categories for malicious groups does not mean that you have nothing to worry about. There are many types of ransomwares that have been developed that have no specific targets and spread themselves automatically, with no particular target profile.
Malicious emails containing such ransomware have gone up over 600% just in the last year alone due to COVID-19. Today, on average, a ransomware attack occurs once in every 11 seconds. Over 200,000 people last year alone that were affected by ransomware also found that their bank accounts and secure logins had been compromised with signs of transactions they did not recognize.
Ransom demands have also increased tremendously over the last few years from a few thousand dollars just a few years ago to millions of dollars today, with one of the largest payouts being a USD $90 million bitcoin payout by an oil company.
Cybersecurity Insurance
You may say: “But I have cybersecurity insurance.”
Insurance companies often do not pay out the total amount of the damages cost by ransomware. In most cases, only a small fraction is paid out by the insurance plan. This is another cause of concern as there needs to be a lot more thought and work done to make these plans viable, especially for private citizens.
Real worry for the future
Due to COVID-19, it has become the norm for work from home plans within organizations. 84% of organizations have made it public that they will keep remote work as a norm even after COVID-19. It is impossible to place an enterprise grade security appliance in every work from home environment, and thus increasing the attack surface of these organizations.
With such good returns for criminals, we do not foresee the threat of ransomware declining any time soon. In fact, we project that the total costs for ransomware and their damages will eventually hit USD $6 trillion annually. This will be more pronounced as malicious actors are beginning to spread their target net towards changing working habits due to COVID-19. Phishing and spear-phishing attacks targeted towards people working from home have increased tremendously since the mid 2020’s, and we project this to only keep increasing moving forward. It is this very reason that ransomware is no longer a threat for just the corporations, but for all of us as well, and it has become a true cause of worry and concern.