The Pernicious Effects of Ransomware

April 21, 2021

| | From The Front Lines
Ransomware is hardly new, but several recent high-profile cases underscore that it not only remains a persistent threat, it’s also a growing one. The “great pivot” to remote work in 2020 increased the attack surface for most companies whose workers were suddenly dispersed. It also coincided with a staggering rise in the volume and velocity of ransomware attacks, a phenomenon documented in the CrowdStrike 2020 Cyber Front Lines Report.

 

The routine nature of each individual attack belies the significant harm that ransomware campaigns inflict in aggregate. The effects are felt far beyond the individual victims, burdening society as a whole. In this context, ransomware looks much less like a nuisance and much more like a global security problem — a problem that governments and organizations must address immediately.

 

The Tyranny of Downtime

One effect is a constant across all ransomware attacks: downtime for the organization. This may be compounded by data loss, data theft, monetary loss, legal or regulatory liability, and damage to reputation. The exact combination of these — and the severity of them — is usually a function of the victim’s preparedness, response and luck.

 

Downtime is the intended effect, making the victim feel that payment is their best or only option. An attack that doesn’t result in downtime probably isn’t a successful ransomware attack.

 

For victims, the effects of downtime from ransomware are fairly straightforward: halted or reduced operations. Ransomware victims endure 21 days of downtime on average, according to statistics compiled by Coveware, and these periods have repercussions. Ransomware attacks have disrupted manufacturing supply chains, halted the research and production of life-sustaining medications, and scuppered business deals. Some ransomware victims have gone out of business, putting their employees out of work during an already precarious time.

 

Nowhere are downtime effects as stark, or as sinister, than when the victim organization provides life-or-death services such as healthcare. It’s no coincidence that hospitals have been frequent targets.

Local Governments in the Crosshairs

The effects of ransomware attacks are not always so stark, and these subtler effects ripple across communities. Ransomware attacks can degrade people’s faith in the victims. When those victims include local government, schools, healthcare providers, employers or other institutions that people rely upon, the fabric of a society becomes weaker, leading to a growing psychological toll.

 

In the past two years, an uptick in ransomware attacks on municipal governments and public institutions has had particularly far-reaching ripple effects. When local governments become victims, the communities they serve suffer.

 

This can be difficult to quantify, but the City of Atlanta estimated that a single ransomware incident in March 2018 cost taxpayers up to $17 million in response and recovery, and such estimates don’t quantify the cost to the community of lost services. For example, Atlanta’s police department lost digital evidence. In Baltimore, a ransomware attack encrypted the systems that the city used to record new property deeds, effectively holding up real estate transactions for over a week.

 

School districts that have been the victim of ransomware have had to close schools — or during the pandemic, halt online classes — until their systems were back up and running. This doesn’t just mean lost instruction time, it also means that parents need to find alternate sources of childcare or miss work themselves — a challenge that has become all too familiar to parents over the last year.

 

And the effects of ransomware attacks on local governments don’t stay local. Municipal bonds have long been viewed as a safe, tax-incentivized place for investors to put their money. But as ransomware increasingly targets local governments, the security of those investments has been cast into doubt.

 

A Self-Perpetuating Cycle

When threatened, what are victims to do? Some victims of ransomware feel they have no option but to pay their attackers and hope to recover their systems. Unfortunately, those payments strengthen the adversary ecosystem.

 

Proceeds from ransomware fund greater investment by threat actors seeking new and more sophisticated methods of compromising their victims. This doesn’t just benefit the eCrime ecosystem — nation-state adversaries and other malicious actors also benefit from such technological advances.

 

Part of this cycle, too, is denial — victims with poor security practices feel they have no option but to pay their attackers. Some companies choose to purchase insurance but not invest in security measures, creating a potential moral hazard that harms not only their insurers but also the future victims of the enriched attackers. Breaking this cycle of unpreparedness is an important key to stemming the reach of ransomware’s impact.

How Do We Fight Back?

To stop the effects of ransomware attacks, we must prevent them. For most organizations, properly configured advanced endpoint protection will stop these types of breaches. For attacks that are not prevented, strong backups on immutable storage that cannot be deleted provide an ability to recover without succumbing to the attacker’s demands.

 

But we must prioritize security investment before something goes wrong. Far too many ransomware victims say, “We never imagined that we’d be targeted.” That cycle of unpreparedness cannot be broken until organizations recognize the risk that they face and prioritize fixing it.

We’re All In This Together. How Do We Prevent It?

Enhanced security doesn’t just protect the organizations that implement it — it also increases the attackers’ cost of doing business. Weakening that attacker ecosystem has broad benefits for us all.

 

So how can we help organizations that don’t know they’re at risk?

 

For one, we must change the way we talk about ransomware. Rather than treating each attack as an isolated incident, we must consider the full breadth of ransomware campaigns and the reach of their effects. Security companies, regulators, insurers and the law firms who deal with ransomware victims can connect the dots, while public policymakers can shine lights on the tools and expertise to prevent attacks.

 

After all, clearly we’re all at risk.

Additional Resources