Targeted ransomware attacks are the current weapon of choice for cybercriminals looking to extract large sums of money from unprepared organisations. This trend marks a step toward a more sophisticated era of cybercrime.
The shift towards this method of attack was noted and warned against in November 2018 by the UK’s National Cyber Security Centre (NCSC).
Targeted ransomware attacks, as the name would suggest, differ from the previously popular ‘Spray and Pray attacks’ in that they require careful planning, with great lengths of time taken to learn about their victims during the social engineering reconnaissance phase.
Rather than locking or deleting the files of the computer they infiltrate and then demand an arbitrary monetary figure to unlock it (like the famous WannaCry attack of 2017), they go after classified business documents, crash mission-critical servers and even wipe entire back-up structures. This systematic approach, which knits the malware much further into their corporate structure, enables the attacker to demand significantly more than a few hundred dollars. There is still no guarantee the damage can be undone, but organisations are more likely to pay up when the perceived risk is so much higher.
Old vs New
The spray and pray method, as effective as it still is, relies entirely on “economies of scale” to make worthwhile profits from their victims. Taking small payouts from many unfortunate victims.
The new and improved targeted approach hits far fewer victims, much harder. A fact made painfully apparent when one notes how, as hackers have adopted this new method, the average ransom demand has skyrocketed.
- Between Q4 2018 and Q1 2019, The average ransomware demand rose 93% (from $6,733 to $12,762)
- Between Q1 2019 and Q2 2019, The average ransomware demand rose 184% (from $12,762 to $36,295)
Contrast these figures with the paltry $300 demanded in 2006 and the scale of the issue becomes truly sobering.
Payout vs Pay Off
In many cases, especially in larger organisations, the ransom is not the costliest part of the attack. Disruption of regular business operations can cause immense financial distress, costing many times the initial ransom demand.
In May 2019, the US city of Baltimore was hit by the RobbinHood Ransomware variant. The initial ransom demand of approximately $75,000 was refused by Mayor Bernard C. “Jack” Young. “
We’re not going to pay criminals for bad deeds. That’s not going to happen.
Bernard C. “Jack” Young, Mayor of Baltimore
Since then the cost of restoring their systems has exceeded $18 million.
Don’t be a target
As the threat from cyber criminals grows exponentially, the necessity for systems, procedures and controls grows with it. Basic virus scanners and spam filtering are not enough to stop a targeted ransomware attack wreaking havoc across an organisation. The UK’s NCSC recommends the following mitigations as examples of good security practise:
- Defending against phishing attacks, including the implementation of security awareness training.
- Regular security patching and vulnerability management.
- Controlling code execution.
- Filtering web browser traffic.
- Controlling access of removable media.
Reducing an organisation’s susceptibility to a successful attack should be at the forefront of any cyber-risk decision making as we move into this next phase of attack sophistication and complexity.
Continuously phishing and security awareness training is an important aspect to helping satisfy the first side of the information security triangle which consists of “people”, “process” and “technology.