In 2021, it is my expectation that we will see ransomware victim organisations facing government lawsuits. Indeed, authorities like the U.S. Department of the Treasury (USDT) have already announced they will file civil suits against organisations that pay the ransom to get their data back, along with the cybersecurity consultants assisting in the recovery efforts, intermediaries brokering the deal with the ransom gangs, and even any insurance providers who encourage the payout. But why is this happening, and what does it mean for organisations?
Ransomware attacks are becoming far more common, and a whole lot more expensive.
First, the why. It’s common knowledge that ransomware is on the rise, but unless you’re really paying attention, you might not know just how bad the problem is. No matter which research you trust, the statistics are grim. For instance, Check Point Research found a 50% increase in ransomware in Q3 2020 compared to the first half of the year, while Bitdefender recorded a whopping 715% year-over-year increase in the total number of ransomware reports globally. North America is being particularly hard hit; according to Lumu, 69 percent of companies there said they suffered at least one ransomware attack.
Meanwhile, ransomware is becoming far more disruptive and damaging. Hackers are increasingly likely to follow through on their threats to leak the data they've stolen if the victim doesn't pay, which sends a clear signal to future victims that they must pay up pronto. In addition, the size of the ransoms is skyrocketing: Lumu pegs the global cost of ransomware attacks at $20 billion, up from $11.5 billion just last year, and the average cost of one attack is a staggering $4.44 million — more than the total cost of a data breach.
Organisations are failing to report ransomware attacks
All too often, ransomware victims avoid reporting the attack to authorities. Europol posits many reasons for this. Approaching law enforcement to start a criminal investigation is generally not a priority for victims, who see paying the ransom as the quickest avenue to restoring business operations. Others simply don’t believe authorities can help (even though they do have access to known decryption keys and other tools). Organisations are also concerned that making the incident public is likely to damage their reputation and cost them revenue. Finally, ransom is usually paid in cryptocurrency, which makes it easier for the victim organisation to conceal the transaction. Whatever their reasons, some businesses are choosing to hire private security firms to investigate attacks and negotiate ransom payments, even though 17% of victims who pay the ransom never get their data back.
Alarmed and frustrated, authorities respond — but leave many questions unanswered.
This combination of a huge amount of cybercrime evolving into an extremely effective “business model” and the failure of victims to report attacks leaves authorities in an unhappy position. They can’t get an accurate handle on the scope of the problem, learn from one attack to help mitigate the next, or attempt to catch and prosecute the perpetrators. As a result, we’re seeing policies like the one from the USDT to take action against victim organisations that pay a ransom, along with anyone who helps them do it.
However, a number of questions remain which we hope to see answered in 2021: Which rules apply to which organisations in which countries? Can organisations face multiple penalties? Who exactly is liable, and what other consequences, such as criminal charges, might befall an organisation if it falls victim? With so many questions remaining, many organisations will be entering 2021 with trepidation.
To reduce your risk, follow IT best practices!
One thing is crystal clear: In 2021, organisations will be smart to up their game when it comes to preventing, detecting and recovering from ransomware infection. From protecting regular backups and ensuring you can recover quickly from them, to educating users about cybersecurity threats and best practice, 2021 will be the year when organisations will need to really shore up their defences, or face the consequences.