Ransomware is now one of the world’s most profitable (and seemingly low risk) criminal enterprises — with an underground network estimated to cost legitimate business around USD20 billion this year alone.

While that sum is 57 times the amount collected by ransomware gangs only a few years ago, the worst is yet to come, and some experts suggest that within a decade, USD265 billion will be stolen and extorted annually through ransomware crime.

And with that growth in revenue has come remarkable sophistication as crime gangs efficiently target victims, with an estimated 150% surge in attacks in the past year.

“It’s a growth market,” says Baker Tilly Netherlands IT Advisory Partner Martin van Ernst.

“What we say is it’s not a question of if you’re going to be hit someday with ransomware, but when.

“If you choose that state of mind, then you have to do something about it.

“Prevention is important, but so is your response. What are you going to do? What kind of plan do you have to get your company back in business again?

“When you have those plans, you can sleep a little better.”

What sets ransomware apart from many other kinds of cyberattack is the simplicity of the crime, which combines both technological and psychological attacks on the victims.

Unlike malware that might corrupt files, ransomware uses encryption tools to lock them so they are just out of reach of a business that desperately needs its systems and data to be able to continue shipping goods, paying staff, responding to customers or delivering on contracts.

While it is relatively easy to enact this encryption — some ransomware tools trade on the dark webfor as little as $70 — the lock is also very difficult to undo.

Some groups, such as the No More Ransom project, involving a range of cybersecurity and international policing partners, make decryption software available for free, but these address only a fraction of the tools commonly used.

This is where the second psychological nudge is used to get companies to pay.

For many companies, the cost of paying the ransom is relatively small: a median $47,008 in the first quarter of this year, according to Coveware.

Although some targets are hit with ransoms significantly higher, that kind of price is in the reach of many businesses, according to Baker Tilly experts, making it more tempting to authorise the Bitcoin or other cryptocurrency commonly used to make the transaction untraceable.

And the more people pay, says Partner at Baker Tilly US Jeff Krull, the greater the incentive for criminal gangs to double down.

“Frankly, it’s probably only going to get worse, not better, and we’re probably going to see more successful ransomware,” Mr Krull says.  

“The bad guys are making money doing it, with the proportion of organisations who are paying ransom.

“There’s been so much financial reward for the people doing the ransomware that the groups are now well-funded, with far more resources and the ability to come after organisations.”

But the cost of ransomware goes far beyond the ransom payment.

Besides an average downtime of three weeks, 80% of ransom attacks now include the threat to leak company data, which can trigger its own crisis in terms of loss of trust (reputational risk) and breach of privacy.

Then there are the recovery and business interruption costs, even if a ransom is paid.

In fact, a survey by cybersecurity group Sophos of more than 5400 companies earlier this year found that of those who were attacked and paid up, only 8% recovered all their data, and on average only two-thirds of files were restored. 

“I believe any organization that’s only relying on insurance, or a low relative cost of ransom payouts, as their way to mitigate the risk, is really putting the organization in the firing line right now,” Mr Krull says.

“The bad guys may know how much somebody has in insurance and use that when they’re figuring out how much they’re going to charge, or they may know how much somebody has in the bank, and use that to set the pain point on paying the ransom.

“Ask almost anybody who got hit with ransomware if it was worth not having done some of the good hygiene things they could have done to protect their business and I suspect virtually all of them will say, ‘we really wish we had taken that step’.”

Although the average payout for ransomware might be small, there is huge potential for high yield returns.

Not only has the volume of attacks scaled dramatically, to one every 11 seconds, but as their techniques and tools improve, gangs are changing tactics.

Ransomware first responder Coveware suggests that the size of companies who fall victim to ransomware is growing, with half the victims in Q2 this year having 200 or more staff.

Although experts are divided over how closely ransomware attackers consider the industry of their victims, some groups are over-represented, in part because the software they use has been exploited or because they hold sensitive data and are more likely to pay.

The public sector, for example, is the single biggest target, followed by professional services including law firms, accounting firms and financial groups, and health care.

And with an attack in May that brought down Colonial Pipeline, a major US oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum, the energy sector has suddenly realised its exposure as well.

“Then you need to prepare to manage the risks and respond effectively to them. That means different measures, securing the systems, educating the users, frequent awareness programs, and applying all the latest security updates to the systems.”

Email phishing attacks and compromised remote access remain the key vectors for ransomware, with malware introduced into a network that can initiate an attack.

“Usually, the end users are the ones that, lacking awareness, just click a link and download something,” Mr Dimopoulos says.

“So you start by protecting the endpoints and your systems, and you pay a lot of attention to backups and incident response plans and how you can use them to recover if you need to.”

The kinds of preventative steps needed to keep a company safe are not necessarily difficult to implement from a technical standpoint, says Mr Krull, but they pose a challenge to workplaces reliant on having seamless access to data, files, servers and systems on demand.

“If you think about where ransomware is successful, everybody wants to pin it on the person who clicked the link, but when you start to unravel a successful ransomware attack, you have to go all the way back to the beginning,” he says.

“Do you have good authentication? Good passwords? Multi-factor authentication? Do you have good user security awareness training? Do you have a good patch management process to keep the systems up to date and patched? Do you have good provisioning/de-provisioning systems in place to pull terminated users out and add users in?

“Do people only have access to what they need to have access to, and have you clamped that down? Have you segregated administrative accounts from regular accounts?”

Anticipating the likelihood of an attack also means having a robust disaster recovery plan, Mr Krull says.

“Do we have a way we could actually recover in alignment with the timeframe we would need to?

“Some people say they have a disaster recovery plan, and you say ‘great, how long would it take you to recover?’ But they have never tested it and it could take weeks.

“The truth is in three weeks the damage is done, and you probably have somebody saying, ‘let’s just pay the ransom’.”

Krull warns many businesses hesitate to implement controls that prevent an authorised — or unauthorised — user rampaging across systems, because of the inconvenience.

But that also opens the door for employees to be tempted rather than fooled into clicking a link that could bring the business to its knees.

“People don’t want to do this stuff like checking with data owners for access each time because it’s boring. The process is simple but it takes time and effort,” he says.

“For all your controls, for all the great things you’re doing, do you think there’s no one in your organisation who wouldn’t act if somebody walked up to them on the street, handed them a paper bag full of $5,000, and said, ‘hey, at 3:22, you’re going get a link, all I need you to do is click it, put in your credentials, and you’re done’?

“I suspect there’s somebody in almost every organization who you could get to do that, and that’s a really insidious thing.”

All three experts have seen clients who, when confronted with the risks, believe they are somehow immune to the risk of ransomware because they store files or use software based in the cloud.

But although that might be more secure than using an old server, it is not a perfect solution.

“Ransomware can move from a data centre to another via your company and malware can encrypt files in the cloud,” says Mr van Ernst.

“We have clients who think that if they put their data into the cloud through Microsoft then everything will be secure, or that their cloud provider will be able to detect and protect against threats.

“Sometimes they can, sometimes they can’t but that’s a complex picture.”

Mr Krull says breaches in the cloud often boil down to a company not configuring their cloud access properly.

“The big cloud providers have a huge incentive not to get hit and if you see a problem it is often that the organisation interacting with the cloud provider set something up incorrectly,” he says.

“They might have turned off a default setting, exposed a bunch a stuff to the internet that shouldn’t have been, misconfigured something or they are sloppy in credentialling.

“It’s not to say it’s impossible, however.

“Sometimes you hear in disaster recovery planning a company saying, ‘no, everything’s at this giant cloud provider’. That’s great, but what’s your recovery plan if they disappeared? They say, ‘well that’ll never happen’.

“That’ll never happen is not a good answer.”