It was Ott Biederman, an accountant for American organized crime back at the turn of the 19th century that originally issued the famous immortal line, “Nothing personal, its just business.” That is what ransomware is today – just business. While there are occasional ransomware attacks initiated by state-sponsored groups to bring down the operations of key infrastructure, most ransomware attacks are about making money. While money may not be the root of all evil, it is the root of most ransomware attacks. Ransomware criminals are in it to make a buck.
Ransomware involves business decisions
No doubt you’ve read ransomware articles that outline attack methodologies and mitigation techniques. This isn’t one of those articles. This is about the business side of ransomware, not just for the ransomware organization, but for the victimized organization as well. That’s because defending against ransomware involves business calculations. How much time and resources should you allocate towards prevention? Should you pay the ransom if you fall victim to an attack? These are questions that every organization should have a prepared answer for as well.
Ransomware organizations are company structured
Ransomware is an industry, and the end goal of every ransomware organization is to make a profit. Like any corporation, many ransomware outfits set quarterly revenue goals that managers are responsible for. According to the business network, CNBC, cybercriminal organizations are structured much like the companies they target. There is a leader equivalent to a CEO who leads a group of project managers who each execute different parts of an attack. In fact, some of the most effective ransomware organizations are successful not because of their technical knowledge or innovation, but their organizational skills. A highly effective project manager can be just as valuable as a competent hacker and cybercriminal organizations actively recruit talent from the same talent pools as the biggest corporations.
Ransomware as a Franchise
The franchise model has proven a highly effective way for many businesses to scale out and expand revenue income. Ransomware-as-a-Service (RaaS) is very much like a franchise. A budding ransomware entrepreneur that wants to break into the business but lacks the technical or financial ability to create the necessary attack software to do so can become an affiliate. The most popular model requires affiliates to purchase the software for a nominal fee and agree to a monthly split of the profits. Normally, the ransomware developer receives anywhere from 20 to 40 percent of the ransom. Often the affiliates have access to a web portal giving them access to new features and updates. There they can check on the status of their attacks such as the total number of files encrypted and how much ransom money has been collected. Affiliates can even obtain support much like a traditional SaaS subscription.
To Pay or Not to Pay
There is one driving question for any organization befallen by ransomware. Should they pay the ransom? It is a question of both morality and business. The FBI and other government institutions discourage the payment of ransoms as they feel it only encourages the malicious practice and they do have a point. The FBI however isn’t the one saddled with recovering from the attack itself either.
There’s no doubt that some monster-sized ransoms have been paid recently, but those big payouts have been made by big companies. Ransomware organizations don’t reach for the stars when deciding upon a ransom amount. The right size the ransom according to the ability of the victim to pay. Attackers are targeting local government institutions and SMBs with greater frequency to get a quick payout that fits the victim’s budget.
Besides the ransom itself, companies must endure the cost of remediation, lost business, reputational damage, and potential legal costs. Downtime is expensive. Even if your IT team is confident in bringing everything back up, how long will take? You must also consider the historical credibility of the ransomware attackers you are working with. While some organizations are known to keep to their word about releasing a decryption key upon payment, others are not.
Security Comes First
Even if you choose to pay the ransom, you still must perform your due diligence to find out how the perpetrators pulled off the attack to prevent future attacks. There is ample evidence that organizations that do pay the ransom are repeatedly targeted. One example was a company that paid millions to recover their data but failed to take any measures to secure their network from a similar attack. That failure resulted in a second attack two weeks later in which the firm was forced to payout once again.
The Cyber Insurance Bust
Any responsible business owner is mindful to get the necessary insurance to reduce their risk of exposure to destructive events such as fires or floods. Today there are policies for ransomware. These policies cover a variety of costs such as the cost of the ransom itself, data recovery, remediation, forensic analysis, legal counsel, and public relations services. Insurance companies that specialize in ransomware policies will often provide a team of specialists to advise you and if necessary, negotiate an agreed ransom with the attackers. Any company that has experienced a well-implemented ransomware attack can certainly vouch for the value of these policies.
Unfortunately, the success of these policies has led to the demise of the industry because while these policies have helped protect the customers that purchase them, many insurance companies are taking a bath on those policies due to the mounting losses on them. Lloyds of London announced last November that it is discouraging its syndicate to take on any new cyber business in 2022. Lloyds currently holds 20% of all the cyber insurance market. The reason is simple. The frequency of ransomware attacks has increased by 62% on a global basis since 2019 while the average ransom payout has increased by 171%. This is causing insurance premiums to increase as much as 50% a year.
So many things, in the end, come down to money. As one author wrote, money is the great equalizer and common denominator. To understand the nuances and decisions involving ransomware, you must follow the money. Be sure to do the math when you make your decisions concerning this dreaded menace, that’s just business for those involved.