The exact scope of the financial impact of ransomware attacks whose ransoms are paid in cryptocurrency remains unknown, a new study says.
According to the 2020 Crypto Crime report published by Chainalysis, a leading blockchain and crypto analytics firm based out of New York, more than $6.6 million was paid to wallet addresses associated with ransomware. However, the report highlights that this number is almost certainly a gross underestimate of the actual extent of the problem.
Companies Avoid Reporting Attacks
As a ProPublica investigation in December found, most publicly traded companies that fall victim to ransomware attacks are incredibly wary of alarming investors and consequently driving down their share prices.
Ransomware attacks not only cost money and disrupt operations, but also expose a company's cybersecurity weaknesses. Therefore, businesses often choose to pay the ransom without notifying authorities like the SEC and the FBI.
In fact, SEC-regulated companies often choose to explain disruptions to their operations in vague terms in their legally mandated public filings, reporting the event as “malware” or merely a “security incident”.
Hence, even with blockchain analysis, it is almost impossible to accurately quantify the total number and amount of ransoms paid if attacks go unreported.
Apart from the ransom itself, businesses also incur the costs of hiring cybersecurity consultants, replacing damaged equipment, higher cyber insurance premiums, and interrupted operations. They must also face customer dissatisfaction and the embarrassment of losing sensitive data. Such costs are even more challenging to determine precisely.
Ransomware Attacks Rise
The difficulty of accurately measuring impact is further compounded because ransomware attacks are steadily on the rise. Millions of incidents take place each year, paralyzing computer systems of government entities, companies, medical institutions as well as individuals.
In an announcement last year, the FBI cautioned that ransomware attacks were becoming progressively more sophisticated and expensive. Such incidents have increasingly resulted in significant monetary losses along with breaches of sensitive data.
In a statement to ProPublica, John Reed Stark, a former SEC official and a consultant for firms that have fallen victim to ransomware attacks, said that the evolution of ransomware attacks into data theft was nothing short of “terrifying”. The problem is so persistent and petrifying that businesses are reluctant even to use the word ‘ransomware’.
According to the US Department of Homeland Security (DHS) – which has repeatedly listed cyberattacks as the foremost security threat facing the nation – ransomware crimes have risen by over 300 per cent. Since 2016, there have been an average of 4000 ransomware attacks daily compared to 1000 attacks per day in 2015.
According to a Threats Report produced by McAfee Labs, ransomware attacks have more than doubled year-over-year. Attacks grew by a staggering 118 per cent in the first quarter of 2019 alone. A contributing factor to this growth is the detection of multiple new and innovative strains of ransomware.
RaaS: Targeting the Vulnerable
One such novelty in ransomware is the widespread prevalence of ransomware as a service (RaaS), the Chainalysis report found. Offerings like MegaCortex and Sodinokibi allow those with fewer resources and less technical sophistication to rent ransomware in exchange for a percentage of the cryptocurrency made from an attack.
RaaS also allows developers to shift to the distribution and recruitment end of the supply chain while earning a cut from every user. They no longer have to act on the front lines and risk being on the radar of law enforcement authorities.
RaaS has spread access to the software to the cybercriminal masses and changed the nature of attacks as well as the profile of the victims targeted. Instead of large businesses and nation-states, RaaS targets tend to be smaller businesses that are easy prey. Although the ransom amounts are lower, smaller entities are more likely to pay without notifying authorities.
Therefore, companies of all shapes and sizes are now vulnerable to ransomware attacks. As the cyber-criminal market matures, there is bound to be increased innovation in the field with the development of new, more dangerous strains. Consequently, the problem will only get worse.
Authorities Urge Companies to Come Forward
Authorities like the FBI and SEC have repeatedly urged victims to come forward and disclose ransomware attacks with candor.
Recently, the FBI stated that it advises businesses to avoid paying ransoms since doing so only encourages cyber-crime. However, whether or not firms decide to pay, the Bureau urged them to come forward and report attacks. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”
In 2018, the SEC appealed to businesses for more candor. It added that companies should avoid the use of generic cybersecurity terms and euphemisms and err on the side of specificity when disclosing information to investors.
In fact, SEC regulations dictate that publicly traded corporations must disclose any ‘material’ events that affect the decisions of investors. Nevertheless, the possible ramifications of making such knowledge public often lead businesses to omit ransomware attacks from SEC disclosures and to refrain from alerting the FBI.
Businesses Face Backlash from Both Directions
Although it’s essential for firms to promptly and candidly report any ransomware attack, they often face a dilemma between their duty to fully inform investors and their commitment to their shareholders, employees, and customers. Attacks are embarrassing, and therefore it is in everybody’s interest to downplay them and protect the stock price.
Defining what constitutes a ‘material’ event under SEC regulations is subjective; therefore, companies take advantage of the leeway and skirt materiality by reporting the attack in generic terms.
Businesses weigh quantitative and qualitative costs of the attack against the importance of compromised information to decide whether they should make the attack public.
However, failing to disclose an attack promptly can cause backlash from both authorities and investors. For example, Yahoo’s failure to immediately report a data breach resulted in a $35 million fine from the SEC and another $80 million in settlement costs of a shareholder lawsuit.
Hence, firms must err on the side of reporting. Not only can it help catch the culprits, but it can also help authorities fully understand the problem and design a response accordingly. Until we have real data, we cannot know the scope of the problem. Moreover, authorities need accurate information to reconstitute systems and patch vulnerabilities.
But, at the same time, law enforcement authorities must change their protocols to ensure firms are not dissuaded from reporting. They must openly share their findings with the victims and investigate without intruding on the businesses’ operations.