To catch a thief


That ransomware is expensive to resolve isn’t news to anyone. While most attacks end up costing victims at most tens of thousands of dollars, most people are aware of big names like Norsk Hydro or Royal Mail, whose recovery efforts ran to tens of millions of dollars. Even these numbers are small, however, when set against the true global cost of this blight.

A 2018 paper presented at the RSA Conference estimated that around $1.5 trillion was stolen from the global economy every year by cyber criminals. That figure has gotten no better in the intervening years, and in July 2023, Cybersecurity Ventures predicted that ransomware attacks will cost victims approximately $265 billion annually by 2031.

According to some in the security industry, the biggest enabler of the explosion in ransomware’s popularity and profitability has been Bitcoin.

“When we brought together the combination of encrypting data and cryptocurrencies for the sake of payment, we created this perfect storm whereby ransomware was able to take off,” says Joe Levy, president and CTO of Sophos, in Weapons and Warriors, the final episode of the cyber security firm’s three-part documentary series, Think you know ransomware?

“[Cryptocurrency] offers a unique opportunity for illicit actors to transfer value across borders with speed that was not previously possible,” explains Gurvais Grigg, global public sector CTO at blockchain analyst firm Chainalysis.

As laid out in the previous episode, Hunters and Hunted, some of the money taken will be used to fund playboy lifestyles that cyber criminals in Russia are becoming increasingly accustomed to. In other countries, however, the stakes are even higher.

“Look at North Korea. How are they building those missiles – those missiles that are Russian-designed missiles? They’re paying for that in stolen virtual currency and stolen proceeds of cyber crime,” says Tom Kellerman, member of the Cybercrime Investigations Advisory Board for the United States Secret Service.

Beyond the money motivator

While it’s easy to focus on the ransom amount and whether or not it’s paid, there are other elements affected in a ransomware attack that both sides would consider valuable.

“The problem with ransomware is a lot of the effects are not clear right from the beginning,” says Clare Sullivan, a visiting professor at Georgetown University.

“I think it’s wrong just to look at the ransom. The broader picture is the data, the value that has and what stance a nation should be taking to protect [it]. There needs to be a fundamental recognition that the data that we hold is really, really valuable,” she adds. “Focusing just on whether ransoms should or not be paid, it’s missing the crucial element.”

Indeed, it’s not out of the ordinary for cyber attackers to use a ransomware attack as cover for other criminal activity such as the exfiltration of sensitive data.

Tracking down thieves

A ransomware attack is a crime and, provided the victim chooses to involve law enforcement, may attract a police investigation. There’s a level of ‘crime scene’ work that can be done by computer forensics – establishing how the attack unfolded, where the entry point was, what data was affected (even if it wasn’t encrypted), and whether there’s any evidence of the attackers still lurking in the system.

If a ransom has been paid, it may also be possible to track the attackers through their ill-gotten gains, despite cryptocurrencies’ reputation for anonymity.

“They get paid and they receive those crypto and then they begin to move that through a series of wallets in an attempt to obfuscate the trail,” says Grigg. “That’s what makes blockchain analytics so fascinating, because we can literally follow those digital breadcrumbs until they ultimately get it to a place where they hope that it will be safe and they can cash it out.”

As Catalin Cosoi, senior director of investigation and forensics at Bitdefender, explains, the main cryptocurrency exchanges are well-regulated, established businesses. If law enforcement suspected a cyber criminal had used one of these services to cash out their Bitcoin for real money, they could subpoena the records and track down the perpetrator.

Consequently, once they have finished attempting to launder their money, they have to take it to a smaller exchange to cash out ‘off the books’ – but a record of the transaction still remains on the blockchain ledger.

According to Jackie Burns Koven, cyber threat intelligence lead at Chainalysis, her work has shown that there is a small number of wallets – and, therefore, a small number of individuals – behind most of the attacks.

The importance of defense

While it may be tempting to view this as a victory, the reality is that many of these individuals will be outside the jurisdiction of the place where the victim is based, and often there will be no extradition treaty.

Investing in prevention, therefore, is often better than the hope of any retribution.

“In my experience, prevention – and investment in prevention – is always the best path,” says Grigg. “When you look at solutions of securing your network, that goes a long way to preventing. It’s always easier to prevent a spill than to clean up a spill. 

“Waiting until you’ve become a victim and then trying to clean it up by paying a ransom, that money probably would have been better … spent long before that and maybe you wouldn’t have been a victim at all.”

This includes technology itself, but also skilled cyber security professionals. According to Peter MacKenzie, director of incident response at Sophos, these specialized personnel should be monitoring all machines on an organization’s infrastructure and looking for anomalies. This, he says, will enable them to act prior to the attack being executed, rather than afterwards.

With the tech skills gap still in full swing and a particularly pronounced lack of skilled workers in the cyber security field, finding these skilled professionals may be easier said than done.

Cosoi offers a solution: “If we compare the underground economy and where we have the crime ‘as a service’, probably the same model has to come into cyber security as well. So you need to have cyber security as a service.”

In the words of Erez Leibermann, litigation partner at Debevoise and Plimpton: “Most companies can’t afford the resources that are necessary to fight the sophisticated hackers that are sitting on the other side and yet their data is worth protecting. 

“Working together to pool those resources … through actual cyber security [has] changed the game completely.”

This is the third in a series of three articles based on the Think you know ransomware? documentary series by Sophos. The full episode, Weapons and Warriors, covers in more depth how businesses can protect themselves from ransomware.

ITPro