Ransomware is a Scourge, But Also Helpful
Everything, everywhere, eventually comes down to money. Even non-profit health care organizations tend to operate as if they have investors peering over their shoulders, because each dollar represents some portion of a life they could save. Put in those terms, it is easy to see why organizations might be reluctant to spend a single dollar on something that doesn’t directly contribute to their mission, profit or otherwise.
Cybersecurity spending isn’t immune to that reluctance, and that isn’t surprising either. Security spending is difficult to tie to revenue in any meaningful way, so it tends to be viewed as a cost center. And cybersecurity is hard. For any meaningful level of assurance, security professionals must discover and defend every potential vulnerability, while attackers need only find one hole that they can exploit. That difficulty translates directly into cost: estimates of global cybersecurity spending are on track to pass $1 trillion over the past five years.
Wait… $1 trillion? Didn’t I say that no one would want to spend anything on cybersecurity? How did we get to spending the sorts of money usually talked about in the budgets for large countries?
One important answer is the rise of ransomware.
The attraction of ransomware for attackers is also easy to understand. In most cases, there isn’t any need for attackers to attempt to exfiltrate any data, since the goal is to encrypt devices in situ. This greatly simplifies the attackers’ work during later phases of an attack. That relative simplicity is also paired with the ease with which the attackers can monetize their efforts. Instead of dealing with the complications and difficulty of attempting to sell personally identifiable information (PII) or engaging in the fraud themselves, attackers can extort their victims directly.
That level of attractiveness has led to ransomware becoming a scourge. In early 2020, ransomware costs for the year were forecasted to reach $9.3 billion; but by the end of the year, the estimated costs more than doubled. And the targets will pay: those cost estimates represent the 50-70% of victims that agree to pay the ransom.
Now, I hate that victims are falling prey to these kinds of attacks. I’d be delighted if ransomware disappeared off the face of the Earth tomorrow. But ransomware has changed the conversation about cybersecurity budgets in boardrooms around the world. Risk analysts aren’t stuck talking about nebulous potential damages to reputation from a leak of customer data. Instead, cybersecurity professionals can point to actual extortion, often targeted at members of their own industries or at organizations that they know.
Like all of us, the decision-makers in charge of cybersecurity spending have to make hard decisions about where to put their efforts. They make those decisions based on their perception of risk. Ransomware has had the unexpected effect for those decision-makers of making the risks associated with cybersecurity into something concrete that they can weigh, fear, and, most importantly, prepare against. And that unintended result has made one of the biggest risks we face into a surprising asset for the industry.
If you are interested in learning more about ransomware and how to properly develop and execute a ransomware playbook, cyberTAP has created a new Ransomware course. Contact Karen Leaman, firstname.lastname@example.org for more information.
About the author
Senior Information Security Analyst