The headlines last February were dominated by the ransomware attack on Hollywood Presbyterian Hospital. After losing the use of their internal IT system and operations, senior management made the decision to pay a negotiated ransom of $17,000. At the time, a ransom of that size seemed shocking.
Today, however, it is pocket change. South Korean web hosting company Nayana was the victim of a ransomware attack called Erebus on June 10. Though originally designed for the Windows operating system, Erebus was recently modified to target Linux web servers as well. Though it is still not clear how the malware infected the system, none of the 153 Linux servers that make up the web-hosting infrastructure were properly patched. With their business completely shut down, management came to the negotiating table to iron out a deal with the hackers. The final agreed price was $1 million, sizably less than the original asking price of $4.4 million. The ransom is being paid in three installments; each installment decrypts a batch of their servers.
Ransom payments for businesses are often in the $10,000 to $25,000 range, but the gang behind this attack demanded 550 Bitcoin to unlock the encryption – approximately $1.62 million. On June 14, Nayana reported it had negotiated a ransom payment of 397.6 Bitcoin – approximately $1.01 million, making this the largest ransomware ransom payment ever reported.
You read that right, over $1 million, and it may have been avoided with proper patching.
A month later, a Canadian firm was hit with ransomware as well, and it should consider itself lucky, as it was forced to pay only $425 thousand. Senior management had no choice in paying, as the attack was able to encrypt all of the company backups. A forensic team investigating the aftermath of the attack believes the attackers knew exactly where the database servers and backups were located. The malware was launched via a phishing attack targeting six senior company executives. The emails were supposedly from a courier company concerning outstanding invoices that were attached as PDFs. Two executives fell for the ploy, and the malicious payload contained in the attachments went quickly to work. Of course, if the company had followed the 3-2-1 backup strategy of 3 copies of all data, residing on 2 formats with one copy offsite, the extortion payment may have been avoided.
With ransoms of such epic amounts today, the logical advice may be simply not to pay the ransom. That was the mindset of the Erie County Medical Center in New York, which fell victim to a ransomware attack this past April that took down 6,000 computers. The initial attack was directed at a hospital web server that was left completely exposed. Once the attackers gained remote access to the server, they began launching a credential stuffing attack to gain access to the system. The compromised account that got them in was only protected by a default password. The attackers then logged onto the system and began encrypting everything in a way that complicated the ability to restore the data.
The cybercriminals demanded $30,000 for the decryption of the center’s data. Paying the ransom was never an option for senior management. Three months and $10 million later, the center may have been better off paying it. According to a HIPAA news source, about half of that amount went to computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as staff overtime pay, and lower revenues from the loss of business during the system downtime. In addition, the hospital has doled out $250K each month since to upgrade technology and improve employee education on cybersecurity.
The decision to pay ransom demands for decryption keys is a complicated issue. From a cost and productivity perspective, it can prove less costly. On the other hand, there is no guarantee that the hackers will respond once the ransom is paid and some argue that ransomware victims are then simply targeted repeatedly thereafter, as hackers know that the organization is willing to pay. According to a study by Symantec in April of this year, 64% of American victims say they would pay the ransom compared to 34% internationally.
The amount of money involved in these attacks is alarming. A single attack now has the potential to put a company out of business. The most upsetting thing for these victims, however, has to be the fact that all three attacks may have been prevented by simple security measures.