In 1989 a biologist, Joseph L. Popp, created the first documented ransomware – he called it the AIDS Trojan. Joseph attended the World Health Organization’s AIDS conference and handed out 20,000 infected floppy disks to unsuspecting attendees. The programme would count the number of times the computer was booted and once it reached 90 it would hide the directories and encrypt or lock the names of the files on the C-drive. To regain access, the users needed to send US$189 to PC Cyborg Corporation at a PO box in Panama. The AIDS Trojan used simple symmetric cryptography and was fairly easy to overcome, but ransomware as we know it now was born.
Ransomware may have started over 30 years ago but first gained global notoriety as a result of the WannaCry attack in May 2017. This campaign was unprecedented in scale, with an estimated 200,000 computers across 150 countries infected. Some unfortunate organizations spent in excess of US$100M to recover from this infection.
Since 2017, cyber criminals have chosen ransomware as the “weapon” of choice and the frequency of attacks has increased significantly. However, it was not until the global COVID-19 pandemic that the number of ransomware attacks skyrocketed. The Chainalysis 2021 Crypto Crime Report indicated that in 2020 cybercriminals profited an estimated US$350M from ransomware alone, an increase of 311% from 2019.
But why only in 2020 and during a global pandemic? The lockdown orders issued to prevent the spread of COVID-19 resulted in a significant shift towards remote working. The once impossible became a new norm virtually overnight. Companies’ IT networks were extended to every single employee’s home Wi-Fi network and therefore the attack surface increased exponentially. This left companies even more vulnerable as the dash to cloud-enabled services and collaboration tools created more security debt. ‘Fast deployment no matter what’ was the objective to ensure business continuity with very little security testing – if tested at all.
People were fearing the worst and this soon resulted in panic buying of goods. Supermarkets broke previous sales records – substantially more than the anticipated festive season sales. Cyber criminals not only took advantage of this by selling non-existent goods but also leveraged it successfully as phishing bait. Phishing campaigns increased and fed off people’s fears through enticement of online special offers for sought-after goods and even fake coronavirus cures. Large numbers of user credentials were captured, which resulted in cyber criminals gaining access to IT networks to steal sensitive data before deploying the ransomware code.
This resulted in double extortion tactics. This means that if the organization refuses to pay the ransom, the stolen data will be leaked online or sold to the highest bidder on the Dark Web. Some criminal groups went a step further by deploying triple extortion tactics, where not only are the organizations being targeted but also the personnel and customers whose data may have been stolen during the data exfiltration. This has happened in the healthcare industry, where patients are targeted to make ransom payments, otherwise their personal files will be leaked online.
This is only the tip of the iceberg as more vulnerabilities in people, process and technology controls presented huge opportunities for cyber criminals. The 2020 Harvey Nash/KPMG CIO Survey reported 41% of organizations worldwide experienced an increase in ransomware incidents while employees were working remotely; 29% of attacks are via phishing campaigns; and 21% of attacks are via remote access. It was also estimated that the cost globally to remediate a ransomware attack is US$1M.
It is evident that we are now dealing with a second pandemic that has potentially widespread devastating impacts. Unfortunately, there is no cyber vaccine available at this point in time so ‘prevention control orders’ must be implemented by all organizations. The focus must be to reduce the likelihood of a ransomware infection but also to recognize that a successful attack is likely.
Hence, business leaders in every organization must be proactive to mitigate the risks. To start, ask the following questions to your Cyber Security and IT teams:
Detailed answers to these questions will provide business leaders with the insights to decide on the next steps. However, the most frequently asked question by business leaders is “should we pay the ransom?”. There is no straightforward answer to this question as every victim’s situation is different depending on their cyber security posture and the immediate business impact.
Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom, please take note that:
On a larger scale, more must be done in the future to reduce the impact of this pandemic of organized crime. It is necessary to establish more coordinated international diplomatic and law enforcement efforts to bring these borderless crimes to justice. This calls for increased collaboration between Government Task Forces and the private sectors to cohesively fight this pandemic, e.g. in the U.S. the FBI recently launched a new initiative to disrupt cybercrime. Regulations must be put in place to make it mandatory to report ransom payments, and vigorous cryptocurrency regulations – KYC, AML and CFT laws – must be enforced to control this payment method that is a key enabler for cyber criminals.
Just like we had to adjust to the impact of the COVID-19 pandemic by wearing facemasks, continuously sanitizing our hands, and reducing social events to fight the spread of infection, organizations need to be more proactive, but also be ready to react quickly in the event of a successful ransomware attack.