2020 has been a bad year for ransomware. 2021 will be worse.
As we start the new year, there has been no shortage of memes, social media posts, and other commentary justifiably expressing an intense dissatisfaction with the events of 2020. While many are eager for a fresh start, hopeful for better times, in the area of cybersecurity and of ransomware in particular, 2021 is unfortunately shaping up to be a far worse year.
Ransomware—a form of malware that prevents a computer system from being used or its data from being retrieved, but with an offer to restore access if the attackers are paid—has proved to be a lucrative criminal pursuit. Industry research assesses that ransom payment amounts continue to climb, reaching an average of $233,817 as of late last year according to one analysis. But the cumulative costs of damage resulting from ransomware attacks are far worse, almost doubling last year from an estimated $11.5 billion in 2019 to $20 billion in 2020.
World events, other high-profile cyber concerns such as election security and the SolarWinds SUNBURST attack, and the long predicted dramatic increase in ransomware attacks, have all limited the number of headlines that this high dollar figure should have generated. But the businesses that have been the targets of ransomware know firsthand that its devastating effects are deserving of far more attention by the public, and of far more concern by businesses.
Looking ahead to 2021, we’ve identified three key trends for which businesses should be prepared.
First, we expect the model of ransomware itself to mature. Historically, attackers would often lock up data and systems within seconds of gaining access. Moving forward, we expect to see the growth of a more sophisticated approach, where attackers access a network and first exfiltrate the data so they can not only encrypt it, but also threaten to leak it or sell it if the ransom isn’t paid.
This evolution from a ransom model to an extortion model carries even deeper risks of a cascade into more complex attacks. A sophisticated operation could be designed to not only interrupt day-to-day business activities, but to influence mergers and acquisitions, stock prices, and company reputations—providing savvy criminals with opportunities to exponentially grow their potential payouts.
Second, we expect an accelerating shift to a “ransomware as a service” model, as expert attackers attempt to avoid the risk of monetizing their skill sets by conducting ransomware attacks of their own volition. Instead, they will offer their implants, tools, and system credentials on the underground market. Over time, this proliferation of plug-and-play tools is likely to dramatically expand the universe of criminal elements using ransomware, leaving less-sophisticated defenders more and more exposed.
Finally, we expect the technical capabilities of criminal ransomware attacks to reach new heights in 2021. As cyber tools and concepts have migrated from the level of nation states, ransomware has already begun to evolve from blind, automated forget-and-fire attacks to a more tailored approach customized at specific targets. This technical evolution will also include more advanced anti-detection techniques—some of which, such as the ability to access and manipulate data without leaving a timestamped digital trail, we are already seeing.
These three expected evolutions in the ransomware threat need to be a critical concern for every business, but they must be of special relevance for organizations in two categories.
The first is health-care companies. There has already been a substantial rise in ransomware since the onset of Covid-19, and the financial success of those attacks will only cause their pace to accelerate in 2021.
Operating in a highly regulated and sensitive industry, health-care companies are especially vulnerable to the evolution into extortion, data manipulation, and disinformation. But as hackers get closer to where care is delivered, the greater the probability of seeing ransomware attacks occur, since attackers know the potential for loss of life hangs in the balance. They can prey on emotions and know that time is of the essence for administrators to decide whether to pay or not to pay.
The second category includes both small- and mid-sized businesses, as well as companies in the sectors hardest hit by the pandemic-caused recession, such as transportation, hospitality, manufacturing, and retail. While many organizations in both of these groups undoubtably planned to invest in making their systems more secure in 2020, the Covid-19 crisis simply wasn’t in the budget. With the economic outlook into 2021 still uncertain, companies are continuing to be forced to make difficult budget decisions, and far too many are choosing to deprioritize strengthening their cyber defenses.
This failure doesn’t rest only on the shoulders of business leaders, who after all, are in their roles precisely because they must often choose between difficult tradeoffs. There has also been a failure by the cybersecurity industry to offer commoditized, widely available endpoint solutions that are easy to access and use within commonly used operating systems. For companies with limited resources, ransomware is likely to continue being an issue until this gap in the market for a more cost-effective solution is addressed.
Smart business leaders have started the new year by making a resolution to ensure they are doing everything they possibly can to protect themselves from the accelerating pace of ransomware attacks. As all signs indicate a growth in both the number and severity of attacks, those who don’t prepare are likely to find themselves looking back on 2020 more fondly than they ever would have imagined.