This past August, more than 20 local government entities in Texas, including a number of small North Texas cities, were hit by a coordinated attack by a single source using ransomware—a broad term used to describe malware that prevents or limits users from accessing their computer systems, either by locking the computer’s screens or by encrypting the users’ files until a ransom is paid. The strike made national headlines and is believed to be the largest such hack from a single source. With city functions from processing traffic ticket fines and other payments to issuing birth certificates crippled while the hackers demanded a collective $2.5 million in ransom, the episode sent shockwaves through not only the public sector, but the private sector, too.
Ransomware attacks on businesses have been skyrocketing; according to antivirus firm Malwarebytes, the second quarter of 2019 witnessed a staggering 363 percent year-over-year increase in strikes directed against companies using its business software. Trend Micro’s 2019 ransomware report also indicates that ransomware activity is on the rise, with over 40 million ransomware “detections” made between January and April of this year—compared to just over 50 million for all of 2018.
And the cost of rescuing your files from attackers is going up as well. According to cybersecurity company Coveware, the average ransom paid per incident during the first quarter of 2019 was $12,762, nearly double the $6,733 average ransom during the fourth quarter of 2018. Coveware’s Ransomware Marketplace Report also reflects that the average number of days that a ransomware incident lasts is rising too, from 6.2 days in 2018 to 7.3 days in 2019—a reflection of more sophisticated ransomware techniques and use of encryption tools that are more difficult to defeat. Cybersecurity Ventures estimates that a new organization will fall prey to ransomware every 14 seconds in 2019, with that figure jumping to every 11 seconds by 2021.
Small- to medium-sized businesses, which typically spend less on cyber security, are the hardest hit by ransomware attacks. According to Beazley Breach Response Services, roughly 70 percent of ransomware attacks in 2018 targeted such companies, making an average ransomware demand of $116,000 (the highest reported ransom demand was $8.5 million). Healthcare companies were targeted more often than any other sector. Malwarebytes reports that, in the case of small- and medium-sized companies, 37 percent of the ransomware attacks resulted from malicious email attachments. And for smaller businesses, the impact of a ransomware attack can be devastating: 22 percent of these victims had to cease business operations immediately.
For larger companies, ransomware attacks can be crippling as well. A variation of the “WannaCry” ransomware struck Taiwan Semiconductor Manufacturing Company (TSMC) during the summer of 2018, forcing it to temporarily shut down several chip-fabrication factories. In 2017, Reuters reported that the “NotPetya” ransomware attack had cost FedEx $300 million during the first quarter of that year. And in 2018, the criminal actors behind the “SamSam” ransomware launched an attack on the city of Atlanta’s infrastructure, holding hostage municipal functions like paying bills or parking tickets while making a $51,000 demand. The city refused to pay, and instead incurred an estimated $17 million in recovery costs while spending an estimated $5 million to rebuild their infrastructure. In May of this year, hackers who targeted the city of Baltimore’s computer system demanded about $76,000 in Bitcoin to unlock the city’s files and allow municipal employees access to their computers. Mayor Bernard Young refused to pay, and over the next several months, the city spent over $5.3 million on computers and contractors to recover from the attack. One estimate puts the total impact, with not just city expenditures but loss of revenue as well, in excess of $18 million.
Given the staggering potential cost in terms of not just dollars but also reputational damage, the question becomes: to pay or not to pay? The FBI and most cybersecurity experts counsel against giving in to the hackers’ demands, pointing out the lack of guarantees that such payments will restore access to computer systems and data, as well as the fact that payments will only embolden criminals and lead to more attacks and higher ransom demands in the future. The Texas Department of Information Resources (DIR), which is leading the investigation of the mass ransomware attack on Texas municipalities, reports that none of the affected entities paid any ransom and that, within a week of the attack, more than half had resumed normal operations.
A ProPublica study suggests that insurance companies providing coverage for ransomware attacks and other cyber risks frequently recommend paying the ransom because it is cheaper than the cost of business interruptions, lost revenues, and fees for data recovery experts and lawyers. Fabian Wosar, chief technology officer for antivirus provider Emsisoft, even went so far as to state that “Cyber insurance is what’s keeping ransomware alive today. … They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”
Dallas-based Steven Anderson, vice president and product leader-cyber for insurance giant QBE North America, disagrees. “The reality is that the average demand is between $5,000 to $10,000,” he explained. “From an insurance carrier’s perspective, we want our insureds to have a solution that drives cost down, both for them and us. What we have seen is that by paying the ransom, those costs are mitigated in most cases.” The size of the company and its deductible are also factors, Anderson adds. “If the firm is a smaller firm, they may have a deductible that is well below the demand and therefore it makes sense to proceed with payment.” The costs of a ransomware attack, Anderson cautions, can be substantial, and include “investigation costs, legal liability, regulatory liability, business interruption, direct theft costs, and damage to customer relations and reputation.”
Of course, the ideal solution is to prevent one’s company from being a ransomware victim in the first place. Nationally-recognized cybersecurity/cyberliability attorney Shawn Tuma, a partner in the Plano office of Spencer Fane LLP, says this episode is a wake-up call for those companies that don’t consider themselves potential targets and plan accordingly. “For years, some companies and business owners have felt ‘hackers don’t care about us because our business is not that large or important’ or ‘because our data is not valuable to anyone’—well, your business’s data is valuable to your business and hackers have learned that if you lose access to your computer network or your data, you will pay to get it back because these days, nobody can run their business with a Big Chief tablet and a pencil.”
Another key takeaway from the attack on the Texas municipalities is the importance of preparation. Small cities like Kaufman, Wilmer, and Keene may not have been prepared to deal with such a cyber assault, but the Texas DIR was, immediately implementing a previously established response plan that involved the support of at least 10 government agencies, including the Texas Department of Public Safety, Texas Division of Emergency Management, and the Texas A&M University System’s Critical Incident Response Team.
Steven Anderson says prior planning involves multiple stakeholders, including IT professionals making sure that recovery systems are in place that include “proper patch management, offline backups, and software protection,” as well as members of the legal department and compliance teams working with the CEO as first responders to develop an Incident Response Plan to assess and mitigate risk, including considering insurance coverage for such cyber risks. Companies “want to make sure proper processes are in place,” Anderson observes, “so that when this occurs, the ‘fire drill’ doesn’t cost the company time and money.” And given the likely source of many ransomware attacks, Anderson adds, “Train employees on best e-mail practices, and make spam filtering improvements.”
With ransomware attacks on the rise, companies would be wise to remember the old adage, “An ounce of prevention is worth a pound of cure.”
John G. Browning is an attorney, book author, and award-winning legal journalist.