Organizations are facing an unrelenting stream of ransomware attacks.
While not as widespread as the WannaCry, Petya and NotPetya ransomware attacks that struck earlier this year, the less-publicized attacks also are creating significant problems for companies, experts say.
And the availability of ransomware on the so-called dark web gives criminals easy access to programs that can be used to target organizations.
With the relatively small amounts generally demanded — usually in the form of bitcoin — it is often cheaper for companies that don’t have backup files to pay the ransom than to spend potentially many thousands more restoring their systems, even though paying the ransom raises the troubling issue of abetting criminals or even terrorists.
When they pay, in most cases the victims receive the encryption key that restores their data.
Ransomware attacks have caused problems for organizations for several years, but the WannaCry attack in May and an attack using a new variant of Petya in June hit numerous companies, particularly in Europe, causing widespread concerns.
But smaller, less far-reaching attacks are also causing big problems for companies, and there is little sign of criminals relenting, said Richard May, Seattle-based managing principal for Integro Ltd. “I think it’s unfortunately going to be more of the same,” he said.
Ransomware is an effective business model for criminals because it involves little expense, experts say. It is “essentially a pure profit gain,” said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey.
The only effective measures firms can generally take, observers say, is preventive, with frequent backups.
Insurance coverage for ransomware attacks is generally available in both cyber and kidnap and ransom policies (see related story).
“Ransomware does continue to grow as a problem, both in terms of the sheer volume and sophistication,” said Tim Marlin, Alexandria, Virginia-based senior managing director and head of cyber and professional liability underwriting at Hartford Financial Services Group Inc.
He noted that criminals can now buy ransomware software on the dark web without even having to bother to develop it themselves.
While hard data on the issue is hard to find, “certainly the impact has increased,” while its incidence is higher as well, increasing dramatically last year and perhaps accelerating even faster this year, said Thomas Fuhrman, Washingtonbased global leader of cyber security consulting and advisory services at Marsh Risk Consulting.
“We’ve seen a significant increase” in ransomware in the past 12 months, particularly in the small and medium-size enterprise and middle-market space, said Kimberly Horn, New York-based global focus group leader for Beazley P.L.C.’s breach response and information security claims. These small to midsize companies “don’t necessarily have the same resources as Fortune 500 companies to invest” in data security and are also limited in their ability to have robust procedures to back up their data, she said.
“The effects of ransomware have evolved,” said Dan Twersky, New York-based claims advocate and cyber claims leader for FINEX North America with Willis Towers Watson P.L.C. The “big issues” initially concerned whether the ransomware should be paid, he said.
Now, its impact on firms’ business operations has “really become the primary concern,” he said.
Paying ransomware “is not particularly effective,” Mr. Fuhrman said. Organizations should focus on prevention, he said.
“The only real way to restore data is to go to backups.” Those who do not have backups “are in trouble,” he said.
Willis Towers Watson has no hard and fast rule as to whether ransomware should be paid, Mr. Twersky said. “We’ve taken the position that each incident and each attack warrants its own unique analysis,” he said, with relevant factors including whether the data has been compromised or encrypted, whether there is a decryption key available and whether there is a backup.
“Many of our clients who have suffered ransomware attacks had excellent backup systems in place, and good IT personnel were able to isolate and disable the affected machines,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C.
But for firms without backups and property protections, ransomware “can cripple your company, and often the ransomware demands are not that big, so for the cost of paying the demand,” it may be worth it if companies can get their systems back, Mr. Born said.
“If it’s the difference between insolvency and continuing your business for an additional $300, it’s probably an easy choice for most,” said Joshua Gold, a shareholder with Anderson Kill P.C. in New York.
Robert Horn, associate director at Crystal & Company in New York, said in one case a 911 dispatching firm that fell victim to ransomware “didn’t think they had the opportunity to negotiate with hackers” and paid the roughly $44,000 demanded in ransomware.
Meanwhile, observers warn that the malware that carries the ransomware may include other insidious software, including the installation of “back doors” that give crooks easy future access into computer systems.
There is also the danger of computers becoming botnets, or part of a remote-controlled network of compromised computers that become “zombies” used to spread malware to other computers.
Data retrieved by criminals through ransomware may also be sold to others on the web, say experts.