This post originally appeared on Cybercrime Magazine, June 3, 2021.
A 2017 report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion (USD) in 2017, up from $325 million in 2015 — a 15X increase in just two years. The damages for 2018 were predicted to reach $8 billion, for 2019 the figure was $11.5 billion, and in 2021 it’s $20 billion — which is 57X more than it was in 2015.
Despite authorities’ recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra — cut off one head and several appear in its place — and all signs are that the coming decade will be no less problematic.
Ransomware will cost its victims around $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over the next 10 years.
That represents a significant acceleration from recent years, when scattershot ransomware was building momentum and extracting money from a largely unaware world.
The FBI’s Internet Crime Complaint Center (IC3) pegged ransomware losses at $29.1 million last year, with its latest Internet Crime Report showing 2,474 formal complaints about ransomware were lodged through the organization last year alone. The losses are limited to ransom payouts and do not include other costs in connection to the cyberattacks.
The true number of payouts is guaranteed to be several orders of magnitude larger — the Internet Crime Report figures “are only the people that cared enough to report it,” cybersecurity expert Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, recently told Cybercrime Magazine, noting that for most people there is little value in reporting ransomware and other attacks because “there’s no benefit other than data collection” for the FBI.
Painting a portrait of ransomware over the next decade, then, requires extrapolating from the figures that are currently available, charting the impact of increasingly capable ransomware extortionists, and expecting that things will get much worse before they get better — assuming that they ever can.
A clear and present danger
Despite the recent retirement of several dominant ransomware gangs — authorities shut down the Egregor group, while the seemingly repentant Ziggy gang offered refunds to some of its victims and Babuk shut down but released its malware as open source — new groups are appearing in their place at breakneck pace.
Ransomware in its current state is a nightmare for businesses of all industries and all sizes, who are being successfully breached every day as users click on that one malicious email or URL that slipped through corporate defenses.
Business surveys report ransomware attacks to be nearly ubiquitous already: 61 percent of businesses reported being hit by ransomware last year and suffered an average of six days’ downtime, according to one recent study.
Another survey pegged the number at 37 percent, down from 51 percent the year before — but noted that the financial impact of the attacks increased from $761,106 to $1.85 million this year. Comparing this to the cost several years ago, it’s clear that ransomware extortionists are targeting larger companies, with bigger exposure and deeper pockets — and that their increasing demands are unlikely to abate any time soon.
This important observation reflects a concerning trend that is certain to continue over the next decade, as ransomware extortionists move on from basic lock-your-computer-until-you-pay attacks — which have been commoditized through the prevalence of ransomware-as-a-service (RaaS) offerings — to multi-pronged attacks in which ransomware is only the beginning of a longer, more expensive conversation.
The first major transition towards this new state of operation came last year, when so-called “double extortion” attacks saw ransomware not only encrypting data in situ, but exfiltrating it to the criminals — who blackmail their victims with the threat of having that data made publicly available if they don’t pay up.
Data exfiltration jumped 20 percent during the last quarter, according to one estimate, with 70 percent of ransomware attacks now involving a threat to leak the data exfiltrated by the ransomware. This was up 43 percent from the previous quarter — confirming that the threat of data exfiltration has rapidly become part of the new ransomware normal.
This trend is not only a favored tactic for ransomware artists, but a way that they are buffering themselves from being rendered irrelevant by companies that are slowly getting a grasp on how to fight back against file-encryption ransomware — for example, continuous data backup strategies and ransomware-aware backup tools that can detect encryption activities and automatically restore affected files.
Cat, meet mouse
Yet even as companies build anti-ransomware defenses, malware authors — who have the dual advantages of time and scale on their side — are guaranteed to get craftier over the next decade as a rapidly expanding ecosystem of devices, better-understood vulnerabilities in legacy systems and increasingly tense political-economic relationships bring ransomware to a completely new level.
Internet of Things (IoT) devices are pouring onto consumer, business, healthcare, and industrial networks at breakneck pace — IDC has predicted that IoT devices will comprise 75 percent of the 55.7 billion devices connected by 2025 — and by 2031 this number will likely have grown towards 200 billion devices.
With different vendors, code bases and dependencies, every one of those devices has its own possible vectors for attack — providing fertile hunting grounds for a growing army of white-hat and black-hat researchers who will continue to discover, publish and exchange these with impunity.
The prevalence of IoT devices has opened up worrying new avenues for ransomware attackers, who can easily adapt their malware to particular industrial sensors, healthcare monitors or dosage devices, or self-driving cars.
Imagine the repercussions if cybercriminals locked the controls of a self-driving car or bus while at speed or — as was recently demonstrated with a drone-borne attack on a Tesla — installed ransomware on moving vehicles with no physical interference necessary.
Even drones themselves, which are fast becoming the core of new aerial distribution networks, are likely to be targeted in ransomware attacks in which non-payment could see the devices dropping from the skies.
With smart-city initiatives rapidly taking hold and likely to be ubiquitous by 2031, almost every device around you will be potentially susceptible to compromise: think ransomware criminals demanding payment to avoid shutting off key road safety signs or public lighting, and you’ve got an idea of the risks that city security managers will be fighting every day by then.
While both commendable and necessary, efforts to fight ransomware by finding and closing code loopholes will continue to be a challenge over the next decade. Automated code-scanning tools offer some assistance, but much of today’s vulnerability detection still requires human ingenuity.
Current public reporting mechanisms are little more than an instruction manual for cybercriminals, who know that companies are chronically poor at systematically patching vulnerabilities even though they know they should be better at it.
This is unlikely to change in the short term, although by 2031 it’s safe to assume that the majority of corporate systems will be running from cloud-based platforms — whose highly granular full-stack architectures can more easily propagate new patches across large numbers of compute instances — reducing companies’ exposure to ransomware attack.
Cloud platforms can also support deployed applications with purpose-built tools capable of spotting and stopping ransomware’s telltale activities, and others that will leverage the cloud’s virtually unlimited data storage capacity to maintain up-to-the-second backups for easy restoration of data.
Yet even cloud-based protections aren’t a complete defense, since ransomware actors will still be targeting victims through the inevitable holes in individual application components. And while application managers would like to believe the widespread adoption of DevOps and DevSecOps methodologies will have ironed security holes out of the software development lifecycle by 2031, the reality is that new technologies are likely to perpetuate many of the same issues that we are facing today.
While ransomware authors will continue to tweak the structure and methodologies used by their malicious code, over the next decade it’s likely that ransomware will take on a completely new role as a cyber weapon used within a continuously shifting geopolitical climate.
Still-nascent rules around international cyber warfare, and the almost complete lack of sanctions for countries that attack each other online, mean the next decade will continue to be a Wild West when it comes to cyberattacks. Whether publicized or not, most countries are building national offensive cybercriminal activities — and it’s hardly a far stretch to assume that ransomware will play a strong role in their toolboxes.
This is less likely to take the form of scattershot attacks meant to devastate a target country’s businesses than to be a way for an attacking nation-state to target a particular government agency, key supplier, or private firm with mission-critical intellectual property.
Ransomware’s demonstrated effectiveness could make it a tool for gaining advantage during trade negotiations or political tensions, for example, with nation-states either hiring geographically remote third parties to ensure plausible deniability, or — as in Israel’s apparent recent attack on an Iranian nuclear reactor — making little effort to hide their role.
Recent trends suggest that cybercriminals are also more than willing to target individuals — the clients of one Finnish mental-health facility were recently individually targeted with threats to release sensitive information if they didn’t pay up — and there’s no reason to believe malevolent nation-state actors won’t embrace the same tactics to gain an upper hand.
This could see state-sanctioned ransomware gangs targeting high-profile individuals in government and business, planting ransomware that could be remotely activated to ensure the business interruption occurs at a time of crisis.
Diplomats might, for example, be targeted during tense political negotiations or business leaders threatened with exposure of personal secrets during heated takeover talks. In this way, ransomware is likely to become a favored tool of mercenary extortionists focused on money, political gain, or simply creating chaos.
Develop a ten-year plan
With so many potential vectors for attack and little motivation for ransomware attackers to exit the game, ransomware isn’t going anywhere.
Cybersecurity managers will have their hands full over the next decade, as the massive technological innovations of the past decade — cloud computing, AI, drones, autonomous vehicles — provide new vectors for attack as quickly as companies can close the old ones.
Managing the technological aspect of this vulnerability will continue to require a high degree of vigilance, but over the next few years security executives need to step up their education and training of users to ensure that the chance of a human-created ransomware infection is minimized.
This includes ongoing, company-wide education campaigns, email-scanning tools that raise alerts and initiate targeted training the second a malicious email or URL is clicked, and publicizing the impact of ransomware attacks rather than hiding it.
As far too many IT managers already know, ransomware is a real threat with very real financial, operational and prudential implications — so it needs to be treated as such with attention at every level of the business.
This means developing a comprehensive action plan that includes clear business-continuity planning as well as board-approved rules about whether to pay the ransom or not — still a subject whose contentious nature has provided fertile opportunities for ransomware criminals.
Looking back a decade from now, it would be great to be able to talk about ransomware as a scourge of the late 2010s and early 2020s — but given the many moving parts in today’s technology-driven economies, such solace is unlikely.
Staying safe over the next decade will take much the same advice as it does now: work with internal teams and key third-party suppliers to ensure that your security processes are up to scratch; retire legacy systems in favor of modern and more easily securable cloud platforms; remind users to think twice before they click.
Do whatever you can to stop ransomware — because if the trends of the past year are any indication, the world is only beginning to appreciate the magnitude of a threat that will only get worse over the next decade, and beyond.
“Ransomware is the fastest-growing cybercrime for a reason,” says Steve Morgan, founder at Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “It’s the proverbial get-rich-quick scheme in the minds of hackers.”
Cybersecurity Ventures states that ransomware costs include ransom payouts, damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.
“We hold out hope our prediction will be wrong,” adds Morgan. “For that to happen, consumers and organizations will need to stop paying ransoms — which unfortunately is easier said than done. There also needs to be massive education of employees at businesses of all sizes globally. We may even see a push to ban cryptocurrency if society believes it does more harm than good.”
InfoSystems is a trusted go-to cybersecurity partner, bringing advanced expertise to modern risks and metrics to review positioning. Our team serves as an extension of your team, whether seeking assistance with HIPAA Risk Assessments, Penetration Testing or Virtual CISO Services. Contact us to help you mitigate risk.
For over 25 years, InfoSystems has provided reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations. Headquartered in Chattanooga, TN, our trusted team of experts specializes in traditional infrastructure, IT optimization and cybersecurity services, as well as next-gen solutions such as hybrid cloud and artificial intelligence, from partners such as IBM, Dell Technologies, Red Hat, VMware and Cisco.
KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.