
The ransomware threat is clear and present. Is the Middle East ready?

No business sector is off-limits when it comes to ransomware. Experts say firms must learn to defend themselves against a mounting menace.

[Source photo: Anvita Gupta/Fast Company Middle East]

At a time rife with cat-and-mouse games of ransomware attacks, when cybercriminals have held the data of oil companies, hospitals, and water treatment plants hostage with computer code, a win against digital assailants is rare. Sometimes, these ransomware criminals, who often act as if they are striking a legitimate business deal, demand a ransom payment of millions of dollars to return the victim’s data.

Ransomware gangs run like any number of businesses worldwide, albeit with coders, researchers, and best practices to keep the group’s members hidden from law enforcement. They even offer customer service for victims and clients and, in between, test their product on a victim and fine-tune it.

According to the latest IBM report, the cost of cybersecurity incidents in the Middle East has reached a new high of $6.93 million per data breach, significantly higher than the global average cost of $4.24 million per incident. “The illicit ransomware industry is on a roll. No company is immune from a ransomware attack these days,” says Oleg Skulkin, head of Digital Forensics and Incident Response team at Group-IB.

And that’s the truth.

Last July, the world’s most valuable oil producer Saudi Aramco was hacked, and data, about one terabyte, was held by extortionists in exchange for $50 million in cryptocurrency. Hackers gained entry into the networks of the Saudi Arabian energy giant through a third-party contractor.


Showing how devastating deepfake ransomware can be, cybercriminals cloned the voice of a company director in the UAE to steal $35 million two years ago. In the Middle East, at least 50 organizations fell prey to ransomware attacks in 2021, according to Group-IB. That’s an 85% increase compared to 2020.

What’s more, ransomware has become increasingly complex, as cyber-attackers have begun employing sophisticated tactics such as double extortion, aiming to maximize their profits by repeatedly attacking the firm’s vulnerabilities.

A recent Cybereason report found that 77% of UAE organizations suffered at least one ransomware attack over the past 24 months.

And shockingly, the study found that “it doesn’t pay-to-pay” a ransom demand, as 90% of UAE organizations that paid were hit by ransomware a second time, with 78% reporting that threat actors demanded a higher ransom amount. Moreover, almost half of the organizations reported that some or all of the data was corrupted during the recovery process, underscoring why it does not pay to pay ransomware attackers.

IT’S A LUCRATIVE BUSINESS MODEL

Ransomware has developed as the main financial artery of the cybercriminal world, generating billions of dollars for the cybercriminal community. According to a recent Ransomware Uncovered 21/22 report, the ransom demand averaged $247,000 in 2021, 45% more than in 2020. According to Kaspersky, the most prolific actors from the past year have potentially received $5.2 billion in transfers over the last three years. For ransomware operators, profits could reach up to a whopping $40 million a year.

There are two main reasons behind this phenomenal growth of ransomware, says Skulkin: the increasing number of initial access brokers who sell access to companies and remove the need for ransomware operators to break into the networks on their own, and the expansion of Ransomware-as-a-Service (RaaS) affiliate programs, which are well-organized IT businesses with huge budgets, coherent structure, and incentive programs. “RaaS made it possible for even low-skilled cybercriminals to join the game to bring the victim numbers up ultimately,” Skulkin adds.

Through 2021, Iranian groups such as BlackShadow and Deus figured among the biggest ransomware users in the world, targeting both Iranian and global companies, reveals a CrowdStrike report.

The groups conduct “lock and leak” operations where the attackers lock down a system using ransomware and subsequently leak sensitive company information through their channels on the dark web.

There are many challenges for those trying to stem the tide. Gangs are anonymous, rebranding and relocating as quickly as the authorities can find them.

Increasingly, they work together to pool specialized knowledge. The “initial access” brokers connect firms good at infiltrating systems to others who are better at deploying ransomware once inside.

Kaspersky’s experts analyzed nearly 200 posts on the dark web offering to buy information for initial access to companies’ forums. The average cost for access to a big company’s systems lies between $2000 and $4000, which is relatively inexpensive compared to the potential damage it could cause targeted businesses.

Many businesses that have fallen victim to a ransomware attack face the dilemma of whether to pay the ransom. Security experts advise enterprises against paying when struck by a ransomware attack.

“While it is a difficult decision, and the need to restore business operations is a significant motivator, paying the ransom can have a number of negative implications,” says Emad Fahmy, Systems Engineering Manager, Middle East, NetScout. “In some situations, a company may face the consequences for assisting a criminal operation.

Moreover, even when businesses pay the ransom, cybercriminals often fail to supply the encryption key needed to unlock the systems. Once the bad actors have infiltrated a system, what’s to stop them from utilizing a backdoor to attack the company again and demand more ransom?

Some experts have proposed banning companies from paying ransoms, removing the incentive for such attacks.

“Businesses and lawmakers must realize ransom payments can be banned, ransomware attacks can’t be,” says Nader Baghdadi, Senior Regional Director, Middle East Sales & Strategic Partnerships for ColorTokens. “Organizations are caught in between having to digitally transform their businesses while having to safeguard them from evolving attacks. It is indeed a tough job.”

RANSOM AND REPUTATIONAL DAMAGE

These attacks harm more than the direct targets. According to Baghdadi, the real cost of ransomware attacks extends beyond ransom demands and operational repair costs. As attackers take on bigger targets, they want to create a domino effect.

Case in point: the Kaseya attack on one major vendor resulted in multiple client organizations paying the price. “Today, data from one victim is being exploited to reach its clients and/or connected stakeholder ecosystem. More importantly, a company loses its reputation and customers’ trust even after paying the ransom and/or recovering its systems. Many such costs tend to go uncalculated,” he adds.

The loss resulting from a ransomware attack can be narrowed down to the ransom and the reputational damage. “Once a successful cyberattack has targeted a company, it is its regulatory obligation to report it to the affected parties,” says Emad Fahmy, Systems Engineering Manager, Middle East, NetScout. “At the same time, the concerned company will lose confidence due to their inability to protect and ensure the safety of their customers’ data. This can cause the customers to reconsider their choice of supplier and look elsewhere, whether they were a part of the affected parties or not.”

On top of that, firms risk regulatory fines if data is leaked.

Sometimes, even coughing up a million-dollar ransom doesn’t help. In the case of Travelex, it paid a $2.3 million ransom two years after a ransomware attack, but many say its collapse may have come from the loss of trust from customers.

Restoring a brand’s reputation following a ransomware attack is difficult but not impossible, says Fahmy. For example, looking back at 2021’s infamous SolarWinds attack in the US, the incident did not drastically affect SolarWinds’ profits. “For the first quarter following the attack, the company’s profits were down 3% from the preceding quarter’s profits. However, it rebounded by about 2% during the next quarter.”

Although many organizations now have cyber insurance that offers them the option of letting the insurer pick up the tab, it has stoked criticism for potentially fuelling future attacks.

“With practically everything now available as a service, attackers have had an easier time deploying ransomware in recent years,” says Maher Yamout, Senior Security Researcher at Kaspersky. “A lot of cyber insurance companies now cover a variety of ransomware recovery expenses, including the ransom, which is probably helping to drive up ransom demands.”

However, the findings show that cyber insurance is becoming more difficult, and in the future, ransomware victims could be less eager or able to pay exorbitant ransoms. “Sadly, this is not likely to lower the likelihood of a ransomware assault overall. Cybercriminals will continue to go for the low-hanging fruit since ransomware attacks are not as resource-intensive as some other, more carefully constructed hacks,” adds Yamout.

PREVENTION IS THE KEY

The need of the hour is to proactively empower enterprises with the right tools to guard them against ransomware and other cyberattacks. “Zero trust is one such framework. Organizations must be made aware of new-age security practices and urged to follow through,” says Baghdadi.

According to Kaspersky, organizations should always update their cybersecurity software on all devices, focus their defense strategy on detecting lateral movement and data exfiltration to the internet, and pay attention to outgoing traffic to detect cybercriminals’ connections.

“Enable ransomware protection for all endpoints, and install anti-APT and EDR solutions, with capabilities for advanced threat discovery and detection, investigation, and timely remediation of incidents,” says Yamout.

“Based on our regional incident response engagements,” says Skulkin, “I can say that ransomware operators often obtain access to companies via exploiting public-facing applications, which is why having complete visibility over all corporate digital assets is important.”

Organizations must prioritize foundational cybersecurity solutions, including Privileged Access Management, Vulnerability Management, Configuration Management, and Secure Remote Access. Removing direct network access, even via VPN, takes away any opportunity for ransomware to jump from company to company through privileged access often provided for maintenance and management of systems.

“Ransomware isn’t something you can tackle. If your environment isn’t prepared for a ransomware attack, it’s highly likely to sweep through your systems before you can respond,” says Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust. “Prevention is the key to tackling ransomware.”

Experts say organizations should focus on detection and prevention strategies to end ransomware attacks at the earliest stages before critical systems and data are put in jeopardy.

No business sector is off-limits when it comes to ransomware, says Fahmy. “Cyber criminals target businesses of every size and in every domain. Comprehensive cyber-attack protection is no longer an option. It’s a necessity.”

The only solution, experts agree, is for an organization to take every precaution to defend against weaknesses that digital assailants exploit, often via individual staff members. These include targeting devices used remotely by staff, a growing trend as the pandemic led to more people working from home.

“Year after year, we see breaches that demonstrate that these basics, among others, are not being done well and, until that changes, ransomware will continue to offer a lucrative market for the attackers,” adds Chappell.

The key is being prepared.

ABOUT THE AUTHOR

Suparna Dutt D’Cunha is the Editor at Fast Company Middle East. She is interested in ideas and culture and covers stories ranging from films and food to startups and technology. She was a Forbes Asia contributor and previously worked at Gulf News and Times Of India.
