The Escalating Cost of Ransomware

By Hubert Yoshida posted 07-07-2021 19:57

The average cost of a ransomware incident as reported by used to be 
  • 2018 – $4,300
  • 2019 – $5,900
  • 2020 – $8,100

This was mostly targeting small businesses.

In 2021 this took a dramatic turn.

On May 7, 2021, a cyberattack on the U.S.’s largest fuel pipeline, Colonial Pipeline, forced a shutdown that triggered a spike in gas prices and shortages in parts of the Southeast. The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive officer came to a difficult conclusion: He had to pay. He authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.

On Sunday, May 30, technology staff members at JBS, the largest meat processing company in the world, noticed irregularities with the functioning of some servers. Soon they found a message demanding a ransom to reclaim access to the company’s system. JBS USA Holdings Inc. paid an $11 million ransom to cybercriminals who temporarily knocked out plants that process about one-fifth of the U.S. meat supply. The ransom payment, in bitcoin, was made to shield JBS meat plants from further disruption and to limit the potential impact on restaurants, grocery stores, and farmers that rely on JBS. Although JBS maintains secondary backups of all its data, which are encrypted, and was able to bring back operations using these backups, JBS’s technology experts cautioned the company that there was no guarantee that the hackers wouldn’t find another way to strike, and JBS’s consultants continued negotiating with the attackers.

On Friday this past weekend, July 2, we suffered the largest ransomware attack so far. Thousands of companies across all five continents were affected. Initially, companies were charged $50,000 to $5 million in exchange for a special key that would allow them to decrypt their data and resume normal operations. Later, the group responsible was willing to negotiate for $70 million to restore all the data rather than go through the drawn-out process of negotiating with each account. The group responsible is suspected by cybersecurity experts to be the Russia-based hacking group REvil—the same gang that shut down JBS in June and successfully extorted $11 million in ransom.

The reason this hack was so widespread is that they attacked the supply chain for several Managed Service Providers that were supporting many small businesses. It all started with a Miami, Florida-based IT services company called Kaseya, which provides security software for many large-scale cybersecurity contractors, which in turn sell their security services to thousands of businesses worldwide. After hackers breached Kaseya’s servers on Friday (July 2), they were able to quickly leap into at least 40 cybersecurity contractors’ systems. Since the contractors trusted their supply chain supplier, Kaseya, they installed the updates from Kaseya that contained the hack. Their customers then installed the hack into their systems and were infected. The timing, which was before a three-day 4th of July holiday in the US, meant that many of the end users did not know they were hacked until they tried to start their businesses on Tuesday. It also took advantage of the practice in many IT departments of installing system updates on long weekends to minimize the disruption to their users.

Most of the affected companies were in the US, but the cyberattack spread to other countries such as New Zealand and the UK. Swedish grocery chain Coop was forced to close 800 supermarkets when the hack knocked out its cash registers on Saturday, July 3. The Coop was able to reopen many of its stores by asking customers to use a “scan & pay” app on their smartphones to pay for their groceries.

Now that the gang has negotiated for a $70 million ransom, no word has been received as to whether that ransom will be paid. Law enforcement agencies and cybersecurity experts warn that the multi-million-dollar ransom payments have encouraged the hacking gangs’ growth and incentivized more criminals to enter the field seeking big scores. In just a few months we have seen ransoms jump from $4.4 million to $11 million, and now to $70 million. While the larger ransoms are demanded from large companies in the critical infrastructure, a supply chain hack like the one that hit Kaseya could cost hundreds of millions if it is spread across thousands of smaller companies.

Even though some companies can recover using backups, the recovery costs could vastly exceed the cost of the ransom. And in the case of JBS, even when they recovered, they still paid the ransom just in case. Although some insurance companies provide ransom protection, I don’t know how they can update the actuarial tables to keep up with the escalating ransom costs.

Ransomware has become a national threat that ranks up there with the COVID crisis. Cyber security has to be our number one priority.

1 comment



05-04-2022 11:48

Good read