Search for a report, a publication, an expert...
Institut Montaigne features a platform of Expressions dedicated to debate and current affairs. The platform provides a space for decryption and dialogue to encourage discussion and the emergence of new voices.

Cybercrime - Ransomware: Number One Cyber Threat

Cybercrime - Ransomware: Number One Cyber Threat
 Gérôme Billois
Partner, Cybersecurity and Digital Trust at Wavestone
 Marwan Lahoud
Partner, Messier & associés

A ransomware is a software which blocks information systems pending a ransom. It has become the primary threat in the cybersecurity field. Ransomware attacks have a serious impact on companies and often allow cybercriminals to pocket tens if not hundreds of millions of euros in ransom payments. These attacks succeed for two reasons: the high profitability of operations and the perpetrators’ virtual impunity. 

Following the publication of our report, Cyberthreat: Storm Warning (Cybermenace: avis de tempête), we are publishing a series of articles expanding on this cyberthreat. Our goal within the task force has been to assess what actions need to be taken by all public and private players in order to reduce the profitability, frequency and impact of these attacks. This first article explains what ransomware is.

Ransomware: a historical threat newly in the limelight

Of all the cybersecurity threats affecting companies, ransomware was the most common threat occurring in 2020 - it also had the highest impact on victims’ production, reputation and finances. Thus, ransomware attacks deserve our special attention today, perhaps more so than other types of attacks; although others should not be overlooked, cyber espionage recently uncovered in the United States being a case in point.

Despite emerging in the late 1980s, the first waves of massive attacks really only date back to the early 2010s. Cybercriminals benefited from crypto-currencies becoming more mainstream, which was especially useful when it came to maintaining their anonymity when receiving payments. These attacks were initially aimed at the general public, with requests for small amounts - averaging a few hundred dollars per blocked computer - and didn’t require interaction with the victims. They subsequently evolved to target businesses and increased the amount of each ransom demand.

To carry out their attacks, cybercriminals generally follow the same steps: first, intrusion into the victim's information system via email bombs, flaws in websites or remote access systems; then, once in the target's network, propagation and installation with the aim of taking control of the information system (IS), stealing data and planning a complete system lockdown. According to a Wavestone study published in October 2020, it takes an average of 29 days from the first intrusion to the launch of the attack which blocks the IS.

While 2019-2020 saw the threat grow, will 2021 mark a shift?

Cybercriminals benefited from crypto-currencies, which was especially useful when it came to maintaining their anonymity.

Since the end of 2019 and the emergence of the Maze criminal group, ransomware attacks coupled with data theft and blackmail to ensure non-disclosure are commonplace and have given rise to direct negotiations between the attacker and the victim. This type of attack is now widespread: in its report on the threat posed by ransomware in France in 2020, the French National Agency for Information Systems Security (Anssi) registered a 255% increase in reported attacks compared with 2019.

These attacks have had many targets. They have been aimed at large groups in particular, but smaller structures have also been targeted. However, while only assaults on local authorities or hospitals have received media coverage, numerous other attacks have targeted all sectors. These attacks were predominantly opportunistic in nature, nevertheless some were planned specifically to guarantee the payment of a ransom. Cybercriminals choose their targets based on the assailed company’s solvency, its operational status or the fragility of its information systems.

Increasingly, profits generated by these attacks and the feeling of impunity - due to the authorities’ limited ability to punish cybercriminals - have led to the emergence of a real ransomware ecosystem within cybercrime (the next article will address the details of this ecosystem).

It should be noted that, in early 2021, law enforcement operations destabilized this ecosystem by dismantling and arresting well-established groups (e.g., Emotet and Netwalker), and by conducting targeted operations on users of these attack systems (e.g., those that hit Egregor). These operations are crucial: they have had a direct (and major) impact on the groups involved, as well as a deterrent effect on others. After Netwalker was dismantled, Ziggy and Fonix announced they were ceasing their cybercriminal activities. Despite this very promising development, dozens of platforms could replace them, and the medium-term effects remain uncertain.

Increasingly motivated cybercriminals are ever more innovative when it comes to securing ransom payments

In response to the increasing number of attacks, companies have taken protective measures that make it more difficult for cybercriminals to do business. Efficient IS backups and rebuilding strategies make blocking systems less vulnerable to ransomware. This is especially the case for large companies, though smaller ones often remain highly vulnerable.

Cybercriminals are now turning to increasingly sophisticated strategies to force companies to pay. For instance, the cybercriminal group behind the Ragnar Locker malware advertised its attack on Campari via Facebook, using a hacked account and sponsored content. In a data theft involving nearly 40,000 patients of a psychiatric clinic in Finland, the attacker demanded a ransom not only from the institution, but also €200 from each individual patient to prevent him from disclosing their personal information. Even more surprisingly, according to the FBI, in 2020 some groups called ransomware victims to urge them to pay a ransom by threatening them personally.

Cybercriminals are now turning to increasingly sophisticated strategies to force companies to pay.

Beyond the increasingly unrelenting ransom demands, the means used to penetrate information systems are also becoming more sophisticated. For instance, hackers tried to bribe a Tesla employee with $1million to introduce malware into the company's computer network. With funds amassed from previous attacks, cybercriminals can increase their assault capabilities and access financial resources usually only available to groups with ties to a State.

These last examples illustrate the importance of attack profitability for cybercriminals. One of the reasons why ransomware is the frontrunner in cyberattacks is that, even today, many companies pay to get a decryption key - if one exists. This encourages cybercriminals to persevere. 

Still it should be said that paying the ransom will not resolve the crisis swiftly. Indeed, even if the cybercriminals keep their promise and deliver a functional data decryption tool, it will need to be applied to the entire information system, which will then have to be secured to avoid a new intrusion (by the same culprits or others). Only after this could one progressively restart all services and ensure their proper functioning. As for stolen data, there is no way to ensure that it has actually been deleted. Measures will need to be taken to warn affected customers, entities or employees. Field observations show that the impact and duration of the crisis are almost identical for companies that have paid a ransom and for those that have not. Lastly, ransom payments can lead to legal problems, especially following the latest decisions by the United States to make some of these payments illegal.

A series of crises for companies

Given cybercriminal practices and the number of attacks, losses related to cyberattacks are piling up and represent major risks for companies - as seen in the recent attacks on Altran and Sopra Steria. The companies reported losing €20 million and €50 million respectively. In 2017, Saint-Gobain announced a €250 million loss following the attack it suffered.

These assaulted companies suffer successive shocks, like an earthquake. Three days of bewilderment during which the company is disoriented because it is unable to work or communicate without its information system. Then come three weeks of intense crisis, during which the company must rebuild its system and work with partial IT resources. Finally, it takes at least three months to consolidate and resume regular activity. Sometimes this final phase can last several years, especially when there are legal proceedings if personal data has been stolen.

These assaulted companies suffer successive shocks, like an earthquake.

A cyber crisis brings about various expenses in many areas and at different stages. The main financial issues tied to the first wave come from the halt in operations due to the system shutdown, the costs of crisis management (external expertise, specific employee mobilization, hardware, software...), communication and commercial management (internal communication, or communication with the authorities, customers, the general public…).

In the following months, these crisis management costs turn into disorganization costs (e.g., because of the loss of efficiency due to non-functional systems, faulty internal processes, dissatisfied customers, and then the costs of rebuilding and securing the information system).

In some cases - especially in regulated sectors or if personal data has been affected - this can incur significant legal costs. Recently, British Airways was fined £20 million following an attack on its website. Initially, the fine amounted to hundreds of millions of pounds, but it was reduced and applied two years after the incident occurred, generating very negative press.

The impact of an attack on the company’s image varies on a case by case basis, even though the internal consequences are considerable. Generally speaking, the company's attitude during the crisis is decisive. 

The next article in this series focuses on the ransomware ecosystem and on how to hinder cybercrime profitability.


Receive Institut Montaigne’s monthly newsletter in English