After Verizon issued a report saying that ransomware is now the most popular form of malware, TechRepublic editor Bill Detwiler and ZDNet editor Larry Dignan got together with Dan Patterson to discuss whether organizations should consider the quick fix of paying ransoms, or focus more on long-term solutions.
Watch the video above, or read the full transcript of their conversation:
Patterson: Atlanta is still reeling from a massive cyberattack, and the reality is that most businesses, large and small, will have to contend with ransomware at one point or another... Larry, this is a Verizon report that talks about the extent to which ransomware is in the market. But I understand, from what you've researched, that actual malware is on the decline.
Dignan: Yeah. So the Verizon data breach investigative report or investigations report ... what's interesting there, is they found malware is actually going down a bit. But ransomware is on the rise. So basically, ransomware was found in 39% of all the malware-related data breaches. And that's double from the previous year. So what we've seeing is, we're seeing ransomware sort of ramp, and malware, overall, kind of go down and that's partially because cyber criminals are basically being much more targeted about it. So they're targeting HR departments, cities.
They're targeting more the who than the how many. So they're getting much more focused and much more efficient about what they're doing. And ransomware plays into that, because the beauty of ransomware is you can make money by just withholding data, or just holding it ransom, as opposed to actually going in there, and doing all the work and sneaking it out. I mean, in a lot ways, ransomware is just an easier way to get paid. So, that's sort of ... but we're seeing that spike, and that's what Verizon has found and they've analyzed more than 53,000 incidents in the last year. So this report's getting bigger and bigger, but it's a pretty good overview of ransomware, and where things are going.
Patterson: Bill, when you talk to companies, is there any indication of the cost of disruption to business that ransomware could cost? Not just the cost of the ransomware itself, but all that downtime.
Detwiler: Oh, it can be in the millions, and especially if you take a situation like Atlanta. If you take some of the National Health Service hospitals that were hit in the UK last year, it's a significant impact on not just the bottom line, but also on reputation. Also on the customers, the citizens, the patients that you're serving. So this can have real-world impact beyond just a computer being down or not being able to access a web portal or not being able to pay your traffic tickets online.
There are significant and real world impacts caused by ransomware and that's what the perpetrators, that's what the attackers know. They understand that these have significant costs and often the amounts of the ransom are fairly low. I think the report stating the Atlanta attack that they were asking for just over $50,000 in bitcoin. And so what you have is ... would you rather have millions of dollars, weeks of downtime, thousands of hours of IT staff and law enforcement, and your just regular city staff trying to overcome this? Or would you rather pay what's an insignificant amount of money in the grander budget, to have things back up and running quickly?
So it has a significant impact on companies and a lot of time, that's why ransomware is so successful, is because they're asking ... the cost is so great versus just paying the ransom. Now, most law enforcement agencies recommend that companies do not pay this ransom, because, then again, it just further perpetuates ransomware attacks. But at the same time, most of these organizations are driven by expediency or dollars and cents. So to them, they're only interested in, "Hey look, I need to get the systems back up and running as quickly as possible to avoid a more serious problem."
SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
Dignan: I think that what we're going to find is that, the whole ransomware thing, it's going to work really well. Well it's actually going be ... so there's going to be basically two ways to handle this. If you're an enterprise and the price is 50K to get all your data back, so you can actually function, just pay the money and go. Not a great precedent to set, but you can kind of get the economics. If you're a city like Atlanta, you probably don't have a $50,000 slush-fund laying around. Or you may but it's probably hidden. It's a whole thing.
So you can't go to the taxpayers or your residents, and go, "Hey we need more money because we need a slush fund to pay off people because our infrastructure's insecure." So I think when you see this ... You know, ransomware is probably going to be a larger headache for, like we've seen with Atlanta. But I think a lot of cities, a lot of government agencies, it's just harder to pull off. Because you don't have that money that you can just kind of snap your fingers and go with.
Patterson: We have policies that they won't and can't, pay extortion fees, and this is pretty common with anything that is funded by a taxpayer. So I'll ask you both, it sounds like this is probably a rhetorical question, but with ransomware becoming a commodity, it is easily purchasable and deployable through the dark web, what does the future, the short term, the next six, 12, 18 months look like for businesses and ransomware? Is this just is this just a fact, a part of doing business?
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
Dignan: Well, I don't know if it will be a part of doing business. I think what you're going to see is what you see with every big threat. You see vendors come out with this great big fix. I mean you Google ransomware right now, it's nothing but ads about people trying to, vendors trying to help you with ransomware. I think if you're a city or a government agency, you need to get your security crap together because you just can't ... you got to button things down and I don't think the security has been dedicated over time. So I think it's almost ... I mean this goes for enterprises too, obviously. But yeah, I just think we're going to see more of this. The economics are there. The technology's there. It's not hard to scale. It's just a better way of cybercrime.
Patterson: Bill, where can we go to learn more about policy manuals, advice, tips and tricks, cheat sheets, on how companies can respond to and prepare for ransomware attacks.
Detwiler: So definitely check out ZDNet and TechRepublic for all the latest news, the latest analysis on ransomware attacks. And then check out our premium-content site Tech Pro Research, where we have original research on security on everything from IoT to ransomware attacks and to cyber-warfare, and of course free downloadable policy templates for registered members that can help you craft a good ransomware, a cybersecurity policy.
- Ransomware: A cheat sheet for professionals (TechRepublic)
- Only 26% of US companies that paid ransomware attackers had files unlocked (TechRepublic)
- Ransomware reigns supreme in 2018, as phishing attacks continue to trick employees (TechRepublic)
- A new email attack could infect you with ransomware and steal your passwords (TechRepublic)
- The ransomware debate: Should you pay to get your data back? (TechRepublic)
- US hospital pays $55,000 to hackers after ransomware attack (ZDNet)
- This ransomware asks victims to name their own price to get their files back (ZDNet)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.