When data is being held hostage: Ransomware attacks on the rise

March 1, 2023

Sheena Jacob, Partner and Head of Privacy & Technology at CMS Singapore
Dr Fiona Savary, Senior Associate IT, Technology and Data Protection at CMS Germany


Critical infrastructure, businesses, and government entities are facing growing cyber threats – to the point where it has become a question of “when” rather than “if” they are attacked. The numbers are staggering. In 2021, 57% experienced an increase in the volume of cyberattacks overall, 59% saw the complexity of attacks increase, and 53% said the impact of attacks had increased.1 While cyber threats can take on many forms, so-called ransomware attacks have seen a particularly steep increase. While some variations exist, ransomware is a type of malware that typically encrypts a business’s data and threatens to permanently block access to it and/or post the data publicly, in an attempt to pressure victims into paying a ransom.

According to various reports for 2022, there has been a sharp increase in ransomware attacks compared to previous years. Sophos reports that 66% of organizations were hit by ransomware in 2021, up from 37% in 2020.2 Similarly, a Cybereason report shows that 73% of respondents said their organization had been the target of at least one ransomware attack over the past 24 months, an increase of 33% percent from the 2021 survey.3

Ransomware-as-a-Service – a lucrative business model

One of the driving factors behind this significant rise in ransomware attacks lies in their resounding success. Ransomware attacks have long been established as a business model, with the growing success of the Ransomware-as-a-Service model making the use of ransomware more accessible by reducing the skill level required to deploy an attack.4

According to the latest Sophos study, average ransom payments have increased considerably over the last year. During the course of 2021, the proportion of victims paying ransoms of USD 1 million or more almost tripled, up from 4% in 2020 to 11% in 2021. During the same period, the percentage paying less than USD 10,000 dropped from 34% to 21%. Overall, in 2021 ransom payments averaged USD 812,360, almost five times the 2020 average ransom payment.5 At least in part, this is due to ransomware attacks becoming increasingly sophisticated. For example, attackers are becoming more successful at encrypting data in their attacks: in 2021 their encryption success rate was 65%, up from 54% in 2020.6

Hitting where it hurts – increasing cyber attacks on governmental organizations and critical infrastructure

During the last couple of years, partly driven by the COVID pandemic, digital transformation has accelerated not only in businesses, but also with respect to critical infrastructure, such as water and energy supply, transportation systems and digital communications infrastructure. As physical critical infrastructure is increasingly digitalized and digital communications infrastructure becomes increasingly critical, the threat of cyber attacks, in particular ransomware attacks, has become more prevalent. In many countries, targeted ransomware attacks on governmental organizations are on the rise. Just looking at recent news gives a glimpse into how widespread such ransomware attacks are, both in geographical terms and with respect to the affected sectors: from the University of Duisburg-Essen in Germany to the Queensland University of Technology in Australia, from a major hospital in Toronto, Canada, to a hospital in Louisiana in the USA – all of them were affected by ransomware attacks in recent days and weeks and are still struggling to resume normal operations. Other providers of critical infrastructure, such as the transportation provider Bay Area Rapid Transit in San Francisco, USA, have also recently fallen victim to ransomware attacks.

Digital warfare: Russia’s attack on Ukraine does not stop at the trenches

While some of the horrors of Russia’s attack on Ukraine’s infrastructure are very much of a physical nature (attacks on bridges, roads, railway and other transportation infrastructure; attacks on residential buildings; attacks on electricity infrastructure, water plants and even nuclear facilities; trenches reminiscent of World Wars I and II), there is also a digital dimension to Russia’s warfare. In the first few months of the war alone, Microsoft observed threat actors associated with the Russian military launching multiple waves of destructive cyberattacks against almost 50 different Ukrainian agencies and enterprises.7 These attacks were aimed at paralyzing Ukrainian government agencies.

Apart from governmental organizations, other priority targets included the information technology, media, communications and transportation sectors.8

However, Russia’s cyber warfare is by no means limited to Ukraine. As an example, in Australia over the last few months there have been two well-publicized attacks on a major telecom provider and a major health insurer by what some media reported to be REvil or its affiliates, a Ransomware-as-a-Service operation with strong ties to Russia. In both instances, a relatively minor ransom was demanded, and refused as a matter of policy by the Australian government. More than ten million clients were then left to their own devices to sort out the damage and the risks, and to bear the cost, with their personal and sometimes sensitive data sold on the dark web. Unfortunately, this is by no means an unusual occurrence these days.

Multidimensional financial impact

Being hit by ransomware can be very expensive for any business (or governmental organization, for that matter). The majority of organizations that reported losses from a ransomware attack had suffered combined losses between USD 1 million and 10 million.9 Interestingly, the ransom itself – if paid at all – typically represents only a fraction of the overall costs, which include:

  • Disruption or even interruption of business operations
  • Penalties from supervisory authorities
  • Reputational damage
  • Class action (e.g., by affected data subjects)
  • Legal action by contractual partners (contractual penalties, claims for damages etc.)
  • Costs of restoring IT infrastructure and business operations
  • Loss of valuable IP/know-how
  • Ransom fee.

Sophos reports that, overall, the average cost to an organization to rectify the impact of their most recent ransomware attack in 2021 was USD 1.4M.10 Compared to the average cost of a ransomware attack in 2020, there was a noticeable drop which likely reflects that, as ransomware has become more prevalent, the reputational damage of an attack has lessened. Additionally, by swiftly and effectively guiding victims through the incident response process, insurance providers and internal response teams have helped to reduce the remediation cost. Even with this reported reduction in the financial impact, more than a third of organizations were forced to lay off employees following a ransomware attack.11

To pay or not to pay

In weighing its options, an organization which has fallen victim to a ransomware attack should carefully consider various aspects:

  • Paying the ransom might not be legal in some jurisdictions (e.g., the Australian Government has indicated it is considering making extortion payments a criminal offence as part of its cyber strategy). Even if payment of a ransom is not illegal per se, doing so may involve payments to sanctioned individuals or parties.
  • Paying the ransom might result in even more attacks: of the 28% of respondents who paid the ransom, 80% were hit again with a second ransomware attack, and for 68% that second hit came within a month and demanded a higher ransom.12
  • Paying the ransom might not lead to the desired outcome: 92% of companies that paid the ransom did not get all their data restored.13
  • Whether or not the ransom should be paid should be discussed with the insurance company (if there is a cyber insurance policy in place which covers ransomware attacks).

How to minimize the risk of a cyber attack

A cyber attack is difficult to prevent but it is possible for a company to take steps to make itself a less attractive target.

  • Ensure you maintain industry-standard security. This goes without saying and is the minimum step that must be taken.
  • Educate and train your workforce. Most incidents occur because of employee missteps. Employees who fail to understand the rationale for processes will fail to comply or break the rules often leading to serious consequences. Training should not be a “Tick the Box” exercise but one that gives every employee a good grasp of the problem and the understanding of the part they play in cyber security.
  • Manage and audit third-party vendors. They remain one of the largest risk areas for a business because there is less control over the systems they manage. Ensure that your business has a proper understanding of their systems and that they maintain the same industry-standard security as you do. Otherwise, you are inviting an attack through the vendor into your systems.
  • Minimize the data you retain and manage. The less sensitive and confidential information you retain, the less likely that you will be targeted.
  • Prepare for attacks. Conduct exercises to ensure everyone in the company is aware of and knows how to respond. Of the organizations that suffered a ransomware attack in the last 24 months, 63% reported that the attackers were in their networks for up to six months before being detected.14

How to respond

  • Take action immediately. Immediate action is not only legally required but it is also critical to minimize the effects of a cyber attack and to minimize loss and damage.
  • Follow your cyber incident response plan. This is not the time for creative thinking or stalling in the hope this will be over. Follow the procedures and ensure a specialized, interdisciplinary team works closely together to manage the incident.
  • Notify the relevant stakeholders. Management must be notified immediately. Cyber insurance providers must be notified and legal notifications may be required.
  • Remediate. Take urgent action to minimize the damage to unaffected systems and to prevent further issues. Assume that the threat actor is in your system and communicate outside of your systems to ensure they are not following your every move.

Government response

Governments recognize that cyber attacks are a serious threat to national security and that ransomware attacks need to be monitored across industries.

  • Governments have begun to require notifications for ransom payments in some countries to ensure they are informed of a cyber attack and can issue warnings to security leaders.
  • Centralized cybersecurity agencies such as ENISA and CISA are trying to provide an improved national or regional response to ransomware attacks.
  • Many countries have passed laws designating certain elements of a country’s infrastructure as Critical Information Infrastructure (CII). CII operators in sectors such as energy, banking, transport, defence and healthcare are legally required to meet higher security standards and notify regulators of cyber incidents.

Takeaways for Businesses / Outlook

  • Be prepared. Most businesses will suffer a cyber attack. Plan your response.
  • Be effective in the event of an attack. Ensure the team is responsive.
  • Consider the cost. Ransomware will cost its targets USD 265 billion by 2031.
  • Download the CMS Breach Assistant from the Apple or Android app store – the ultimate guide to your immediate next steps and notification procedures in the event of a breach.

1 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf.
2 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf.
3 Cybereason, Ransomware: The True Cost to Business 2022, available under https://www.cybereason.com/ransomware-the-true-cost-to-business-2022.
4 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf; Microsoft, Microsoft Digital Defense Report 2022, available under https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv?culture=en-us&country=us.
5 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf.
6 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf.
7 Microsoft, Microsoft Digital Defense Report 2022, available under https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv?culture=en-us&country=us.
8 Microsoft, Microsoft Digital Defense Report 2022, available under https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bUvv?culture=en-us&country=us.
9 Cybereason, Ransomware: The True Cost to Business 2022, available under https://www.cybereason.com/ransomware-the-true-cost-to-business-2022.
10 Sophos, The State of Ransomware 2022, April 2022, available under https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf.
11 Cybereason, Ransomware: The True Cost to Business 2022, available under https://www.cybereason.com/ransomware-the-true-cost-to-business-2022.

12 Cybereason, Ransomware: The True Cost to Business 2022, available under https://www.cybereason.com/ransomware-the-true-cost-to-business-2022.
13 Deloitte, Cyber Security Landscape 2022, available under https://www.theiia.org/globalassets/documents/chapters-and-affiliates/north-america/united-states/georgia/atlanta/cyber-threat-landscape-2022.pdf.
14 Cybereason, Ransomware: The True Cost to Business 2022, available under https://www.cybereason.com/ransomware-the-true-cost-to-business-2022.


Sheena Jacob is a leading privacy and cybersecurity lawyer in Asia Pacific. She heads the CMS Privacy & Cybersecurity practice in Southeast Asia and is a thought leader on issues relating to technology. She works closely with clients to manage their privacy and cybersecurity compliance across the Asia Pacific region and conducts training exercises with business executives to prepare for cyber incidents. She leads a team that handles cyber incidents across various industries and is adept at managing the various stakeholders during the various stages of a cyber attack. Clients rely on her significant experience and sound judgment to guide them through these challenging situations. She assists clients with dealing with the cyber insurer, working with the digital forensics teams, the internal IT security team, managing legal notifications to regulators and to customers and employees.

Sheena has more than 25 years of international experience and is ranked as one of Asia’s Top 50 TMT Lawyers by Asian Legal Business, Top 20 Women in Cybersecurity Singapore, a Women in Business Law Expert in Privacy and Data Protection, ranked in Who’s Who Legal and Asialaw as a Leading Lawyer. She holds two certifications in privacy from the IAPP, CIPP(A) and CIPM, and is qualified to practice in New York, England & Wales and Singapore.


Dr Fiona Savary is a senior associate at CMS Germany in Munich. She specializes in all legal aspects of information technology and digitalization, assisting clients with the planning and implementation of IT projects as well as e-commerce matters. She also advises on data protection law and the legally sound structuring of internet platforms.

Fiona joined CMS in 2019. She is admitted as a lawyer in Germany and Switzerland. During her PhD studies at the University of St. Gallen she spent time researching at Harvard University’s Berkman Klein Center for Internet and Society. She wrote her PhD thesis on the subject of “Regulation of Dominant Internet Platforms – Characteristics, Challenges and Approaches in the Light of Economics, Innovation and Law”.