Both the federal government and private organizations warn of a coming storm of escalating ransomware attacks that threaten companies in the U.S. and abroad.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) declared that the rise in ransomware attacks in 2019 was close to qualifying as a "large-scale cyber event." In an August 2019 publication, the CISA stated that ransomware "has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks."
Meanwhile, "Forrester's Guide to Paying Ransomware," released in June 2019, reported that the rise in ransomware attacks increased 500% over the prior year and estimated that the attacks will cost businesses $11.5 billion in 2019 alone.
Enterprise leaders need to see such reports as a warning -- and a call to action.
"More people should be alarmed," said Candy Alexander, president of the Information Systems Security Association (ISSA). "The malicious actors have found ransomware to be quite effective, so why wouldn't it continue to escalate?"
The ransomware attacks that hit the state of Louisiana this past summer illustrate the growing threat.
Louisiana Gov. John Bel Edwards declared a state of emergency in July after ransomware hit five school districts in the state, shutting down phones and locking up systems and data. The government and private industry security leaders quickly organized to contain the attacks by drawing on plans that state leaders had been drafting over the past two years, said retired Army Col. Kenneth Donnelly, executive director for the Louisiana Cybersecurity Commission and cybersecurity manager for the Louisiana Military Department.
Louisiana officials helped restore the school district systems. Their fast action prevented seven additional school districts from being crippled by the ransomware attack. Donnelly said an additional 30,000 students in 40 schools could have been impacted had those seven districts fell victim.
Donnelly and others said attacks that aim to hit multiple targets and inflict widespread disruption are on the rise.
"The bad actors are invested in staying ahead of everyone else," Donnelly said. "It doesn't matter if you're big or small; we're all at risk of being hit by ransomware."
A 2019 report issued from the Cyber Risk Management project, a public-private initiative to assess cyber-risks, predicted that a large-scale ransomware attack would cost the global economy $193 billion and impact more than 600,000 businesses worldwide.
Compromises are now 'commoditized'
Experts said the success of past attacks -- when victims paid the ransom so hackers unlock the compromised files -- has emboldened the bad actors.
"They've commoditized the compromise. That's precisely what ransomware does," said Josh Zelonis, principal analyst with Forrester Research. "Now, adversaries are pulling seven-figure ransoms, and that gets the attention of sophisticated actors."
Moreover, he said, the bad actors have learned to "attack at scale," stressing that the volume and scope of attacks are likely to escalate.
Candy AlexanderPresident, ISSA
Given such expectations, Zelonis and others advise organizations to beef up their security postures now so they don't become easy targets for ransomware attacks in the future.
"We all need to be constantly growing to best defend ourselves, our companies and -- I would argue most importantly -- the end users we're here to protect and provide services to," Zelonis said. "But there will always be organizations that are not doing best practices and are leaving themselves exposed. Those organizations are the ones that are most likely to be hit."
Organizations must follow all the latest security best practices in response to the rise in ransomware attacks. This includes rigorous patch management and user education programs to help prevent users from falling for phishing scams -- a common way for ransomware to get into an organization's system, Alexander said.
They should also establish and follow a strong data governance program to help ensure data is protected against possible ransomware and other types of attacks, she said.
Critical systems and data must be backed up, with those backups stored offline, so they can restore systems and return to business without paying ransom -- something Alexander cautioned against.
"There's no evidence you'll get the data they locked up back if you pay the ransom, and if you do, then you proved them right, and they'll be back to do it again," Alexander said. Organizations should only pay ransom in the most critical circumstances, such as when patient medical records are at stake, she added.
CISA works to raise awareness among public and private sector entities of the issue and offers resources advising how they can avoid falling victim to ransomware, said Bradford Willke, acting assistant director for stakeholder engagement at CISA.
"[CISA], the federal government's lead civilian cybersecurity agency, has a number of resources to help state, local, tribal and territorial governments defend against the growing threat of ransomware," Scott McConnell, press secretary at CISA, said in a prepared statement. "This includes exchanging the latest threat information, providing technical services and expertise, and supporting incident response."
Experts said enterprise leaders should determine whether they should have cyberinsurance, which could help pay for recovery -- if not a ransom itself -- and have a plan in place for what they'd do if they do fall victim to a ransomware attack.
"Understand how, if this happens, how you can keep your company in business," Zelonis said. "Sometimes, you can't stop the worst from happening, so you should then have a plan on how to move forward."