Ransomware: People Will Die

Picture: Gartner

Gartner’s security experts expect deadly attacks by 2025. Paul Proctor and Sam Olyaei explained at this year’s European IT Symposium (Nov 8 to 11) why this is almost logical. In an interview with Horst Ellermann, Publisher of CIO Magazine, Proctor named the industry which will be hit particularly hard. And he argued why paying a ransom is the worst solution of all – albeit recommended by insurance companies.

Ellermann: Paul, one of your slides says 90 percent of all ransomware attacks are preventable. How do you arrive at that 90 percent?

Proctor: Gartner analysis of clients’ ransomware preparedness shows that over 90% of ransomware attacks are preventable. By following basic security fundamentals security and risk management leaders can mitigate risk against them. Essentially, when you look at the strains used in these attacks and align them to basic security controls – one can arrive at the conclusion that these are preventable.

Ellermann: You say risk can be mitigated. It cannot be avoided?

Proctor: I like to compare ransomware to hurricanes. If you live in a hurricane region, there’s no point in staring at the weather report every day. Sooner or later one will probably hit you. And then it comes down to your investment in preparedness whether it will take you a couple of hours to clean up or devastate the organization.

Ellermann: This cleanup, can it be done faster by paying for it?

Proctor: First of all, you lose a lot of time the first time you think about paying or not paying. Organizations should think about that beforehand. And that should be a business decision, not a technical one. Ideally, you involve all stakeholders to do that.

Ellermann: You don’t really advise paying, do you?

Proctor: We do not advise paying unless it is an absolute necessity. In many countries, it’s illegal. And it doesn’t do any good: up to 80 percent of companies that have been hacked – and paid – have been hacked again afterwards.

Ellermann: Where did you get those numbers?

Proctor: This one comes from ‚Ransomware: The True Cost to Business, Cyberreason‘. But we have many sources. I can also tell you, for example, what the average amount companies paid in ransom attacks in Q2/2021 was – if they paid.

Ellermann: How high?

Proctor: $ 139,739.

Ellermann: That explains why the business is so lucrative and attracts more and more criminals.

Proctor: Fortunately, not everyone pays. In 2020, only 34 percent of (Source: 2021 The State of the Phish, Proofpoint). So two-thirds don’t pay – and that’s our recommendation, too.

Ellermann: Because of ethical considerations? Because we shouldn’t support extortionists?

Proctor: Also, but most importantly: it doesn’t do you any good. As I said, 80 percent of those who paid were hacked again afterwards – preferably through the same channels. Criminals aren’t very good at hacking. They use whatever tools they can get. And once they’ve found a gateway – and a victim willing to pay – they’ll try again.

Ellermann: But if a company is on the verge of going out of business because existentially important data is missing, isn’t it still legitimate to pay?

Proctor: Paying doesn’t give you a guarantee. Only eight percent of those who have paid have gotten their data back completely afterwards. You’re dealing with criminals.

Ellermann: How likely do you think it is that these criminals will not only encrypt data but also get access to operational technology?

Proctor: That will come. Criminals will also access OT. And then it becomes even more dangerous because they can then do mechanical damage. My colleague Sam Olyaei put it drastically: By 2025, we will have fatalities. De facto, we already have them in hospitals now. Hospitals are popular targets because they almost always have poor IT security and operational systems that have to be up and running quickly or patients will die. There’s a lot of willingness to pay in these cases.

Ellermann: I’m not sure a German hospital would even know how to pay.

Proctor: The other hospitals don’t know that either. But if they are insured against ransomware, then the insurance companies’ security experts come in and sort it out. Their favorite option is always to pay. That makes the damage easier to quantify. But these experts are gone by the time you get hacked a second time.

Ellermann: Can we actually hope that governments will do a better job of protecting us against ransomware?

Proctor: We will see more help from the government catching and punishing the threat actors. I wouldn’t count on it, though.

Ellermann: There are two other interesting numbers on your slides: 80 percent of security executives believe their organization is prepared against a ransomware attack. But only 13 percent of executives believe that. How can it be that the perception is so far apart?

Proctor: Interesting, isn’t it? I’ve been working for ten years on the question of why there is this disconnect between executives and technology leaders. Executives treat cybersecurity like magic, and security people like wizards. They give money to the wizards who cast technology spells and if the orgnaization gets hacked, they fire the wizards. This has led to some very bad investments in security.