Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:
- Swedish grocery chain Coop was forced to close over 800 stores;
- Fujifilm shut down parts of its global network, as the company has been unable to accept or process orders; and
- Grupo Fleury, a Brazilian medical diagnostic company with over 10,000 employees, disclosed that its processing systems are currently unavailable worldwide.
In the United States, security experts estimate over 200 businesses have been affected with more and more companies posting notices on their websites apologizing for a disruption in online services.
On Sunday, REvil announced on its website, Happy Blog, that it would decrypt all machines affected by its attack in exchange for a payment of $70 million in cryptocurrency. Not exactly pocket change.
Seeking a large ransomware payment in exchange for returning affected systems to normal operation is nothing new; indeed, that is the entire business model for any criminal enterprise employing ransomware. But REvil’s offer to restore all affected machines to normal operation in exchange for a single payment is novel. Rather than negotiate payment with hundreds of thousands of victims one-on-one, REvil is incentivizing victims, insurance carriers, and world governments to pool together the necessary funds to restore global business. In other words, REvil’s offer signals a potentially new trend in ransomware attacks: Hit multiple targets at once and demand a large enough ransom that no single victim can pay on its own. In short, “Go big, or go home.”
In our post “NYDFS Answers Age Old ‘To Pay the Ransom or Not Pay the Ransom’ Question with Definitive DON’T,” we explained that the decision to pay a ransomware demand is nuanced and requires victims to conduct a business-based cost-benefit analysis. But this weekend’s attack demonstrates that it is no longer just about the single victim; attackers are explicitly looking to trade with stakeholders of the society they harm (think insurance carriers, governments, contracted third parties… anyone willing to throw some money into the collection jar) as opposed to the targeted victim. As a result, the decision to pay the ransom or not pay the ransom may be up to the aggregate of victims and their constituents, leaving a victim’s business reliant upon everyone else chipping in on the ransom.
Rather than wait around for the other shoe to drop, companies can take practical steps today to reduce the likelihood of an attack while also minimizing the potential harm a ransomware compromise could bring. You can implement multi-factor authentication (really, you should do it immediately) and incorporate recommendations set forth in last month’s White House Memorandum on protecting against the threat of ransomware.
REvil’s ransomware attack proves the threat is constantly evolving and that it is not all about you. Attackers are banking on companies having insufficient funds to pay a ransom in the hopes that those companies lobby fellow victims, insurance carriers, and governments to pay the enormous price tag to resume operations. While each of these stakeholders deliberates and negotiates, your company is left in the cold, unable to operate and generate revenue. We encourage you to review your data governance practices, consult with experts (including legal counsel), and maintain constant vigilance to protect your business systems and data.