
Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031

Fastest growing type of cybercrime is expected to attack a business, consumer, or device every 2 seconds by 2031

David Braue

Melbourne, Australia – Jun. 2, 2022

2022 Ransomware Market Report is sponsored by KnowBe4

It has been five years since a report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion (USD) in 2017, up from $325 million in 2015 — a 15X increase in just two years. The damages for 2018 were predicted to reach $8 billion, for 2019 the figure was $11.5 billion, and in 2021 it was $20 billion — which is 57X more than it was in 2015.

Ransomware has evolved and expanded dramatically in the interim — and despite authorities’ recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra — cut off one head and several appear in its place.

All signs are that the coming decade will be even worse as ransomware gangs continue to refine and intensify their attacks, vastly outflanking businesses that are juggling the need for ransomware defenses with a broad range of security, data protection, privacy, and corporate risk priorities.

Ransomware will cost its victims more than $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack (on a consumer or business) every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over the next 10 years.

Yet even those estimates may prove to be conservative, given that the recently-released 2022 update to the Verizon Data Breach Investigations Report (DBIR) found that the number of ransomware attacks increased by 13 percent between 2020 and 2021 — a larger jump than the past five years combined.

This growth was severe enough to be labelled “alarming” by a security analysis team that has spent the past 15 years watching cybercrime attacks grow and morph — and has seen human-driven risk, in particular, continue to dominate infection mechanisms.

Indeed, the human element was involved in 82 percent of the breaches analyzed during 2021, according to the DBIR, with 25 percent of breaches involving social engineering.

The continuing surge in ransomware infections points to ongoing challenges around security awareness training, a corporate capability that has become so important that the market is expected to surge to be worth $10 billion annually just five years from now.


Ransomware is a global threat

Executives have gotten their own education about ransomware risk over the past year, with the May 2021 Colonial Pipeline attack — which shut down gas supplies across the United States Eastern Seaboard and ultimately saw the payment of a multi-million-dollar ransom — sending shudders through C-suites and boardrooms across the world.

That massive attack highlighted the vulnerability of critical infrastructure systems to ransomware and motivated the Australian Parliament, for one, to introduce new legislation that creates a dedicated offence, carrying a maximum 25-year sentence, for anybody found to have targeted critical infrastructure with a ransomware attack.

It’s not just an idle threat: authorities are getting better at tracking down ransomware criminals, as evidenced by a growing list of arrests — such as the Justice Department’s Nov. 2021 indictment of two foreign nationals for ransomware attacks and related charges that could see them jailed for 115 and 145 years, respectively.

FBI director Christopher Wray said the bureau, working in partnership with authorities around the world, has worked “creatively and relentlessly” to crack down on ransomware criminals that, he said, “pose a serious, unacceptable threat to our safety and our economic well-being.”

“We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”

Not only are ransomware criminals coming from all over the world — a malware democratization that has been aided by the ready availability of ransomware-as-a-service (RaaS) offerings allowing anybody to launch previously niche attacks at discount prices — but their real identities are often unexpected.

Witness the recent laying of charges against Moises Luis Zagala Gonzales, a Venezuelan cardiologist who is alleged to have not only created and sold his own ransomware tools at $500 or more per month, but to have also trained malicious hackers in their use.

Zagala’s ransomware tools are alleged to have included features such as a ‘Doomsday’ counter that kept track of how many times the infected user had tried to remove the ransomware, ultimately erasing the entire hard drive if too many attempts were made.

Speculation about why a seemingly high-earning professional would go to the bother of writing ransomware has abounded; one theory is that the country’s runaway inflation rate, which hit 686.4 percent in 2021, means the only way to get ahead is to find a way to generate large quantities of foreign currency or cryptocurrency.

Yet the most interesting thing about Zagala’s campaign, KnowBe4 data driven defense evangelist Roger Grimes told Cybercrime Magazine, is the way he was coaching clients of his ransomware package about how to target potential victims.

“In this particular case,” Grimes explained, “he was instructing the ransomware spreaders to look around and see if victims had any cloud backups — and if they do have cloud backups, then not to worry about them.”

“But if they do have cloud backups,” Zagala was said to have told affiliates, “they almost always pay” — a validation of the industry’s efforts to directly fight ransomware with cloud-based protection services and rollback capabilities for cloud-stored data.

Zagala also, Grimes pointed out, recommended that affiliates don’t let their operations get too large “because it becomes difficult to manage.”

And while it’s not clear whether Zagala has yet been arrested, Grimes said, his likely plea deal would no doubt lead to his revealing the names of many clients — who “all have to be a little bit scared today.”

Crippled by ransomware’s costs, insurers are pushing back

Yet for all the success of security investigators in catching ransomware criminals, criminal indictments are a largely useless key performance indicator (KPI) for the victims of ransomware attacks, who face the financial, operational, and regulatory consequences of business interruption from the minute their systems are encrypted.

Recovering from such an incident will require an all-hands approach that will likely involve internal teams, external incident response firms, forensic specialists, and support from local or federal law-enforcement bodies as required.

It’s a major effort that incurs its own costs on top of the immediate losses for the business interruption — and executives hoping to avoid the costs by pushing insurers to pay the ransom are likely to be in for a rude shock.

Insurers may have been willing to foot the cost of ransomware ransoms a few years ago, when demands were in the hundreds or low thousands of dollars, but the prevalence of multi-million-dollar ransoms has changed the game completely — and in recent months, the insurance industry has thrown down its cards.

Surging ransomware losses pushed premiums for cyber insurance policies up by 92 percent during 2021, according to recent reports, while a recent industry audit by the Council of Insurance Agents & Brokers (CIAB) noted that cyber premiums surged by 34.3 percent during the fourth quarter of 2021 alone — the largest quarterly increase in premiums since 9/11.

“Cyber continued to raise alarm bells across the industry,” said CIAB president and CEO Ken A. Crerar, noting that “the increase in premiums for that line continued unabated in Q4 2021, and the frequency and severity of cyber claims continued to climb.”

“The industry must take steps to confront this unique, constantly evolving risk.”

Insurers are increasingly declining coverage unless companies can demonstrate that they are running effective security training and have implemented key security protections such as multi-factor authentication (MFA) — which, although some forms of it can be phished or otherwise bypassed, nonetheless offers far better protection than passwords alone.

Hardly improving the situation is the fact that many businesses aren’t exactly being transparent about their ransomware payments.

One recent ExtraHop survey of Asia-Pacific IT decision-makers, for example, found that 83 percent had suffered a ransomware incident in the previous five years — but that 68 percent had tried to hide that fact, even though 45 percent said they had gone ahead and paid the ransom.

Fully 44 percent said they were covered by insurance policies, although with this year’s insurance-industry crackdown in full effect that figure is likely far smaller.

Ransomware criminals’ high success rate has shaken CISOs’ confidence, with just 39 percent of ExtraHop respondents saying they have a high degree of confidence in their organization’s ability to prevent or mitigate cybersecurity threats — even though 73 percent agreed that failure to do so could expose them to legal action and fines.

Every day, revelations about new ransomware attacks not only confirm that the world is on track to meet Cybersecurity Ventures’ prediction of $265 billion in ransomware losses by 2031 — but that, if anything, this estimate could be conservative.

Ransomware’s ever-increasing efficiency, exacerbated by companies’ continued inability to respond rapidly enough to incidents and lingering deficiencies in human defenses, ensure that it’s not going anywhere this year — or, in fact, any time soon.

Buckle up, then, and do your best not only to avoid ransomware infection in the first place, but to have a mature, tested, and actionable response plan so that when disaster strikes, it doesn’t cost your business any more than it absolutely has to.

– David Braue is an award-winning technology writer based in Melbourne, Australia.


Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.