Successful ransomware attacks impose a variety of costs on the victim. Aside from business disruption, ransomware infections are often very visible outside an organization, resulting in reputational damage, loss of business and a fall in stock market value. Regulators and governments can impose fines or other sanctions for breaches of data privacy, for example under the EU General Data Protection Regulation.
Norsk Hydro, which gave invaluable insight into how organizations should handle a successful attack, reported a cost of £45 million in June 2019. US IT services company Cognizant expected costs of between $50 million and $70 million in the quarter after falling prey to a Maze ransomware attack in April 2020. When travel firm CWT was attacked, it opted to pay a $4.5 million ransom. Dutch telecommunications provider KPN estimated the average ransom demand for a successful REvil infection to be $260,000.
There are two main types of ransomware commonly seen today:
Crypto-ransomware encrypts files on a computer, essentially 'scrambling' the file contents so that the user cannot access them without a decryption key that correctly 'unscrambles' them. A ransom payment is demanded in return for the decryption key. This can affect personal computers, smartphones, servers and cloud-based services. Properly implemented encryption is practically impossible to reverse without the decryption key.
"Police-themed" ransomware tries to cloak its actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband. The ransom demand is described as "payment of a fine", or similar.
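The 'scrambled' file contents described above are what a defender can measure: properly encrypted data has a near-uniform byte distribution, so its Shannon entropy approaches the maximum of 8 bits per byte, whereas documents and source files sit well below that. The script below is an added example, not code from the original page or from F-Secure, showing the per-file entropy check and a snapshot-level heuristic that flags a directory when most of its files suddenly look encrypted. The file contents, the `.locked` extension, the `pseudo_ciphertext` generator (a SHA-256 chain used as a deterministic stand-in for real ciphertext) and the thresholds are all constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds: 8.0 is the maximum entropy for byte data; anything
# above 7.5 bits/byte is treated as "looks encrypted" for files of at least
# a few hundred bytes (shorter files cannot reach high entropy anyway).
HIGH_ENTROPY_BITS = 7.5
SUSPICIOUS_RATIO = 0.5


def shannon_entropy(data: bytes) -> float:
    """Return the entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = HIGH_ENTROPY_BITS) -> bool:
    """True when the byte distribution is flat enough to pass for ciphertext."""
    return shannon_entropy(data) >= threshold


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for encrypted output (NOT real encryption):
    a SHA-256 hash chain, chosen because its bytes are evenly distributed
    like ciphertext and the result is deterministic for the test below."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def scan_snapshot(files: dict, threshold: float = HIGH_ENTROPY_BITS,
                  ratio: float = SUSPICIOUS_RATIO) -> dict:
    """Assumed heuristic: a snapshot {name: bytes} is suspicious when at
    least `ratio` of its files look encrypted. Returns per-file verdicts
    and the overall flag."""
    verdicts = {name: looks_encrypted(data, threshold) for name, data in files.items()}
    hits = sum(verdicts.values())
    return {
        "encrypted_files": hits,
        "total_files": len(files),
        "suspicious": bool(files) and hits / len(files) >= ratio,
        "verdicts": verdicts,
    }


# Constructed sample data: a plain-text "document" and a directory snapshot
# before and after a simulated crypto-ransomware run.
DOCUMENT = (b"Quarterly sales report. Revenue grew in all regions; "
            b"see the attached spreadsheet for the breakdown.\n") * 40
BEFORE = {
    "report.docx": DOCUMENT,
    "notes.txt": DOCUMENT[:1000],
    "budget.xlsx": DOCUMENT[:2500],
}
# After: every file is replaced by high-entropy bytes and renamed with an
# assumed ".locked" extension, plus a small ransom note (which stays low-entropy).
AFTER = {name + ".locked": pseudo_ciphertext(name.encode(), len(data))
         for name, data in BEFORE.items()}
AFTER["README_DECRYPT.txt"] = b"Your files are encrypted. Pay to get the key.\n"


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        result = scan_snapshot(snapshot)
        print(f"{label}: {result['encrypted_files']}/{result['total_files']} "
              f"files look encrypted, suspicious={result['suspicious']}")
        for name, data in snapshot.items():
            print(f"  {name:28s} {shannon_entropy(data):.2f} bits/byte")
```

Entropy alone is a noisy signal: compressed archives, images and video are also near 8 bits/byte, which is why the heuristic looks at the change across a whole directory rather than at a single file. Real detection tooling combines this with other indicators the page's threat descriptions mention, such as mass renames to a new extension, ransom notes dropped into every folder, and canary files that legitimate software never touches.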
Ransomware works on the assumption that the user will be inconvenienced enough at losing access to the files that they are willing to pay the sum demanded.
Security researchers and law enforcement authorities generally recommend strongly that victims refrain from paying the ransom. In some reported cases, however, crypto-ransomware infections have been so disruptive that the affected organizations and users opted to pay the ransom to regain access to their data or devices. It is worth noting that some attackers also release data belonging to the victim organization regardless of whether the ransom is paid, and that paying does not guarantee that the victim will recover their data or that they will not face further demands from the attacker.
For examples of crypto-ransomware and police-themed ransomware, see:
Crypto-ransomware
Threat Description: WannaCryptor
Threat Description: Petya
Threat Description: TeslaCrypt
Threat Description: CTB-Locker
Threat Description: Cryptolocker
Police-themed ransomware
Threat Description: Trojan:HTML/Browlock
Threat Description: Trojan:W32/Reveton
Threat Description: Trojan:W32/Ransom
For more technical details of ransomware, see:
Labs Weblog: F-Secure WCry: Knowns And Unknowns
Labs Weblog: Petya: Disk Encrypting Ransomware
Labs Weblog: OphionLocker: Joining in the Ransomware Race
Labs Weblog: Ransomware Race (Part 5): SynoLocker's unkept promises
Labs Weblog: Ransomware Race (Part 4): Adult Content, Browlock's Staying Power
Labs Weblog: Ransomware Race (Part 3): SynoLocker Under The Hood
Labs Weblog: Ransomware Race (part 2): Personal media the next frontier?
Labs Weblog: Ransomware Race (Part 1): CryptoWall ups the ante
Labs Weblog: On "FBI" "Ransomware" and Macs