The Sad Tale of Ransomware: A New Cyberworld Evolves

Do your CEO’s eyes glaze over when you start to talk about APT, and encryption, and load balancing on a DDoS attack? Well, read on …

So what’s the cost of ransomware? A few million dollars? A billion dollars? A few billion dollars? Well, in the case of Travelex, the answer is a few billion. Tell your CEO about that one!

And so every company must wake up to the sorry tale of Travelex, a company decimated by ransomware, and which never quite recovered from it. It is an increasingly common combination of security elements: APT (Advanced Persistent Threat), data exfiltration and ransomware. If a company has data which is sensitive, an APT actor will go after it and invest a great deal of time finding a way in. Once a way in is found (and phishing, social engineering and RDP scanning are right up their street as intrusion methods), they will observe the infrastructure for a time, then take sensitive data off the site, and eventually leave behind a ransomware infection. The chance of success in getting a payment for the ransom is often extremely high. And so, companies need to improve their DLP (Data Loss Prevention) infrastructure, and also have better ways of detecting the spread of ransomware.

At the end of 2019, Travelex was a billion-dollar company and a fairly strong brand. But a ransomware attack, and then COVID-19, have decimated their business. At the end of 2019, Travelex’s shares were riding high, but ransomware hit it hard, and since then their share price has crashed.

The company tried to recover, and even paid a $2.3 million ransom in April 2020.

But the resources required to rebuild an information infrastructure can be fairly extensive, and every day that their systems remained off-line meant that their partnerships with the financial industry faded away. It is thus a story of how companies need to understand resilience and make plans for the “Black Swan” event. For Travelex, the recovery plan was just not there.

So, if your CEO is blocking that cybersecurity funding for a new SIEM system or some ransomware protection, show them a chart of how the stock price could be affected, and they could perhaps be signing it off in minutes. A few years ago we analysed stock performance related to data breaches, looking at 96 companies that were affected by a data breach between 2013 and 2017.

We also defined the industry sector for the companies, in order to understand if some companies were more affected because of their sector. One would think that health care and finance companies would be more affected for their stock price than those in other sectors.

For this, we defined three periods: an estimation window (understanding the general trend for the stock price); the event window (the time of the announcement of the data breach); and the post-event windows (the time after the announcement).

We found that there was a 3-day window of activity where the stock price generally fell, but we did not see a massive difference in the overall stock price. Generally, a strong incident response plan was key in overcoming the initial negative nature of the media attention.

Conclusions

Our research did not cover ransomware, and now there is increasing social media and broadcast media coverage. We think these will have an effect on stock prices, as a ransomware attack will cause outages. In the case of Travelex, it brought their business down. So our research is now mining social media for sentiment analysis, and trying to understand the true cost of cybersecurity.

With every dollar you spend on enabling your business in a digital way, you should be spending as much, or even more, on resilience, and especially on understanding the Black Swan event.