One of the most visible attacks associated with SamSam hit the city of Atlanta on March 22, 2018. With multiple municipal computers encrypted by the ransomware, more than one-third of the 424 software programs used by Atlanta were thrown offline or partially disabled by the attack. Atlanta said it didn’t pay the $51,000 in bitcoin the attackers demanded for the release of encrypted data, but the city’s clean-up costs in the attack’s aftermath were expected to run over $10 million.
This huge remediation expense makes clear one of the realities of any ransomware attack: even if the victim doesn’t meet the attackers’ demands, the cost of dealing with the damage caused can be staggering. “For an enterprise with hundreds or thousands of computers, it can be tremendously disruptive and expensive to recover from a ransomware attack, even if you have the data that the attack encrypted backed up,” notes O’Brien.
Still, as the decline in ransomware activity last year suggests, there are positive trends underway in this area. More consumers are backing up their data in the cloud, so they can recover it if the data on their device is maliciously encrypted. Growing numbers of law enforcement prosecutions against ransomware attackers are having an impact. And cybersecurity vendors are getting better at detecting and blocking ransomware itself.
These improving defenses have helped drive a decline in the prevalence of ransomware attacks mounted with the aid of Web-based exploit kits. Instead, email campaigns that use spear phishing and other methods to ensnare victims became the primary method of distributing ransomware in 2018, according to Symantec’s ISTR.
Meanwhile, the sheer volume of all forms of malware is driving increased reliance on new defensive technology and techniques. “Traditionally, we’d block malware by getting a sample, making a ‘fingerprint’ of it, and getting a report if it was identified,” O’Brien says. “Now there’s so much malware, that process of manually fingerprinting isn’t efficient enough.”