Cyberattacks Against Endpoints Rising, Reaching $9 Million Per Attack In 2019
This information makes attacks on healthcare costlier than those in finance (close to $6 million) or pharmaceuticals ($5.1 million). The pharmaceutical industry shows successful defense against cyber attacks, as the cost of data breaches lowered from 2021 ($5.4 million).
The department also announced today the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.
For the private sector, cyberattacks can result in catastrophic economic losses and irreparable damage to intangible assets like intellectual property and goodwill. Ransomware attacks, which grew 66% in 2021, pose significant risk in this regard.12 Companies facing such attacks must select from two losing options: paying out sizeable ransoms or forfeiting proprietary or customer data. Last year, on average, affected companies spent over US$800,000 per ransom payment and US$1.4 million to remediate the economic and intangible impacts of an attack.13
As a result, President Biden issued a far-reaching executive order in 2021 to modernize federal cyber defenses, making cybersecurity a rare area where the President can direct spending increases without worrying about Congressional gridlock. And through recent spending approved by Congress in the Infrastructure Investment and Jobs Act, bipartisan support is leading to an additional US$2 billion in cybersecurity spending.19 In Europe, the EU recently made progress toward setting up a cybersecurity emergency response fund to counter large-scale cyberattacks.20 And we expect public sector cybersecurity spending to direct funds to cybersecurity companies worldwide in the immediate and long term, which could benefit cybersecurity stocks.
There are several mechanisms of vulnerability that are specific to hospitals as discovered through a literature review and interviews of hospital cybersecurity experts (S. Larsen, interview, April 2020, unreferenced; M. Wilkes, interview, August 2020, unreferenced; B. Woods, interview, August 2020, unreferenced). These are well described by Ayala12 and are synthesized in Table 1. Of special concern are attacks that can disable systems and encrypt data precluding their use as caused by, for example, ransomware, distributed denial of service (DDoS) and theft of sensitive data. Also concerning, during the most critical stages of the COVID-19 pandemic, within 2020, a time when hospitals worldwide were overwhelmed, cyberattacks against them doubled.13 Some varieties of cyberattacks, such as Business Email Compromise (BEC), have less effect on performance of the hospitals or the patients they serve, but can still come at a cost. In fact, the overall cost of BEC in the U.S. in 2018 was US$3.6 billion. In 2018, the healthcare sector was the sixth largest target for this type of attack, accounting for 5% of the total targeted victims.14
Since the beginning of the COVID-19 pandemic, an exponential increase across the spectrum of cyberattacks has challenged organizations. Some observers coined the term cyber pandemic to characterize the current evolving cyber environment.4 The Federal Bureau of Investigation (FBI) reported in its 2020 Internet Crime Report that, compared with 2019, complaints of suspected internet crime ballooned by over 300,000, to nearly 800,000 incidents, leading to aggregate reported losses in excess of $4.2 billion.5 Such malicious activity is not expected to abate in 2021, as cyberattack attempts are projected to increase to every 11 seconds, more than double the frequency of every 39 seconds noted in 2019.6 Observers project damages from cyber events could reach $6 trillion in 2021 globally.7
As mentioned, endpoints are usually the preferred targets for cybercriminals. Remote devices are especially vulnerable due to the sheer volume of users, which fosters greater opportunities to exploit an endpoint, making them attractive targets to hackers. Endpoint devices provide points of entry to access corporate networks, so they are susceptible to cyberattacks designed to steal or encrypt data or even take control of a device to execute an attack.
Pyongyang could engage in economic warfare to steal massive amounts of money or undermine the stability of the international financial system or worldwide markets. The regime could conduct ransomware attacks on banks to gain money or to disable or destroy computer networks as well as flood the SWIFT system with fraudulent transactions. In 2019, more than 11,000 SWIFT member institutions worldwide sent approximately 33.6 million transactions per day through the network.
Augment regulation of cryptocurrency exchanges. As banks and financial institutions responded to North Korean cyberattacks, Pyongyang shifted toward cryptocurrency exchanges and DeFis both as targets and as means to launder money. The U.S., in conjunction with other nations, should review existing legislation and regulations that are applicable to cryptocurrency exchanges to ensure sufficient security against cyberattacks and prevent money-laundering.
As this connected vehicle ecosystem expands, global automotive OEMs, Tier 1 and 2 suppliers, and other smart mobility players continue to develop various services, components, and technologies for the connected car. Consequently, as vehicle connectivity grows and demand for embedded solutions rises, the risk of cyber attacks against connected vehicles increases. According to a March 2020 GSA and McKinsey report 5, currently, cars have up to 150 ECUs and about 100 million lines of code, and by 2030, many expect them to have roughly 300 million lines of software code. This amount of code creates extensive opportunity for cyber attacks, not only on the car itself but also on all components of its ecosystem.
Gemini Advisory reached out to Simon Hunt, EVP of Cybersecurity at Mastercard. As part of a personal project unaffiliated with Mastercard, he put together a list of ransomware attacks on government entities, which are displayed in the screenshots below. Based on information that Hunt collected from open-source reporting, starting from 2019 there has been a steady increase in ransomware attacks on governmental organizations, cities, and even states. As such, in 2018 there were at least 10 ransomware attacks on cities, with a maximum amount of $40,000 paid to hackers. In 2019, the number of attacks had increased to a documented 51 attacks and the maximum payout to hackers was $600,000. Attacks are increasing exponentially, and as such, in the first two quarters of 2020, there were already 60 confirmed ransomware attacks on cities with a maximum payout amount of $2.6 million. It is important to note that in 2018 and 2019 these attacks were documented only in the United States, whereas in 2020, ransomware attacks on cities were recorded on five continents, primarily in Europe and the United States. It is worth pointing out that cities around the United States are also susceptible to other types of attacks, such as Click2Gov breaches, that Gemini covered in 2019. The various attack vectors employed in attacks against cities underline several gaps in their security measures.
While it may be possible to recoup financial losses or reputational harm, many institutions are not willing to risk human life. More and more often, hackers target medical institutions due to their inability to negotiate. Cybersecurity company Recorded Future reported that through 2019 there were 134 publicly reported ransomware attacks against healthcare providers, and in 2020 there were already 26 ransomware attacks against US healthcare providers as of July 16. Many modern hospitals rely on computer systems in order to run their daily operations, including distributing medications to patients, which are controlled by special cabinets that use computer systems to operate their locks. Naturally, most medical charts are stored on computers and many medical workers rely on specially designed medical programs that assist in diagnosing and treating patients. Additionally, modern surgeries are performed with the assistance of robotics, which is becoming more prevalent in the modern world. Ransomware could completely paralyze hospital operations and could put patients at risk if the doctors are unable to retrieve the medication that they need in a timely manner, or it could freeze a system designed to retrieve data and detect anomalies, or disrupt lab systems that perform analysis, or perhaps even force a robot offline during surgery. All of these disruptions could be life-threatening, meaning that hospitals are in no position to negotiate with the hackers and must try to get their systems back online as soon as possible, which could mean a big payday for the criminals.
For that reason, while the FBI urges victims not to pay, it also sympathizes with those who have. Many companies are reluctant to disclose cyberattacks, but doing so can help authorities in their fight against ransomware and other cybercrimes.
In May 2020, the US government revealed that foreign actors, including foreign governments, had carried out cyberattacks against the Department of Health and Human Services, hospitals, research laboratories, health care providers, and other institutions in the medical industry.7 Groups linked to the Russian and Chinese governments have been identified as likely culprits behind attacks meant to steal COVID-19 medical information and research.8
Over the last several years, cyberattacks have grown dramatically in their level of sophistication, magnitude, and frequency. One such example is the 2021 attack on the Colonial Pipeline, in which a criminal ring extorted nearly $5 million from a company that owns a vital 5,500-mile U.S. oil pipeline.
Putting this supply chain risk management program for DOD cybersecurity into place would be a good step in the right direction for the federal government, but private companies have a responsibility here, as well. Their work should begin with a clear-eyed look at their cyberattack risk and subsequent financial liability: The average cost of a cyberattack in the U.S. is over $9 million, according to IBM, and many cyberattacks result in damages that reach into the hundreds of millions of dollars.