Large UK businesses are holding bitcoin to pay ransoms

Based in Fort Lauderdale Florida, Citrix is a software corporation founded on a core principle, “to make the world’s apps and data secure and easy to access.” Over 400,000 organizations and over 100 million users across the globe use Citrix solutions, generating the company $3.28 billion in revenue during 2015.

The American multinational corporation recently commissioned Censuswide to quizz 250 IT and security specialists in UK companies with 250 or more employees, “to glean further insights as to their strategies to defend against cyber and ransomware attacks.”

“Ransomware risk could cripple British businesses with many not ready.”
— – Citrix

The poll focused on large UK enterprises, those with 250 or more employees, and not small and medium-sized enterprises (SMEs) with fewer than 250 employees.

The research shows that 33 percent of the companies surveyed are “stockpiling Bitcoins to pay up,” in the event of a ransomware attack or other crypto related scams.

Businesses with more than 250 employees accounted for 0.1% of UK enterprises at the beginning of 2015. However, “the 7,000 large businesses in the UK make a large contribution to employment and turnover,” states the UK Department for Business Innovation & Skills. The group accounts for £2.0 trillion in turnover, 53% of the private sector total, and employs 10.3 million, 40% of the private sector workforce.

More than half of firms with 501-1000 employees are already storing cryptocurrencies, while 36 percent of businesses with 250-500 employees are doing the same. Among companies with between 1,000 and 2,000 employees, 24.4 percent keep a ready stock of digital currency such as bitcoin, Citrix told BraveNewCoin.

Only 18 percent of businesses with more than 2,000 employees see a need for building their digital currency stockpiles. However, 35 percent of this group are willing to pay £50,000 or more to regain access to important intellectual property (IP) or business critical data.

An independent 2016 Crypto-Ransomware Report, commissioned by Intermedia and executed by market-research consultancy Researchscape International, found that paying for restored access is more about losing productivity during downtime than it is the cost of the ransom. Their report revealed that 72 percent of infected business users could not access their data for at least two days following a ransomware outbreak, and 32 percent lost access for five days or more.

"Experts observed significant data recovery costs, reduced customer satisfaction, missed deadlines, lost sales and, in many cases, traumatized employees."
— – Intermedia

Stopping the spread of the infection within an organization is also an important consideration. Felix Yanko, President of Technology & Beyond recently explained that ransomware, such as CryptoLocker, can take down multiple offices in one fell swoop.

“Business that tries to restore from a ransomware attack off of traditional backup usually loses weeks of work due to lost files, plus a day or more of downtime while computers are wiped and reloaded,” Yanko states. “Companies must have measures in place to mitigate the devastation of ransomware."

According to a report issued by cybersecurity think tank ICIT, “If the ransom must be paid, then the organization should pay in bitcoins or some tangible asset.”

“Victims should never pay with their credit cards or financial account information,” reads the ICIT report. “Even when paying for bitcoins or currency vouchers, the organization should not pay with their credit cards or financial account information. If no alternative exists, then the card or account used to pay should be frozen or closed immediately after the transaction to prevent cascading breaches.”

While there have been some successful attempts at defeating ransomware, as demonstrated by Kaspersky last year, ransomware is on the rise. The problem is so serious that Joseph Bonavolonta, the Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, has advised victims that “the easiest thing may be to just pay the ransom.”

“The ransomware is that good… To be honest, we often advise people just to pay the ransom.”
— – Joseph Bonavolonta, FBI

Police stations, government offices, universities, and even hospitals have been among the recent victims of ransomware. In February, a widely-publicized attack on the busy Hollywood Presbyterian Medical Center in Los Angeles created a life-or-death situation for some patients that earned the attackers 40 bitcoins, worth around $17,000 at the time. Since then, at least two more hospitals have fallen victim too.

Cornell University professor and Bitcoin researcher Emin Gün Sirer noted recently on Twitter that his employers weren’t bitcoin-friendly before the threat of ransomware. “At Cornell, it was difficult to buy/own crypto for research," he tweeted. "When ransomware came out, the treasurer created coinbase acct to be ready.”

An independent study by Slovakia-based IT security company ESET, carried out at Infosecurity Europe in June 2015, revealed that over a third of UK companies have either personally been held to ransom by hackers, or know someone that has had their networks infected by ransomware.

84 percent of the 200 security professional respondents believe their company would be seriously damaged if it was ever infected by ransomware, while 31 percent admitted that if they were infected by ransomware they would have no choice but to pay the ransom.

“Ransomware is one of the most frightening types of malware due to its destructive power. The results from our study are very concerning as it seems that IT security professionals still do not understand how to properly deal with ransomware.”
— – Mark James, ESET security specialist

Citrix’s results concur, finding that 20 percent of UK businesses surveyed have no contingency measures in place in case of a ransomware attack, with 48 percent failing to back up their company data at least once a day. “While these findings suggest smaller firms are perhaps placing a greater emphasis on cybersecurity,” Citrix explained, “over one in ten (13 percent) have admitted to never serialising their backup data files, leaving them more vulnerable to a ransomware attack.”

32 percent of IT and security specialists responding to the Citrix poll believe the government is not providing adequate guidance on how to avoid cyberattacks. The firms pointed out that the government last updated its 10 Steps to Cyber Security guidance nearly 18 months ago. “These findings suggest that those in charge of safeguarding their company’s all-important data are calling for more from leaders,” Citrix concludes.

“This research has further highlighted the sheer volume of questions to be answered by companies across the UK, with many simply not prepared for a cyberattack that could result in the loss of mission critical data, reduced revenues and a decline in public trust.”
— – Chris Mayers, Citrix chief security architect

While the Cyber-security Information Sharing Partnership (CiSP) was launched in March 2013, the UK Government, like others, appears to be lagging behind. The joint industry/government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat. The CiSP service is free and has over 2000 organizations and 5,300 individuals signed up as of April 2016.

Through CiSP, the UK National Computer Emergency Response Team (CERT-UK) formed in March 2014 in response to the National Cyber Security Strategy. CERT-UK provides regular advice and guidance on a range of cyber issues, with the aim of sharing information and encouraging best practice amongst their partners.

“Unfortunately, whilst ransomware itself is usually easily removed, without the decryption key the files remain encrypted in a way that researchers often consider infeasible to break. Nevertheless, there’s no guarantee that payments will be honoured and many security firms advise against agreeing to any transactions.”
— – CiSP/CERT-UK

A report from the Institute for Critical Infrastructure Technology (ICIT), 2016 Will Be The Year Ransomware Holds American Hostage, showed that the average cost of a demanded ransomware payment is $300 per infected host. However, "targeted attacks against businesses and critical systems have led to significantly higher ransom demands," ICIT stated.

Earlier this year ransomware was the highlight of a new, larger attack platform called CryptXXX that bundles many different types of attacks together, including password-sniffing keyloggers and a botnet installer. It also looks through an infected system for bitcoins. Highly sophisticated, and launched on an advanced attack platform, CryptXXX is expected to flourish this year.

Ransomware as a Service (RaaS) has also emerged. "Cybercriminals went even further and contrived an affiliate ransomware distribution scheme,” InfoSec explained, “the idea is to draw a distinct line between the crypto ransomware creators and the individuals or groups who spread the infection." InfoSec has published a list of of known RaaS instances that have been discovered since early 2015.

“When using a RaaS kit, the ill-minded clients are obliged to share their revenue with the ‘merchant’ who will typically ask for 20% of the ransoms submitted by victims.”
— – InfoSec Institute

This article has been updated to include data on companies with 1,001-2,000 employees.