Ransomware attacks are rising, payment security consortium warns

A person looks with frustration at a computer screen, which shows a dialog box with a red lock icon.

A payment security standards group released a warning this month about the growing threat of ransomware, echoing forecasts from the U.S. government and others that an uptick in such attacks, which coincided with the pandemic, will likely continue.

The Payment Card Industry Security Standards Council, formed by Visa, Mastercard and other major credit card companies in 2006, said Feb. 10 its ransomware bulletin was one of only two it would release this year. The National Cybersecurity Alliance joined the standards council in releasing the notice.

Lance Johnson, executive director of the PCI Security Standards Council, said that as working from home became commonplace during the pandemic, there has also been “a significant increase in ransomware attacks.” According to the bulletin, “cybercriminals see new opportunities due to the disruption created by the global COVID-19 pandemic.”

As to the kinds of entities at risk, Lisa Plaggemier, the executive director of the National Cybersecurity Alliance, said that all organizations, “large and small, public and private” face the threat of ransomware.

According to an October data release from the U.S. Financial Crimes Enforcement Network, the first half of 2021 saw a greater volume of ransomware-related financial transactions than the whole of 2020 — $590 million in six months compared to $416 million during the whole of 2020.

The FinCEN data comes from suspicious activity reports, known as SARs, filed by financial institutions and associated businesses pursuant to the Bank Secrecy Act of 1970.

“If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined, which would represent a continuing trend of substantial increases in reported year-over-year ransomware activity,” FinCEN’s October report stated.

A report released the same month from Microsoft pointed out that the “publicly reported profits from ransomware and extortion attacks gives these attackers a budget that would likely rival the budgets of nation-state attack organizations.”

In November, FinCEN released an advisory about ransomware highlighting trends and typologies of the attacks. Among the top points, the agency said cybercriminals were increasingly engaging in extortion and double extortion schemes, in which the attackers not only encrypt a victim’s systems but also steal sensitive data first and threaten to publish it, using that threat as additional leverage over the victim.

“Other extortion schemes have also emerged whereby the cybercriminals use the system breach to target additional parties related to the initial victim, such as the victim’s business partners and customers, in an attempt to identify follow-on targets,” the agency’s November advisory said.

Ransomware attacks can be highly sophisticated, even when they target smaller businesses, according to a 2021 report from the cybersecurity firm Sophos.

The firm surveyed 5,400 IT professionals from 30 countries at the beginning of 2021. Of the 500 U.S. respondents, 51% reported they had been impacted by a ransomware attack, slightly lower than the 59% who said the same in 2020.

“While the overall number of attacks is lower, our experience shows that the potential for damage from these targeted attacks is much higher,” the Sophos report said.

Among respondents in the 2021 survey who said that they expected their organization to be hit by ransomware (65%), the most common reason cited (47%) was that attacks are increasing in sophistication.

To avoid ransomware, Plaggemier said, the best and least expensive defense strategy for companies and nonprofits “is by educating themselves and their teams about cybersecurity threats.” The National Cybersecurity Alliance provides a playlist of videos about ransomware, explaining how it works, how to use data backups to limit the damage of an attack, and more.

For businesses that accept card payments, Johnson said adherence to the Payment Card Industry Data Security Standard is “considered a best practice.” The group highlighted some particular standards in the bulletin that concern ransomware defense, including training employees to identify phishing emails, regularly patching systems to close known vulnerabilities before attackers can exploit them, and backing up systems so that a copy of any data encrypted or destroyed in a ransomware attack can be restored.

MORE FROM AMERICAN BANKER