
Exclusive

Foreign ransomware gangs steal millions from Australian victims as attacks and prices soar

Attacks from highly-organised ransomware gangs are on the rise in Australia, with local business owners handing over staggering amounts to salvage their livelihoods.


Eastern bloc hacking cartels are extracting more than one billion dollars a year from Australian businesses in a criminal enterprise so successful the gangs are now recruiting affiliates, hiring call centres, and branching into extortion.

Ransomware attacks have soared in Australia in 2020 and the price of ransoms has grown even faster, experts warn, with criminals now demanding several hundred thousand dollars from firms with no room for negotiation.

And despite growing demands, one in three Australian business owners are paying up to salvage their livelihoods — a figure that rises to 80 per cent of companies with cyber insurance.

Rebecca Bishop and husband run a building services company and have had their server hacked twice and a ransom demanded. Picture: Jamie Earp

News Corp can reveal ransomware attacks — in which software is used to lock a victim’s files so they cannot be accessed without a digital key — have become so pervasive they have shut down businesses every month this year, affecting everything from foreign currency exchanges and wool sales to aged care homes, beer production, building supplies and TV ratings.

The Australian Cyber Security Centre is this month launching a national security campaign focused on ransomware, and security analysts warn most companies are still unprepared for an attack, risking money, trade, and the personal data of their staff and customers.

Bitdefender threat research director Bogdan Botezatu, who last year helped police dismantle a major ransomware gang outside Russia, said the criminals behind ransomware attacks were often based in countries and states where they would not be prosecuted or extradited, and considered themselves untouchable.

Most gangs are thought to hail from Eastern bloc nations, with many ransomware programs written so they cannot attack victims in countries such as Armenia, Belarus, Kazakhstan, Ukraine and Russia.

The gangs were increasingly chasing bigger ransoms this year, he warned, targeting companies with highly sensitive personal data, like healthcare firms, and using extortion for bigger paydays by threatening to release customer data on the Dark Web.

“It gives them yet another bargaining chip in the form of stolen information they threaten to publish online and bring trouble to companies who are not willing to pay,” Mr Botezatu said.

“This, of course, destroys reputations. There’s also GDPR in Europe and the Australian Privacy Act that punishes companies which lose information.”

Cybersecurity firm CrowdStrike recently revealed one in three Australian firms had chosen to pay ransoms when their businesses were attacked, with each incident costing $1.25 million on average.

Emsisoft estimates Australian companies have lost $1.45 billion in ransoms and downtime to ransomware attacks in the past year, while a new report from Atlas VPN found ransom payouts had soared by 178 per cent this year to $234,000 per victim.

But that figure appears set to rise. Emergence founder and managing director Troy Filipcevic said businesses with cyber insurance were even more likely to pay ransoms, with more than 80 per cent of the company’s clients paying to retrieve their files.

Mr Filipcevic said the insurance firm recently paid a $350,000 ransom to criminals on behalf of a Queensland client and was currently “dealing with another and working through the ramifications of whether or not we pay up”.

He said ransomware attacks had become “a business model that is working” for criminals, and hackers were taking time to research how much a company could afford before issuing demands.

“We helped one of our clients respond to a ransomware attack where they were demanding $200,000,” he said.

“We tried to negotiate with the hacker and they said ‘no, we’re not negotiating, we know who you are, we know your financials, and we know you’ve got cyber insurance so you can pay the ransom’.

“They’ll often sit there in the system for 180 to 200 days prior to the attack. They’re looking at files and financial statements.”

Mr Botezatu said some sophisticated ransomware gangs were also actively recruiting affiliates, offering them customised ransomware tools to use against victims in return for a cut of their profits — a move helping to boost the number of ransomware attacks — and hiring call centres to help victims pay in cryptocurrency.

Business owners are advised to make regular backups to protect their data from ransomware attacks, as well as isolating risky parts of the network, like human resources, and updating all computers on their networks.

Akamai security technology and strategy director Fernando Serto said companies should also educate employees to scrutinise their email, as phishing attempts were still one of the biggest ways hackers entered networks, and advised business owners to ignore ransoms.

“Our recommendation is don’t pay,” he said. “If you pay the first time, they’re going to come back for the second and third.”

‘THEY SAID THEY HAD INAPPROPRIATE VIDEOS AND PHOTOS OF US’

Successive ransomware attacks could have destroyed the award-winning business built by Rebecca and Nick Bishop.

The couple, from Maryknoll in Melbourne’s southeast, created Elite Building Services over seven years only to see vital files frozen by overseas hackers demanding money.

Ms Bishop says the first online attack, in 2018, shocked them.

“We came in one morning and we couldn’t function,” she said. “We use a server that has all our building templates on it. We couldn’t send out documentation, we couldn’t issue building permits.”

Nick and Rebecca Bishop who own Elite Building Services. One of their databases took $4500 to recover after a ransomware attack. Picture: Supplied

The hackers not only encrypted all their information and demanded a ransom, she said, but threatened to leak the stolen data to the Dark Web if they didn’t pay up.

“They said they had access to inappropriate videos and photos of us and they would release that data too,” she said.

“I knew we didn’t have videos like that. I was just pissed off. I was angry that someone could take your whole business and hold your livelihood to ransom. It’s disgusting.”

Ms Bishop said being unable to access any of the company’s stored files made her question whether to “give into these idiots” but, with the help of an outside IT consultant, they were able to replace the information without paying them “a cent”.

The company did lose money and time to recover from the attack though, she said. One database took three weeks and $4500 to recover as it hadn’t been backed up.

Changes to the way they stored files helped last year, however, when they were attacked a second time. Ms Bishop said she hadn’t reported the incidents to police, and it was hard to find out what measures to take when companies were attacked.

The Australian Cyber Security Centre recommends victims log attacks on their ReportCyber page, where they can be investigated by police or used to monitor cyber crime activity.

Bitdefender threat research and reporting director Bogdan Botezatu said companies of all sizes should also take precautions, including making regular backups, segregating high-risk computers, ensuring employees changed passwords often, and encouraging them to report suspicious activity.

Originally published as Foreign ransomware gangs steal millions from Australian victims as attacks and prices soar


Original URL: https://www.goldcoastbulletin.com.au/truecrimeaustralia/crimeinfocus/foreign-ransomware-gangs-steal-millions-from-australian-victims-as-attacks-and-prices-soar/news-story/96e53b1e444bd62d8cca46ea1166ea7c