Hybrid work is fueling a spike in ransomware and costs are rising

by Kevin L. Jackson, CEO, GC GlobalNet and AT&T Business Influencer

This post was sponsored by AT&T Business, but the opinions are my own and don’t necessarily represent positions or strategies of AT&T Business.

The global transition from the COVID pandemic to its endemic phase will not lead to the workforce shifting back to the way things were before. Experts now expect workers to never return to work solely from the office. Price Waterhouse Coopers estimated that 83% of employees would want to work once a week from home, and 55% would want to continue working remotely. This continuing dependence on hybrid work, cloud infrastructure, and software-as-a-service has multiplied the amount of data that needs protecting. This trend, in turn, has also fueled the dramatic rise in importance of these risks as the most common attack vectors for the $265bn USD dark economy industry referred to as ransomware.

Most ransomware attacks start with simple spam and phishing emails, and many more occur because of poor cybersecurity training and weak passwords. Multiple studies reveal that human error plays a role in 85% of ransomware attacks, with over 90% of cyberattacks caused by email infiltration. This malware variant encrypts files on a system, making them inaccessible until the victim pays a ransom before receiving the decryption key. The variety and complexity of new ransomware threats make it difficult for IT teams to effectively detect and respond to these attacks while managing the rest of their cybersecurity duties.

Ransomware attacks are on the rise for utilities, education, and beyond

The first documented attack of ransomware was rudimentary. Delivered in 1989 via floppy disk containing a malware program, it told its victims to pay a $189 ransom via a Panamanian post office box. These early attacks have now morphed into malicious acts targeted to cause severe disruption to public services and the broader society. This model leverages a tendency to pay the ransom quickly to get public services up and running as soon as possible. Cybercriminals succeed by exploiting dangerous vulnerabilities across different devices and operating systems. Such success leads to significant attacks that shut down telecommunications networks and fuel pipelines, extracting millions from affected enterprises.

In September 2022, TTEC, a global provider of online customer support and sales services, was disrupted by a network security incident resulting from a ransomware attack1. Ragnar Locker, a Windows and Linux application that exfiltrates information from a compromised machine, hit the company's network. It encrypts files using the Salsa20 encryption algorithm and demands that victims pay a ransom to recover their data. The Ragnar Locker Ransomware family also seems to have targeted energy sector victims, including DESFA, a Greek pipeline company, Colonial Pipeline in the United States, and at least two other European energy companies. Given that energy and utilities now find themselves in the news frequently, they prioritize these attacks higher than other industries.

Ransomware attacks against telecommunications 5G core networks and industry endpoint devices paint a vivid picture of the need to protect the most critical infrastructure network components and operational technology (OT) devices.

In Barracuda's fourth-annual threat research report on ransomware attack patterns between August 2021 and July 2022, attacks on municipalities increased only slightly, while attacks on educational institutions more than doubled, and attacks on the financial and healthcare verticals tripled2. For the 106 highly publicized attacks, research has pinpointed the dominant targets as education (15%), healthcare (12%), municipalities (12%), infrastructure (8%), and financial (6%).

Damages from ransomware costs rose from $8B in 2018 to over $20B in 2021. According to Cybersecurity Ventures, this tally will increase to $265 billion (USD) annually by 2031, with a new attack every 2 seconds as perpetrators progressively refine their malware payloads and related extortion activities3. Viewing this from the individual victim's point of view, Coveware placed the average ransom paid in 2020 at $170,404, while $3.2 million was the highest payment reported by survey respondents. The most common amount was $10,000. Recently, Palo Alto Networks reported that the average ransom payment in 2021 hit $570,000—82% higher than 2020's average of $312,0004. These ransomware costs can be debilitating for a business.

Beyond money, the more profound ransomware costs include the following:

  • Downtime and interruptions to business – The Colonial Pipeline ransomware attack disrupted gasoline service for half of the US East Coast for six days. An attack on Baltimore County Public Schools kept more than 100,000 students out of classes, and an attack on a Vermont health center prevented hospital admissions.
  • Stronger cybersecurity protections – A ransomware attack will likely lead to higher cyber defense budget allocations. Initial attacks also make businesses a target for repeat attacks, leading to tightening insurance providers' requirements.
  • Cyber insurance claims and costs – The increasing number of ransomware claims have led to increasing insurance premiums.
  • Legal fees and costs – Attacks affecting consumers can lead to multiple class-action lawsuits. Target and Home Depot paid settlements in the tens of millions of dollars following cyber breaches.

The cost of a lost reputation also shouldn't be underestimated. In the United States, the estimate is more than $537 billion5.

Ransomware threats are evolving—and becoming a business model

Like all malware, ransomware codes vary in sophistication and modularity. Almost all of them, however, follow a predictable five-stage pattern:

  • Initial access
  • Post-exploitation foothold
  • Reconnaissance/credential harvesting/lateral movement
  • Data collection and exfiltration
  • Ransomware Deployment

Constantly evolving, a critical closely related threat is ransomware-as-a-service. These malicious actors start by stealing credentials, focusing on those that give access to servers and other corporate assets, although individual non-admin accounts are not immune. This vector differs because the thieves don't use the stolen credentials to gain entry. Instead, they act as Initial Access Brokers (IABs) or sell these credentials sets to IABs, who quickly sell these credentials to Dark Web customers and affiliates. While the model isn't necessarily simple, this is a frequent entry point for many ransomware attacks.

How to respond to a ransomware attack

CISA, the Cybersecurity and Infrastructure Security Agency, strongly recommends responding to ransomware by these steps6:

  • Determine impacted systems and immediately isolate them.
  • Disconnect devices from the network or, if unable to do so, power them down to avoid further ransomware infection spread.
  • Triage impacted systems for restoration and recovery.
  • Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
  • Engage your internal and external teams and stakeholders to understand what they can provide to help you mitigate, respond to, and recover from the incident.
  • Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers).
  • Consult federal law enforcement regarding possible decryptors available

The Joint CISA Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware guide states, "Paying ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, MS-ISAC, and other federal law enforcement do not recommend paying the ransom. In addition, attackers have begun following their ransom demands to decrypt the data with a follow-on extortion demand to keep data private."

Ransomware becomes media-worthy when executed as an outcome or objective of an attack. Therefore, all industries should proactively address ransomware at the tactical and board levels to have a plan in place in the event they fall victim to this threat. The tactical groups include line-of-business and IT leaders who can provide input on the ramifications and costs of a successful ransomware attack. Businesses should also pursue a layered approach to cybersecurity.

At the same time, the C-suite and the board need to consider the potential liabilities of paying a ransom versus attempting a cyber-recovery.

For more on preventing ransomware and mitigating the cost of this risk, organizations should review and follow preventative actions to ransomware outlined by the National Institute of Standards and Technology.

  • Assess – identify gaps including people, process, and technology (where are we today?)
  • Plan – take action to address gaps (enable measurement)
  • Practice – test people, processes, and technology (phishing, social engineering)
  • Measure – how are we doing? identify remaining gaps
  • Adjust – close remaining gaps

Learn more about AT&T Business cybersecurity solutions or reach out to
your AT&T Business representative.


“Customer care giant TTEC hit by ransomware,” Krebs on Security, September 15, 2021, https://krebsonsecurity.com/2021/09/customer-care-giant-ttec-hit-by-ransomware/.
“Ransomware gangs’ favorite target,” HelpNet Security, August 31, 2022,  https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/.
3 “Global ransomware damage costs predicted to exceed $250 billion by 2031,” Cybersecurity Ventures, June 1, 2022, https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/.
4 Molly Clancy, “The true cost of ransomware,” The Backblaze Blog, September 9, 2021, https://www.backblaze.com/blog/the-true-cost-of-ransomware.
5 Jonas Sickler, “What does a bad business reputation cost?,” CommPro, Accessed November 10, 2022, https://www.commpro.biz/what-does-a-bad-business-reputation-cost/.
I’ve been hit by ransomware!,” Stop Ransomware, Accessed November 10, 2022, https://www.cisa.gov/stopransomware/ive-been-hit-ransomware