By Adam Bromwich, CTO & Head of R&D of Symantec Enterprise Division

When it comes to choosing their victims, ransomware attackers have become brutally adept at finding pain points.

Their targets range from hospitals, schools, and local government to key infrastructure — such as water treatment and fuel pipelines — and they’re succeeding. Ransomware gangs have aggressively honed their tactics over time while ransomware creators franchise their tools to affiliates in exchange for a cut of the loot. Hardly a day goes by without news of another organization being hit by one of these groups.

Calculated disruption

The May 2021 Conti ransomware attack against Ireland’s National Health Service (HSE) starkly illustrates the gravity of the threats we now face. In the middle of a global pandemic, attackers crippled its network, causing massive disruption to vital services and forcing it to cancel medical appointments. While the attackers subsequently released a decryption key, they are still attempting to hold the HSE to ransom by threatening to release sensitive patient records stolen during the attack.

Attacks such as these can require a high degree of interaction from malware operators — both to successfully deploy the ransomware across the victim’s network and, at the same time, to profile the victim to better estimate the amount of ransom they’re likely to pay based on the success of the attacker’s activity and the quality of the data available for exfiltration. The group behind the HSE attack proceeded because they knew the disruption it would cause at this key point in the Irish response to the COVID-19 pandemic could lead to a major payoff. The criminals behind targeted ransomware are now among the most technically proficient and well-resourced threat groups operating today.
Blockchain analysis company Chainalysis estimated ransomware gangs netted just under $350 million in 2020, a massive 311% increase over 2019.

The scale of ransom payouts now means the most successful groups will have a bigger operating budget than the victim’s network defenders in all but the largest of organizations. This allows them both to operate at a massive scale and to persist in their attacks until they’re successful.

Unhealthy ecosystem

The Irish government is to be commended for not bowing to pressure and paying a ransom. This is a stance that may be put under increasing pressure in the weeks and months ahead, particularly if the restoration of services proves slow or if sensitive medical data is leaked online. Nevertheless, it is the right decision.

It is an unfortunate fact that there will be occasions when some victims will find themselves with no choice other than to pay the ransom. However, we are deeply concerned about how regularly the response to a ransomware attack has begun to resemble a professional transaction — a simple business cost. All too often, ransoms appear to be paid because the payment is calculated as being lower than the short-term cost of restoring the victim’s IT systems from backups, or because the ransom payment is covered by cyber insurance. These decisions are based on a short-term calculus, ignoring the long-term consequences of continuing to invest in an unhealthy ecosystem where ransomware attackers thrive and multiply.

The threat of cyber criminals selling or publicizing stolen data is also forcing organizations to pay ransoms. This is increasingly as potent a tool in extorting a ransom as the outright crippling of IT systems, especially for public bodies that have a legal obligation regarding the protection of customer or user data. More can be done to reduce the impact of this type of crime.

Tough decisions

We can’t pretend fixing the toxic dynamic around ransomware is going to be easy.
It is also clear that things are continuing to get worse and will only get better if effective detection and defense against ransomware are combined with an increased focus on reducing the financial attraction of this activity to cyber criminals. As we saw when stolen-data blackmail was added to the ransoming of IT systems, ransomware gangs have shown themselves adept at finding new techniques to pressure their victims and will certainly redouble their efforts if they encounter resistance.

We can put the odds back in our favor by making it harder for ransomware attackers to get away with it. That means more effective detection and defense. At the same time, equal effort needs to be made to reduce – or remove entirely – the money that feeds the criminals at the center of the global ransomware ecosystem.

About Adam Bromwich:

Adam leads a global team of engineers and analysts who develop the game-changing security technologies, attack intelligence, and security content that protect Symantec Security customers.