Weaponized Ransomware

It is not just a question of whether to pay

Weaponized ransomware attacks are accelerating globally against public and private organizations. Ransomware is malicious software, or malware, used to deny victims access to their systems. 

Hackers weaponize ransomware through a double-extortion tactic to intimidate victims into paying large ransoms. The scheme involves two steps. The hackers first promise to decrypt a victim’s computer systems if the victim pays. Then, they pressure the victim by threatening public release of the victim’s sensitive files, often increasing the ransom demand. 

There are two categories of ransomware: crypto and lockers. Crypto ransomware encrypts data files on systems, requiring victims to pay to obtain a decryption key to recover data files. Locker ransomware blocks login or file access, requiring victims to pay to obtain an unlock code.

Some victim companies capitulate to the hackers’ demands and pay the ransom. On December 31, 2019, hackers used Sodinokibi/REvil ransomware to attack Travelex, a foreign exchange company. Prior to attempting to extort U.S. $6 million, the hackers accessed Travelex’s server for several months and exfiltrated 5 gigabytes of sensitive data, according to a January 7, 2020, report by the BBC. In the end, Travelex paid a ransom of about U.S. $2.3 million, according to an April 9, 2020, report by The Wall Street Journal newspaper.

Monitors check their screens at the Denver-based Colorado Governor’s Office of Technology, tasked with protecting the state from cyber attacks. THE ASSOCIATED PRESS

Other victim companies resist paying, only to face the data breach consequences. In 2019, hackers used the Maze ransomware to attack a security staffing company, Allied Universal, for 300 bitcoins, or about U.S. $2.3 million. Unbeknownst to Allied Universal, the hackers exfiltrated large volumes of confidential data before encrypting the network.

Maze hackers then increased the pressure on Allied Universal by contacting BleepingComputer, a computer help website, with details about the data breach. The hackers threatened to release 700 megabytes of Allied Universal’s confidential data, according to a November 21, 2019, report by BleepingComputer. They increased the ransom to U.S. $3.8 million, but Allied Universal did not pay. The attack became public when the hackers posted the information on a Russian hacker and malware forum. 

The Maze ransomware attack against Allied Universal was the first reported use of the double-extortion tactic. Before this incident, victims had not considered ransomware attacks as data breaches. Shortly after that, Clop, Nemty and DoppelPaymer hackers began adopting similar tactics. 

Implications of Shifting Tactics

Organizations with cyber insurance policies can be easier targets for hackers to extort because insurers persuade them to pay the ransom, according to a September 17, 2019, report by ZDNet, a business technology news website. Cyber insurance companies want to limit ransomware claims costs and will recommend ransom payment even if victim organizations can recover from backups, because recovering from backups tends to cost more than paying the ransom. Therefore, insurance companies played a role in escalating ransomware attacks by authorizing ransomware payments by clients, according to an August 27, 2019, report by ProPublica, an independent, nonprofit news organization. Hackers profited from ransomware payments authorized by insurance companies, fueling a cycle of ransomware crime.

To break this cycle, 225 mayors in the United States signed a July 2019 resolution to stop paying ransoms to hackers. In October 2019, the U.S. Federal Bureau of Investigation issued a ransomware public service announcement urging victims, including private sector organizations and local governments, to stop paying ransoms. By November 2019, hackers began to use the double-extortion tactic, which included sensitive data exfiltration.

Adding data exfiltration to ransomware was a game-changer. In the past, victim companies did not treat ransomware attacks as data breaches because the attacks only restricted access to their networks by encryption. Now, with double-extortion, hackers exfiltrate sensitive data, so victim companies must follow applicable regulatory reporting requirements and consider third-party liability exposure. 

Third-party liability includes injury to others, such as customers or vendors, and can cover claims for breach of contract or payment card industry penalties. For example, Sodinokibi/REvil hackers claimed to have attacked a New York entertainment law firm, Grubman Shire Meiselas & Sacks. They posted screenshots of entertainers’ legal contracts, including those of Madonna and Christina Aguilera, on the dark web and threatened the release of data in nine phases, according to a May 8, 2020, report by Cointelegraph, a website covering the crypto industry.

The attack on Grubman Shire Meiselas & Sacks highlights how a law firm can incur third-party liability costs from exfiltrated client data. Hackers can use the stolen data, such as email, phone numbers and relationship information, to launch attacks against the law firm’s supply chain, including clients, other law firms and media companies, or to sell the information on the dark web. These actions increase a victim organization’s third-party liability exposure, which then escalates insurance claims.

Cyber insurance providers are incurring higher costs because of the recent shifts in ransomware tactics. As a result, U.S. cyber insurance rates are increasing as much as 25% because of the rising costs of ransomware, according to a January 22, 2020, Reuters report.

Data exfiltration requires high-level skills to break into networks and remove sensitive data. Therefore, some ransomware hackers began teaming with highly skilled hackers to launch a new type of attack not only against a victim’s network but also against its supply chain, according to a November 21, 2019, report by AdvIntel, a fraud prevention company. The skilled hackers use advanced persistent threat tactics to remain in a network undetected for an extended period. Their main objective is to steal sensitive data, but they may also destroy network backups and exploit the victim’s supply chain through credential stealing and infection of software updates. Ransomware hackers then unleash ransomware to encrypt a victim company’s network and secure a high payout. Meanwhile, the skilled hackers collect information to exploit the victim’s customers and vendors, placing them at risk of a third-party attack.

Even unskilled individuals can monetize ransomware by renting or purchasing distribution kits from ransomware hackers. Specifically, hackers use a business model called ransomware-as-a-service (RaaS) to monetize ransomware through unskilled individuals, called affiliates. In return for access to the ransomware (for example, infrastructure, software updates and support), the affiliates share the ransom proceeds with the hackers. RaaS affiliates tend to attack smaller organizations for smaller ransoms (mostly less than U.S. $5,000), according to a January 23, 2020, report by blockchain analysis company Chainalysis. While the ransom amounts may be lower, the attacks are more widespread, making it profitable for RaaS hackers. To evade law enforcement, RaaS is sold on dark web forums using cryptocurrencies.

To purchase RaaS or pay ransoms, ransomware hackers only accept cryptocurrencies to keep the transactions untraceable. Some cryptocurrencies are traceable, however, according to an October 15, 2019, report by CipherTrace. Bitcoin and Ethereum use public transaction ledgers containing the sender and receiver wallet addresses, allowing law enforcement to track payments. Unlike Bitcoin and Ethereum, Monero is a high-anonymity cryptocurrency with encrypted transaction information. In March 2020, the Sodinokibi/REvil hackers began using only Monero, according to an April 11, 2020, report by BleepingComputer. Other high-anonymity cryptocurrencies used by ransomware hackers include Dash and Zcash.

Ransomware during COVID-19

During the COVID-19 pandemic, hackers from different ransomware groups stated they would not attack health care and medical organizations, according to a March 18, 2020, report by BleepingComputer. This proved to be false. In March 2020, Maze hackers attacked a British COVID-19 test center, Hammersmith Medicines Research, and Sodinokibi hackers attacked a U.S. biotechnology company researching COVID-19 called 10x Genomics. 

By April 2020, the International Criminal Police Organization (Interpol) issued an alert because ransomware attacks against critical health care institutions were increasing. To keep medical facilities operational during the pandemic, security companies such as Emsisoft and Coveware offered free ransomware recovery assistance.

Recovering from Ransomware

Companies that pay a ransom receive a key to decrypt their data, but the decryption key does not always work. Some ransomware had recovery rates as low as 40%, while other ransomware variants came close to 100%, according to an April 29, 2020, report by Coveware. Because victims do not know whether the decryption key will work, they must have backups to recover from a ransomware attack.

Victims with a 3-2-1 backup strategy are in the best position to recover from a ransomware attack. With this strategy, an organization creates three backup copies of its data on two platforms, generally hard drives and in the cloud, keeping one backup copy offsite. Even with backup copies, victims will experience operational downtime.
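The following script is an added example, not part of the original article, showing how an organization can audit a backup inventory against the 3-2-1 rule described above. Because the skilled intruders described earlier may destroy network backups before the encryption stage, it also flags datasets with no copy isolated from production credentials. The inventory format, field names and sample entries are assumptions constructed for the example.

```python
# Added example: audit a backup inventory against the 3-2-1 rule (three copies,
# two kinds of media, one copy offsite) and additionally warn when no copy is
# isolated from the production network, since double-extortion crews try to
# destroy reachable backups before encrypting. Inventory schema is assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str     # logical data set, e.g. "finance-share"
    medium: str      # storage kind, e.g. "disk", "tape", "cloud"
    offsite: bool    # stored outside the primary site
    isolated: bool   # not reachable with production (domain) credentials


def check_3_2_1(copies):
    """Return {dataset: [problem, ...]}; an empty list means the dataset
    satisfies 3-2-1 and has at least one isolated copy."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, cs in by_dataset.items():
        problems = []
        if len(cs) < 3:
            problems.append(f"only {len(cs)} copy(ies); need 3")
        media = {c.medium for c in cs}
        if len(media) < 2:
            problems.append(f"all copies on one medium ({', '.join(sorted(media))}); need 2")
        if not any(c.offsite for c in cs):
            problems.append("no offsite copy")
        if not any(c.isolated for c in cs):
            problems.append("no copy isolated from the production network; "
                            "an intruder with domain credentials could destroy them all")
        report[name] = problems
    return report


# Constructed sample inventory (not real data): one compliant data set and one
# that has three copies but fails the media and isolation checks.
SAMPLE_INVENTORY = [
    BackupCopy("finance-share", "disk", offsite=False, isolated=False),
    BackupCopy("finance-share", "cloud", offsite=True, isolated=True),
    BackupCopy("finance-share", "tape", offsite=True, isolated=True),
    BackupCopy("hr-db", "disk", offsite=False, isolated=False),
    BackupCopy("hr-db", "disk", offsite=False, isolated=False),
    BackupCopy("hr-db", "disk", offsite=True, isolated=False),
]

if __name__ == "__main__":
    for dataset, problems in check_3_2_1(SAMPLE_INVENTORY).items():
        print(dataset, "OK" if not problems else problems)
```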

Recovery downtime averages 15 days, according to Coveware’s April report. Victims can minimize downtime and negative impacts by planning for attacks. They should create plans — incident response, business continuity and disaster recovery — and test them.

Every public, private and nonprofit organization is at risk of a ransomware attack, but they can reduce their risk through cyber defense and cyber hygiene actions. With ransomware hackers shifting to weaponized ransomware, organizations may want to consider the following steps:

  • Treat all ransomware attacks as a data breach.
  • Understand and prepare for advanced persistent threat tactics.
  • Identify, map and protect the organization’s sensitive data.
  • Identify, map and protect the organization’s supply chain (customers, vendors, partners, software applications, etc.).
  • Prepare for attacks originating from the organization’s supply chain (phishing, software updates, etc.).

Online resources are available to learn more about ransomware. The U.S. Cybersecurity & Infrastructure Security Agency provides ransomware security tips (ST19-001) through its website (www.us-cert.gov). The No More Ransom website (www.nomoreransom.org) is an initiative by the Netherlands’ Police National High Tech Crime Unit, Europol’s European Cybercrime Centre, and cyber security firms Kaspersky and McAfee. The website provides ransomware information and assists victims with retrieving their data for some ransomware variants. The MalwareHunterTeam website (https://malwarehunterteam.com) offers information about more than 600 ransomware variants and assists with ransomware identification.  

Ransomware Information Resources

The Carnegie Mellon University Software Engineering Institute recommends: https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

The National Institute of Standards and Technology released a draft guide for ransomware and other destructive events in January 2020: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/di-detect-respond-nist-sp1800-26-draft.pdf

The Center for Internet Security provides a primer for ransomware: https://www.cisecurity.org/white-papers/security-primer-ransomware/

Emsisoft identifies strategies for the detection and mitigation of data exfiltration: https://blog.emsisoft.com/en/35235/ransomware-data-exfiltration-detection-and-mitigation-strategies/

The Center for Internet Security provides configuration guidelines to safeguard systems: https://www.cisecurity.org/cis-benchmarks/

For security and privacy controls guidance on government systems, see the National Institute of Standards and Technology Special Publication 800-53 Revision 4: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf