One of the biggest cyber threats currently faced by organisations is the one posed by a successful Ransomware attack.
This threat has been growing for some time and has constantly evolved; in the early days’ mistakes around the encryption methods and management of private keys for decryption meant that some Ransomware strains could get decrypted by publicly released tools or keys. These flaws have, in the main, been addressed, which means if you get ‘hit’ with a Ransomware strain now the chances of decryption without paying the attackers is challenging at the very least and is more arguably non-existent.
“It is important to understand that the term Ransomware covers numerous types of attack but a key thing to note is that most of these attackers are not hacktivists but organised crime groups, who do it to generate illicit revenue. This is an important point because, in a similar way to a legitimate business, the criminals too will be subject to market and as such, the more successful ones will adapt and evolve in line with economic forces.” – Simon biggs
The ransom amounts demanded used to be quite low and attackers typically went for quantity, scanning and exploiting vulnerable targets en-masse and relying on their volume of payments. In response, awareness campaigns and remediation after attacks has meant the victim pool for this sort of attack has shrunk. The technical barrier to entry is also lower meaning there is more competition for “market share”. This has led to a worrying trend of more sophisticated attacks that then demand six or even seven figure ransoms to decrypt the data, particularly when the victim Is a global enterprise.
If the organisation doesn’t have backups, then quite often there is little choice but to pay as the victim cannot operate without the data. This then fuels a vicious cycle where organisations pay, the attackers get rewarded and this in turn incentivises further attacks. One of the best ways of thwarting Ransomware is to ensure that you have sufficient defences deployed in depth to prevent being a victim in the first place but, failing that, reliable and easily restorable backups can certainly help avoid having to pay a hefty ransom. The attackers are also aware of this fact however and the articles below report what is probably going to be a more frequent response, the exfiltration and sale of sensitive data.
When our cyber security specialists arrive onsite following a request for assistance with a Ransomware attack, the main question clients generally ask is if any data was exfiltrated. In most Ransomware cases we deal with this doesn’t appear to be the case. Exfiltrating data can be ‘noisy’ both to cyber security products and staff who are monitoring the network. This is part of the reason Ransomware works so well, it can use existing functions in the environment to achieve what it needs to do and hence be far stealthier than large scale data extraction. The other factor in play is that the attacker wants money and they can normally get this easier through encrypting the data and ransoming the decryption method. Once more, it basically boils down to economics.
The benefits of better backups as a result of education and increased security awareness means that attackers will find they get paid for decryption less often so they will need to adapt to the changing market conditions in order to continue their revenue generation. It appears that in response to this that some groups are exfiltrating data and then threatening to auction it. This is a very worrying trend for several reasons; the potential reputational damage is far greater, the regulatory fines are likely to be larger and the cost of managing the incident will be exponentially higher with the likelihood of litigation action by clients who are affected by the data leak.
The bad news is that if an attacker has been able to get enough access to encrypt all of an organisations data then they will almost certainly have the access required to exfiltrate the data, so this evolution by attackers makes complete business sense. The attackers will achieve less volume but will ask for higher ransoms to offset the drop in revenue. So, what does this mean? It means that good backups will not be enough to protect from this threat and if your organisation handles sensitive third-party information it may end up a target for a sophisticated attack. Be aware of and alert to this possibility.
What can my organisation do?
Preparation is vital and ensuring you have defence in depth is key to not being a victim in the first place. This should include:
- A Security Information and Events Management (SIEM) system
- Regular vulnerability scanning
- Regular penetration tests
- Regular cyber security training for staff
- Table-top exercises
- Identification and retention of a cyber security consultancy
- A robust incident response policy
- Simulated phishing attacks
If you have been a victim of this type of attack you may need expert advice to help deal with the incident and to learn the lessons, thereby reducing the risk of your becoming a repeat victim.