By Pete Nicoletti, Field CISO, Americas, Check Point Software.
The ransomware ecosystem doesn’t stop at ransomware. It extends to DDoS attacks, stolen customer information, credit card numbers, and more, resulting in catastrophic financial and reputational damage to the victims. It also extends to affiliates, partnerships, and even integrated ticketing systems for managing in-progress, ransomware-related services, along with other innovative ways to monetize the initial intrusion.
Ransomware groups are even setting up legitimate-looking front companies and hiring employees, competing with universities and public companies for security talent, because the illicit business is so lucrative and there is so much money to offer.
The affiliate system is also widespread. For example, the DarkSide ransomware group launched an affiliate program and offered a 75-90% share of the ransom. REvil was also reported as having paid 30-40% of every ransom to affiliates. These affiliate systems even include call centers, translation services, encryption-key management, and the encrypted voice calls used in triple-extortion attacks.
There is a whole economy in which ransomware providers are competing with each other over price and service – all because businesses are paying and losing the fight.
Forms of leverage
Ransomware utilizes the model of leverage to get people to pay to regain access to their data, and this has evolved in various ways. Before I discuss how ransomware has evolved in modern times and how disturbing this is, let me give you some background information on ransomware’s history.
In the beginning, it was simply a matter of compromising a server, scanning for additional vulnerable hosts, encrypting them, and demanding payment in exchange for the decryption keys.
Later, this evolved into double extortion. The attackers would steal data before encrypting the machines, then demand a second payment to keep the stolen data from being publicly released; paying does not get the data "back," since the attacker keeps a copy.
For example, a contract manufacturer in Taiwan was breached and the plans for an Apple device were stolen. The attackers demanded $50 million or else they would release the blueprints for the next Apple device. What happened next? Apple made it go away quietly, and there has not been much public discussion of what Apple did, so we can only speculate on the actions they took.
Now, we are seeing triple and quadruple levels of extortion. Their leverage has increased and their techniques have become more advanced, and they are making more money off our security failures.
A quadruple extortion ransomware consists of the following elements:
- Encryption of the data and a demand for a cryptocurrency payment in exchange for the decryption key
- A threat to release stolen data if an additional ransom is not paid
- DDoS attacks launched against the victim’s site unless yet another ransom is paid
- Blackmail of the individual customers whose data was involved in the initial breach
By applying more pain to the victim organization and to others affected by the compromise, attackers have been able to demand and receive higher ransom amounts.
We have also seen "double downs," where the company pays for the decryption key and gets its business back online, only for the attackers to exploit and extort it a second time.
July 4th long weekend Kaseya attack
The ransomware attack on Kaseya, a software firm, was a true supply chain attack. So what exactly happened, and why was it significant? Every aspect of this attack set a very bad precedent.
The companies using the software depended on the vendor’s update process, and they trusted the firm to manage their vulnerability management and remote administration. Many MSPs were using this tool on behalf of their customers as well, and the attackers knew that. They learned from the SolarWinds attack that if you compromise one company you can amplify your attack, and that is exactly what occurred in this case, where one attack led to the exposure of roughly 1,500 downstream companies.
So how did the FBI handle the situation?
The FBI had quietly obtained the decryption key for all the different victims, but held onto it for almost three weeks. I had a contact tell me that the FBI figured it was more valuable to take down the ransomware group than to have the businesses suffer losses.
Now, when you start adding up outage costs, the amount of money lost is substantial. Back when I was at Hertz, an outage could cost up to $20,000 a second. So when you do the math on the Kaseya incident and add all the extra legal and recovery costs on top of lost revenue, the total losses run into the hundreds of millions of dollars.
Somewhere in Washington, someone thought that the benefits to our justice system exceeded the costs that these businesses suffered. Personally, I submit to you, that was the wrong decision.
Do arrests matter?
There were arrests made, but will threat actors care?
If you look at the FBI’s most wanted cyber criminals, there are rewards of up to $50 million for some of these threat actors. The FBI recently arrested two people, one in Poland and one in Lithuania, and recovered a considerable amount of ransomware payments. The U.S. government also announced another $10 million reward for information leading to the arrest of the remaining leaders of REvil.
However, this does not deter the attackers. The rewards of the crime are too substantial, and if they operate out of Russia, where there is no extradition agreement, they will continue launching ransomware attacks.
The tools and the ecosystem are already out there, the affiliates are willing to do all the work, and our companies keep leaving their guard down and paying. As long as that formula is in place, we are going to continue to see ransomware attacks.
Is prevention a lost cause? Not quite – here is what you should do
If you are still using Gen III firewalls and related protection technologies, or best-of-breed tools that aren’t talking to each other, or you don’t have API integration in place so that your SIEM and SOAR tools work together, then you have to assume your company could suffer a ransomware attack.
Here’s what you need to start doing.
Back up your systems and invest in vulnerability management. Most ransomware intrusions do not need zero-days; they exploit known vulnerabilities that were left unpatched. Patch all your systems, all of the time.
Protect your email inbox; the most common attack vector for ransomware is phishing. Phishing attacks soared during the pandemic and will only continue to increase in number and sophistication. If you’re not deploying the latest AI-enhanced, API-based email protection, then make sure you have immutable backups in place and keep your incident response plan on your desk, because your employees will click on an enticing email.
Also, keep your recovery time objective (RTO) in mind. How long does it take to restore from bare metal? If you restore from backups or snapshots, how long will it be until you’re processing credit cards, taking phone calls, and running your business again? You have to recover quickly, and the only way to know your recovery time is to rehearse the restore and measure it, verifying that what comes back matches what went in.
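The restore drill described above, as an added example that is not from the original article: it backs up a constructed sample data set, records a SHA-256 manifest that would be kept out of band (so an attacker who can rewrite the backup cannot also rewrite the manifest), restores the archive, verifies every file against the manifest, and reports whether the elapsed time met the RTO. The file contents, the 300-second RTO, and the "tampered backup" scenario are all assumptions made for the demonstration.

```python
"""Restore-drill helper: measure restore time against an RTO and verify the
restored files against a SHA-256 manifest. Added example, not code from the
article; sample data, paths and the RTO value are constructed assumptions."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict

# Constructed sample "production" data set (assumption for the demo).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "app/config.ini": b"[payments]\nendpoint=https://example.invalid\n",
    "docs/runbook.txt": b"1. restore\n2. verify\n3. reopen for business\n",
}


def sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tar of src and return {relative path: sha256}.
    The manifest is the part to keep immutable and off the network:
    it is the reference the restore is checked against."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, dest: Path,
                       manifest: Dict[str, str], rto_seconds: float) -> dict:
    """Restore archive into dest, check every manifest entry, and report
    whether the drill met the recovery time objective."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        # Use the hardened 'data' extraction filter where Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    elapsed = time.monotonic() - start
    missing = [rel for rel in manifest if not (dest / rel).exists()]
    mismatched = [rel for rel, digest in manifest.items()
                  if (dest / rel).exists() and sha256(dest / rel) != digest]
    return {
        "elapsed_seconds": elapsed,
        "rto_met": elapsed <= rto_seconds,
        "missing": missing,
        "mismatched": mismatched,
        "integrity_ok": not missing and not mismatched,
    }


def run_drill(rto_seconds: float = 300.0, tamper: bool = False) -> dict:
    """End-to-end drill on the constructed data set. With tamper=True the
    backup copy is rebuilt after a file was altered (as an intruder with
    write access would do), while the out-of-band manifest still reflects
    the known-good state, so the mismatch is caught at restore time."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, archive = root / "prod", root / "restore", root / "backup.tar.gz"
        for rel, data in SAMPLE_FILES.items():
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest = make_backup(src, archive)
        if tamper:
            (src / "db/customers.csv").write_bytes(b"id,name\n1,ENCRYPTED\n")
            make_backup(src, archive)  # rebuild the archive, keep the old manifest
        dest.mkdir()
        return restore_and_verify(archive, dest, manifest, rto_seconds)


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(tamper=True))
```

The point of the drill is the pairing: timing alone tells you whether you can be back online before the outage cost becomes unbearable, and the manifest check tells you whether what came back is the business you had, rather than data the attacker had already altered before the backup ran.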
Should organizations pay the ransom? What should organizations do if they’ve been hit and are trying to recover?
In my opinion, no, you shouldn’t. If you pay the ransom, you’re funding the ecosystem for additional hacks, and it’s a self-fulfilling prophecy that additional people will be hacked.
If your hair is on fire, you better at least have a sketch of a plan of what you’re going to do. Call in the experts, or call in an incident response team.
If you’re really in a bad situation, your backups aren’t coming online, your revenue loss is too high, and everyone is screaming "pay the ransom," then don’t do it directly. Engage a ransomware negotiator; they can actually save you money. Instead of paying $6 million, you might only have to pay $60,000. There is an entire white-hat ecosystem fighting the ransomware groups, and at least they are the good guys and on your side.
Are there any guarantees that if you pay, you will recover your data?
Roughly 60% of organizations that pay actually receive a working decryption key. Think of it like this: if nobody received a key, it would break the entire business model for the bad actors, because it would remove any trust that organizations still have in getting their data back. How ironic is it that we have to trust our attackers to provide the decryption key?
What to do in 2022?
In conclusion, if you want to prevent ransomware, your organization must move toward a preventive posture, not just detecting the threat. Next, fund the tools that your CISO is requesting. Ransomware is joked about as a "budgetary creation event."
Do it now and invest in ransomware prevention, or do it with your hair on fire, spending triple or more after a hack while suffering business downtime, loss of proprietary or customer information, and a death blow to your reputation. It’s time to get your prevention tools in place and starve the ransomware gangs and their illicit ecosystem.
Lastly, for more insights, analyses and robust resources, sign up for the CyberTalk.org newsletter.