Combating Ransomware

How should companies respond to the increasing threat of ransomware attacks? Darren Mullins of Accuracy takes a closer look at the latest trends using case examples.

There’s no question that the most severe cyber threat of 2021 and for the foreseeable future is Ransomware. Why? Money, and money that is more easily obtainable than through most other forms of cyber-attack. The use of this malware brings cybercriminals significant income and will continue to do so. According to cybersecurity technology company Bitdefender, global Ransomware reports during 2020 saw a 485 per cent year-on-year growth[1], as attacks have begun to focus on maximising profits by going after selected high-value victims.

The most recent global survey by email security company Mimecast found that 78 per cent of businesses in the UAE responded that they had been a victim of a Ransomware attack in 2020,[2] a considerable increase from the 66 per cent of companies that reported such disruptions in the preceding year.

Further, Ransomware attacks may not get the attention that they deserve because such attacks are rarely reported to the police, with Europol recently confirming that “approaching police to start a criminal investigation was not generally a priority for victims”[3]. Due to reputational damage or a focus on recovery, an unknown number of attacks never get reported. In addition, while a global survey showed that over half of Ransomware victims pay the ransom, only a quarter of victims (regardless of whether they pay) see their complete data returned[4]. Therefore, whilst these surveys suggest that Ransomware is the most significant cyber threat facing everyone from governments to private companies, the actual impact may not be readily apparent to the individual on the street, resulting in more substantial risk.

Ransomware

Ransomware has many forms, but it generally refers to extortion software that can encrypt data and then allow a criminal to demand a ransom for the data’s return. Depending on the form of Ransomware, either the complete operating system of a computer or individual files are usually encrypted. There is even a form of Ransomware attack that may not encrypt any data at all. This is where the user is subjected to ‘scareware’, a class of malicious software that tricks a user into believing they have a computer virus. However, in all cases, some form of ransom demand follows. This can be in the form of a request for a payment in cryptocurrency or a demand that the ransom be paid as a purchase of software to ‘remove’ the Ransomware.

It is imperative to keep in mind that the individuals and groups that operate Ransomware schemes are criminals. Paying the cybercriminals doesn’t guarantee that you’ll get your data back as negotiations are common, with only partial data being returned once the initial ransom has been paid. Sometimes the criminals take the money and run and may not have even built decryption functionality into the malicious software. However, any such malware will rapidly get bad press and will reduce the likelihood of producing future income, which is contrary to the methodologies that make Ransomware a success. Further, cybercriminals are becoming more and more innovative and looking to expand their money-making schemes by developing new methodologies.

Latest trends

A new trend in the modus operandi of Ransomware criminals is the disclosing or selling of data stolen from victims who refused to pay the ransom to unencrypt data. With this kind of threat, known as ‘double extortion’, the victims, who might even have a backup of the original data, are extorted to pay more based on the threat of having their sensitive data leaked or sold on the Internet. Some cybercriminals take it to an even further level, ‘triple extortion’ mode, by threatening not only to leak the data but to inform the media, customers, stakeholders, boards, and other third parties of the leak.

The notorious ransomware operators known as Maze were the first to use this extortion method, and other cybercriminals saw the advantage of using it. They are businessmen and women, and as such, they commit time to cultivate their reputation and actively engage with the media, commenting on rumours and refuting false information, thus achieving increased publicity.

The most well-known Ransomware criminals at the moment are the group known as Darkside, after their Colonial Pipeline attack in the USA. They are also being innovative and establishing new lines of business to increase profits. For example, they are openly enticing stock traders to contact them and—for a fee—receive intelligence on the group’s latest industry ‘clients’ (targets) so that the stock traders can short sell the targets’ stock before any wrongdoing goes public. This is a ploy that can equally be used as a threat to strengthen any ransom demand against a target. As stated by the Darkside Leaks website: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication so that it would be possible to earn at the reduction price of shares. Write to us in ‘Contact Us,’ and we will provide you with detailed information.”[5]

Next steps

This year will undoubtedly highlight the role of Ransomware in every company’s list of business-critical threats. The US government is reportedly considering how to respond to the Darkside attack, which resulted in four states declaring a state of emergency. Ireland’s health service is battling the repercussions of an attack that placed many hospitals in offline mode. Thus, the world is beginning to wake up to a threat that has the potential to cause much more profound devastation than just a superficial digital bribery attempt.

State-backed actors and organised crime are, for the most part, responsible for these high-profile attacks, but each comes with a knock-on effect that is felt far down the logistics chain and results in much more significant damage. The Colonial Pipeline attack left gas stations and vehicle owners feeling the impact and has served as more than just a ‘red flag’ to other businesses who are not ready for such attacks.

Improved security policies and greater use of user education will limit the potential for Ransomware to affect a company; however, this is likely only to stem the oncoming tide. More is needed to reduce the threat and impact of Ransomware.

Cyber insurance

The prevalence of cyber insurance policies offered by large insurance companies has grown steadily over the past several years to help companies recover from cyber breaches. Such policies may now include an option whereby insurance pays the ransom, offering a level of comfort should the worst happen.

The issue is that paying a ransom in such a case is now akin to negotiating with terrorists. It encourages rather than dissuades, providing the funds and encouragement for further attacks. AXA Insurance, a global name in the insurance market, recently announced that they would no longer provide coverage for ransom payments in their policies[6]. This move was very much in line with the belief that the best way to reduce the prevalence of Ransomware is to restrict potential pay-outs. However, the (perhaps predictable) result was that within days, cybercriminals successfully deployed Ransomware on AXA’s systems in a division of their Asian business as a warning.

Regulate and sanction

The modus operandi of Ransomware, whereby cybercriminals target victims in different jurisdictions, makes it difficult and time-consuming for law enforcement and private sector bodies to investigate and track the perpetrators. Weaknesses in cross-border cooperation among countries further complicate the situation and are taken advantage of by the criminal fraternity. The weakness in government responses to Ransomware creates the uncomfortable question of whether the most effective means of prevention is to impose sanctions on victims or on paying ransoms through cryptocurrencies.

In my opinion, the answer has to be yes, given how essential cryptocurrency is to Ransomware attacks. Most offenders further use chain hopping to skip between different cryptocurrencies to hide their tracks. Remove this avenue of anonymity, and it becomes a far more challenging task to avoid detection.

How can we regulate something as ethereal as cryptocurrency? Through the requirement that cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks comply with Know Your Customer and Anti-Money Laundering laws, regulations, procedures, and best practices. There would be obvious difficulties in implementation and how such requirements could be enforced across the globe, but it will start to cut off easy access to the ill-gotten gains. Remove the profits, and it reduces the risk.

We will have to wait and see how governments intend to tackle Ransomware in their Cyber Strategies and whether these frameworks and their recommendations will influence approaches by businesses. However, it is clear that without a concerted international effort to reduce the impact of Ransomware, it will continue to heighten the fear of operating online.

Text by:

Darren Mullins, partner, Accuracy

 

Footnotes:

[1] https://www.bitdefender.com/files/News/CaseStudies/study/395/Bitdefender-2020-Consumer-Threat-Landscape-Report.pdf

[2] https://www.mimecast.com/resources/press-releases/dates/2021/4/the-state-of-email-security-report/

[3] https://www.zdnet.com/article/ransomware-victims-arent-reporting-attacks-to-police-thats-causing-a-big-problem/

[4] https://www.kaspersky.com/about/press-releases/2021_over-half-of-ransomware-victims-pay-the-ransom-but-only-a-quarter-see-their-full-data-returned

[5] https://www.scmagazine.com/home/security-news/ransomware/ransomware-gang-offers-traders-inside-scoop-on-attack-victims-so-they-can-short-sell-their-stocks/

[6] https://www.insurancejournal.com/news/international/2021/05/09/613255.htm
