Ransomware has become one of the most dreaded problems in the cyber world and it’s only getting worse. Much worse!
Traditionally, ransomware was a trojan horse malware program which, once it landed on a new host computer, simply went off, encrypted all the data it could find, and showed the user an onscreen message demanding a particular ransom amount in an untraceable cryptocurrency. That was bad enough. These days, ransomware has become much worse, and a great backup isn’t going to save you. How has it gotten worse?
Analysis, Then Exploitation
The first major change is that when ransomware breaks in, it doesn’t just encrypt a single computer and send the ransom message. Ransomware criminals have become thoughtful, taking the time to maximize the potential damage and payoff. These days the ransomware (or some other related dropper program) breaks in or gets accidentally installed and then it “dials home” and tells the criminal manager that they have achieved initial root access into a new environment.
Then the attacker, at a time of their choosing (it could be minutes or it could be many months later), leverages the initial root access to do further exploits and exploration within the newly compromised organization. Most ransomware hackers use a host of other tools to break into other computers on the same network and to find particular types of data.
They look around, read email, find data troves, and figure out two things: First, they discover what data and computer resources comprise the organization’s crown jewels. What, if suddenly encrypted, would cause the most panic, pain, and operational disruption? Second, they find out how that data is backed up and what they can do to interfere with that process. Ransomware hackers are commonly known to delete or additionally encrypt online backups. If you can touch your data backup online, so can they.
They Know How Many Days Of Backup Corruption They Need
They are even smart enough to figure out how many days of backup corruption they need to do to ensure the company isn’t going to have a chance at restoring the data on their own without the ransomware decryption key. Many organizations think that if they store some backups offline or offsite that they are protected. This isn’t always true if the hacker can corrupt or encrypt that backup while it’s online before it gets moved to an offline status. Many ransomware victims thought they had good, solid backups that attackers could not manipulate only to find that it was all a mirage.
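One defensive answer to the backup problem above is to keep the proof of what a backup looked like somewhere the intruder cannot reach, and to check the online copies against it before the retention window rolls the last good copy away. The following is an added example, not code from the original post: it records a SHA-256 manifest of each daily archive at backup time (the manifest is assumed to be written to offline or write-once media), later re-hashes the online copies, reports which restore points are intact, missing, modified or unexpected, and uses Shannon entropy as supporting evidence that a modified archive was overwritten with ciphertext-like data. The directory layout, file names and tampering pattern are all constructed for the example.

```python
"""Added example: verify online backups against an offline-held hash manifest.

Assumptions (constructed for this example): daily archives named
backup-YYYY-MM-DD.bin in one directory; the manifest {name: sha256} was
written at backup time to media the intruder cannot modify.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain backups of text sit well below the ~8.0 of ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def verify_backup_set(backup_dir: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every archive on disk with the offline manifest.

    Statuses: 'ok' (hash matches), 'modified' (hash differs), 'missing'
    (listed in manifest, not on disk), 'unexpected' (on disk, not in manifest).
    """
    statuses: Dict[str, str] = {}
    present = {p.name for p in backup_dir.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        if name not in present:
            statuses[name] = "missing"
        elif sha256_file(backup_dir / name) == expected:
            statuses[name] = "ok"
        else:
            statuses[name] = "modified"
    for name in sorted(present - manifest.keys()):
        statuses[name] = "unexpected"
    return statuses


def intact_restore_points(statuses: Dict[str, str]) -> List[str]:
    """Names of archives that can still be trusted for a restore, oldest first."""
    return sorted(name for name, status in statuses.items() if status == "ok")


def build_sample_backups(backup_dir: Path) -> Dict[str, str]:
    """Constructed sample: seven daily archives plus the manifest taken when they were made."""
    manifest: Dict[str, str] = {}
    for day in range(1, 8):
        name = f"backup-2020-01-{day:02d}.bin"
        path = backup_dir / name
        path.write_bytes((f"payroll,export,day={day}\n" * 200).encode())
        manifest[name] = sha256_file(path)
    return manifest


def simulate_tampering(backup_dir: Path) -> None:
    """Constructed intruder activity: days 3-6 overwritten with random bytes (what an
    encrypted archive looks like), day 2 deleted, and a stray file dropped in."""
    for day in (3, 4, 5, 6):
        (backup_dir / f"backup-2020-01-{day:02d}.bin").write_bytes(os.urandom(4096))
    (backup_dir / "backup-2020-01-02.bin").unlink()
    (backup_dir / "notes.txt").write_bytes(b"constructed stray file")


def demo() -> Tuple[Dict[str, str], List[str], Dict[str, float]]:
    """Run the whole check on the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp)
        manifest = build_sample_backups(backup_dir)  # would now be moved offline
        simulate_tampering(backup_dir)
        statuses = verify_backup_set(backup_dir, manifest)
        entropies = {
            name: shannon_entropy((backup_dir / name).read_bytes())
            for name, status in statuses.items() if status == "modified"
        }
        return statuses, intact_restore_points(statuses), entropies


if __name__ == "__main__":
    found, intact, ent = demo()
    for name in sorted(found):
        extra = f"  entropy={ent[name]:.2f}" if name in ent else ""
        print(f"{name:28s} {found[name]}{extra}")
    print("usable restore points:", intact)
```

The manifest only proves a copy matches what was written at backup time; it says nothing about whether the source data was already encrypted when that backup ran, which is why the check is most useful when run daily so the oldest intact restore point is known before the retention window expires.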
The early days of ransomware immediately executing and encrypting whatever computer it is on are long gone! Today, the ransomware adversaries do their forensic analysis to guarantee their victim will sustain maximum damage and operational risk. And they are getting pretty good at it. A few years ago, less than a quarter of the victims paid the ransom.
These days over half and edging over three-quarters of victims pay up
These days, it’s well over half and edging over three-quarters of victims. Some of the firms who focus on helping ransomware victims recover their operations say they rarely see a victim who doesn’t pay the ransom. Even many of the ransomware recovery companies who claimed to have great success recovering a victim’s data without the ransomware decryption key were later found out to be secretly paying the ransomware hacker to get and use the decryption key, and just lying to their customer about how the data was recovered.
The old adage of “Never pay the ransom, it only encourages them!” has been replaced with “Pay the ransom and you’ll be up weeks earlier with far less lost money.” Ransomware has gone pro.
It used to be that if the targeted firm had a really good, tested backup and restore program, ransomware had fewer fangs. The potential victim could tell the ransomware hackers to go eat grass. The targeted organization could shut down their network, stop the spread of damage, restore the impacted systems, go on with life, and frustrate the hackers. Job well done!
But a few years ago, the ransomware hackers started to take an additional insurance policy for their side – they started to steal the crown jewel data before they encrypted it and threaten to reveal it to the world if they were not paid. Good luck getting saved by a great data backup. No company wants their personal and confidential data and intellectual property released to the world.
Sony Pictures was one of the first major companies to have their internal emails and data publicly released (https://en.wikipedia.org/wiki/Sony_Pictures_hack) in 2014. The private email conversations alone, revealing intimate conversations between top executives, sometimes disparaging some of their top movie stars, led to business consequences they are still feeling to this day. Think about it. Does your company ever discuss customers and sales tactics that are perhaps not intended for the customer or general public? Does your company have intellectual property and operational details and plans they would rather their competitors not know? Ransomware is now making the threat of malicious data leaks a new major reality.
New Subclass: Data-theft Ransomware
Data-stealing ransomware has become so common that it has its own subclass known as data-theft ransomware. Several ransomware strains and gangs now concentrate on it. Stories about data-theft ransomware started to come out in 2018, and the year 2019 proved to be its introduction to the larger world. Here’s an example: https://www.zdnet.com/article/another-ransomware-strain-is-now-stealing-data-before-encrypting-it/. Data-hostage taking is only going to get worse and more popular in 2020 and beyond.
Brian Krebs revealed (https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/) that a corporate ransomware victim, which was previously thought to be fairly on top of the attack, was having some additional long-term repercussions because the ransomware hackers stole passwords to other sites and services the company used.
When the company proactively detected the ransomware, disconnected from the Internet, changed their network passwords, and cleaned and rebuilt infected computers, they thought they had contained the damage. It’s what most companies would have thought. Turns out the hackers stole other logon information to external sites and services, and started to use that against the company and its other business relationships. Lesson learned: now you have to change every password used by your company, not just the traditional computer and network passwords.
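The lesson above has a timing edge case that trips up incident responders: a password changed while the intruder was still inside (between detection and the point where the environment was actually clean) may have been captured again, so it counts as rotated too early, not as clean. The following added example, not code from the original post, triages a credential inventory against those two dates and lists external logins first, since those are the ones later used against the company's business relationships. The inventory, dates and credential names are constructed for the example; in practice the list would come from a password manager or identity provider export.

```python
"""Added example: post-incident credential rotation triage.

Constructed inventory entries: (credential name, where it is used, date last rotated).
"""
from datetime import date
from typing import Dict, List, Tuple

Credential = Tuple[str, str, date]

# Constructed sample inventory; names and dates are placeholders for this example.
INVENTORY: List[Credential] = [
    ("ad-domain-user-accounts", "internal", date(2020, 1, 10)),
    ("vpn-shared-secret", "internal", date(2020, 1, 10)),
    ("bank-portal-treasury", "external", date(2019, 6, 1)),
    ("payroll-saas-admin", "external", date(2020, 1, 10)),
    ("cloud-storage-api-key", "external", date(2019, 12, 30)),
    ("supplier-portal-login", "external", date(2020, 1, 22)),
]


def triage_credentials(
    inventory: List[Credential], detection_date: date, eradication_date: date
) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every credential by when it was last rotated.

    'clean'             rotated on or after eradication_date, when the intruder was out
    'rotated-too-early' rotated on or after detection but before eradication: the intruder
                        may still have been inside and seen the new value, so rotate again
    'stale'             not rotated since detection at all
    Within each bucket, credentials for external sites and services are listed first.
    """
    if eradication_date < detection_date:
        raise ValueError("eradication_date must not precede detection_date")
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "clean": [], "rotated-too-early": [], "stale": []
    }
    for name, scope, last_rotated in inventory:
        if last_rotated >= eradication_date:
            buckets["clean"].append((name, scope))
        elif last_rotated >= detection_date:
            buckets["rotated-too-early"].append((name, scope))
        else:
            buckets["stale"].append((name, scope))
    for items in buckets.values():
        items.sort(key=lambda item: (item[1] != "external", item[0]))
    return buckets


def rotation_worklist(buckets: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Everything that still needs a new secret, stale ones first, externals before internals."""
    return [name for name, _ in buckets["stale"]] + [
        name for name, _ in buckets["rotated-too-early"]
    ]


if __name__ == "__main__":
    # Constructed timeline: ransomware detected on 10 Jan, rebuild finished on 20 Jan.
    result = triage_credentials(INVENTORY, date(2020, 1, 10), date(2020, 1, 20))
    for status, items in result.items():
        print(f"{status}: {items}")
    print("rotate now:", rotation_worklist(result))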
Phishing Your Customers
Ransomware hackers are also collecting your contact lists and reading emails to figure out how to leverage your existing contacts and the trust you have fought to foster with your customers and other business relationships to do further harm. They often send spear phishing emails from your own computers to companies and people you already have an existing relationship with.
And what they send and ask for is often only a slight deviation from what you have legitimately sent before. Perhaps they ask the receiver to send a payment to a new bank account, to pay a new invoice, or they inject themselves into an existing, ongoing email thread and ask the user to review a new document. Either way, even if you clean up and eradicate the ransomware, the hackers could be using your organization and its goodwill to spider out to further victims.
Ransomware hackers have woken up to the fact that the inside access they have gained to any organization can be worth so much more than simply encrypting data and causing operational interruption. When they are inside your company, they can do nearly anything they want, only limited by the hardware, software, sites, services, and connections your company uses to conduct its own business.
The Real Problem
The real problem isn’t ransomware and what it does once it’s in your organization, but how it got in. Ransomware is a symptom of a larger problem. It got into your organization by social engineering, phishing, unpatched software, a misconfiguration, a password attack, or some other root cause, and in doing so bypassed your anti-malware detection software and every other defense you have.
Any malware or hacker attack that gets by your existing defenses indicates a weakness in your defense-in-depth that any malware program or hacker could exploit. Put another way, the world could stop every ransomware attack in the world and the world’s computers would still not be safe. When hackers and malware are able to get inside your organization, whether it’s only for a few seconds or for months without detection and removal, you have a problem. Criminals and malware can do anything they want to your environment. Malicious encryption is just one of those things.
What To Do About It
You must do your best to prevent ransomware and all malware and hackers from getting access within your environment. And for what you can’t prevent, you need quick, early detection followed by crisp incident response to minimize damage. Prevention and detection require that you implement the best technical controls and security awareness training possible.
Technical controls include every piece of software, hardware, and service that you deploy to prevent bad cyber things from getting into your environment, including access controls, authentication, endpoint protection, event monitoring, and backup.
No matter how great the technical controls, some amount of badness will get by to your end-users. You must give them solid security awareness training to help them recognize those threats and know how to handle them. How to have the best security awareness training program used to be a guessing game. It isn’t any longer.
The best security awareness training happens by training all employees to have a healthy level of skepticism and the ability to spot and handle potentially malicious threats. You do this best by doing regular training (even if it's only 5 minutes per month), sending frequent simulated phishing campaigns (at least once a month), and using both training tools to build the best level of healthy awareness of the most likely attacks. You want to train and test your employees before the hackers do. Don’t let the bad guys be the first ones to test your employees’ ability to spot malicious emails.
Lastly, figure out the top ways hackers and malware get into your organization. Is it social engineering and unpatched software, as for most organizations, or do other threats have to be considered? Then go about implementing the best technical and training controls to minimize those root causes. For most of us that means better fighting social engineering and better patching the most likely exploited software programs.
Ransomware is hackers and malware gone professional. We thought the encryption of data was bad enough. It’s about to get much worse and a good data backup alone is not going to save you.