When it comes to ransomware conventional wisdom says you should never pay. Often, however, the reality is not as simple as that. If the data cannot be retrieved from your backup solution or if the encrypted information is business critical the company may have little choice but to shell out. According to Kaspersky more than one-in-three organisations pays up. Unfortunately for them that’s not necessarily the end of the story.
About the author
Patrick Martin, Senior Threat Intelligence Analyst, Skurio.
Modern ransomware doesn’t stop at data encryption. It also exfiltrates the data. With this comes the very real risk of it eventually finding its way onto the shady markets of the Dark Web to be shared or sold on over and over again. As far as the hackers are concerned ransomware is the attack vector that keeps on giving. Against this backdrop, the best advice for businesses is to prepare for the worst and know how to respond.
One of the most effective techniques is to include specially tagged dummy data in your system. It means that when a ransomware attack hits you can use a specialist monitoring service to trace if any of your watermarked data is out there on the dark web. Once confirmed, quick and decisive incident response and remediation steps can take place.
With its potential to grind a business’s entire operation to a halt, ransomware is arguably one of the most feared of all cyber threats. This reputation has been cemented by the fact that major ransomware incidents are never far from the headlines, usually accompanied by ever-rising numbers of days lost to disruption, ransom demands and recovery costs.
Capitalizing on this notoriety, cyber criminals have become increasingly bold and the average ransom demand has inflated to £10,000. This figure rises further once disruption and clean-up costs are factored in. In one prominent example, a serious outbreak suffered by the city of Baltimore was estimated to cost more than £14 million to rectify and in lost revenue while payment systems were offline.
Typical ransomware tactics include blocking access to the victim’s data or threatening to publish it on a public website unless a ransom is paid. If this wasn’t already enough to worry about, there are signs over the last 12 months that the ransomware threat may have entered a troubling new phase. Cybercriminals have started to ramp up the pressure by adding data exfiltration to their attacks. The strategy of pairing ransomware attacks with data exfiltration is a relatively recent development, but it’s one that is gaining traction.
The top ransomware of 2019 – Ryuk, Maze, BitPyLocker, Trickbot, Revil/Sodinokibi and Emotet – all feature data exfiltration capabilities. Ryuk and Sodinikibi alone accounted for a 104% rise in ransom payments in the fourth quarter (up from £32,000 in Q3 to £65,000 in Q4).
Sodinokibi, in particular, earned considerable infamy after the malware was used to disrupt German automotive parts manufacturer Gedia Automotive Group, which was forced to shut down its IT network to protect connected industrial infrastructure. Gedia stood firm and refused to bow to the ransom demand. Shortly after however, the group claiming to be responsible for the attack began advertising on a Russian-underground forum for the sale of over 50GB of sensitive information, such as blueprints, stolen from Gedia.
Tactics like this allow attackers to threaten their targets with a double blow. If a victim refuses to comply with the ransom demand, they must face the possibility that large amounts of highly confidential, personal information may be distributed on the Dark Web. And yet, even if they comply and pay up, there is no guarantee that the criminals will not leave their systems locked down or sell off the captured data. Stolen data is commonly used as additional leverage to coerce a payment. Industry experts advise against ever yielding to ransom demands.
The reason being that even if the criminals fully restore the systems and stolen data, everyone that pays up simply serves to perpetuate the problem of ransomware as an effective money spinner for cyber criminals. Perfectly sound advice, indeed, until you suddenly find yourself on the receiving end.
Plan for the worst
Until such time a future-proof defense against ransomware can be found organisations have little alternative but to plan for the worst. This means they must face up to the possibility that business confidential data may well be exfiltrated and distributed to the deep web to be traded on Dark Web forums. There is nothing to prevent perpetrators from simply bluffing about successfully exfiltrating critical files during an attack. Even if the thieves share a sample of the stolen data, it is not conclusive proof it was taken during a ransomware attack, or that they have copies of all the other data they are claiming to hold. Instead, the data could conceivably have been stolen at another point in time, or even from a third party. The first step must therefore be to confirm whether the data has really been stolen.
An effective way of verifying if data has come from your systems is to tag certain data sets in advance with dummy information. The technique involves seeding employee and customer databases with synthetic identities – information pertaining to made-up personas that only reside inside your systems’ databases. Watermarking data together with a combination of automated and manual investigation techniques is a sure-fire way to track your digital risk exposure well beyond the perimeters of your network. Automated tools can quickly detect the watermarks in open-web sources and less secure underground forums, while manual investigation is needed for the more tightly controlled Dark Web forums.
Access to many Dark Web forums is reserved only to users who have received personal invites or recommendations from other members of the community. Newcomers are under intense scrutiny for any tell-tale behavior that gives their motives away. For example, openly searching for a specific set of data could be all it takes to raise the alarm that a user could be an undercover investigator working for a breached firm. However, searching for a specific name – a watermarked identity for example – is more likely to escape attention. Going a step further, it is possible to take a snapshot of the data on a forum and then search it offline. This means no trace of the search will be left for the criminal community to detect. It is imperative that no such trace is left. It would be naive to assume that no one will notice what you searched for online. Hence why you should search offline.
In summary, ransomware poses a significant threat to unprepared businesses and can be costly for even well-defended organisations – especially with the new addition of data exfiltration complicating the recovery. Planting discrete watermarks in their datasets and proactively monitoring for evidence that breached data is circulating online helps organisations understand the extent of their risk exposure and take prompt measures to take back control of the situation.