PC Pro

DAVEY WINDER

As the ransomware threat continues to boom, Davey Winder asks those who know best some tricky questions about payments and processes

DAVEY WINDER: Davey is a journalist and consultant specialising in privacy and security issues. @happygeek


I’m often asked what the single biggest cybersecurity threat to business is, and my answer remains the same as it did a decade ago: not getting the security basics right. That may come as a surprise to those who thought I would say ransomware, but ransomware attacks are just a symptom of the insecurity disease that’s running rife through many businesses large and small. It is, however, an increasingly common and costly symptom.

You might counter that poor basic security hygiene isn’t to blame for the ransomware epidemic when some variants such as MountLocker are using Windows Active Directory application programming interfaces (APIs) to worm their way through enterprise networks. But even then I’d argue it is.

Blue Hexagon founder Saumitra Das reckons that by using native APIs for propagation, the MountLocker threat actors have made it a “challenge to spot” using “just observational tools such as log monitoring and sandboxes”. And he’s not wrong: separating malicious API calls from the noise of legitimate ones isn’t straightforward. But behavioural systems (so-called detection and response systems) can at least flag such activity for further checking.

As Edgescan CEO Eoin Keary says, “continuous vulnerability scanning and patching is a solid place to start to secure some of the most popular entry points,” especially when MountLocker attackers look to hide where network visibility is poorest. It still comes back to getting the basic security hygiene into place to stand the best chance of not becoming another ransomware statistic.

A recent Sophos threat report found that, on average, an attacker can spend 250 hours totally undetected in target networks. That same research found that 90% of attacks use the Remote Desktop Protocol (RDP), mostly for lateral movement once on the network. So visibility, monitoring, detecting and securing RDP access would cut a massive swathe through attack success rates. The National Cyber Security Centre (NCSC) has published some excellent advice when it comes to ransomware mitigation (pcpro.link/323ncsc) and that article is a good place for businesses to start. It talks about everything from having a solid data backup and business continuity plan (yes, backing up is still important, despite the move towards data exfiltration as additional payment demand leverage) to a defence-in-depth approach to malware prevention.
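The paragraph above argues that RDP lateral movement is where visibility and monitoring pay off. As an added example that is not from the article, here is a small Python check over constructed Windows logon records (shaped like Event ID 4624 with LogonType 10, the RDP logon type) that flags one source fanning out to several hosts over RDP, and RDP sessions originating from hosts outside an assumed jump-host allowlist; the field names, sample values and thresholds are assumptions.

```python
"""Flag RDP-based lateral movement in Windows Security logon events.
Added example, not from the article. Records are constructed to resemble
Event ID 4624 with LogonType 10 (RemoteInteractive = RDP); field names,
sample values and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T09:00:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.5.20", "target_host": "WS-101"},    # admin via bastion
    {"time": "2021-06-01T22:05:00", "event_id": 4624, "logon_type": 3,
     "src_ip": "10.0.7.88", "target_host": "SRV-FS01"},  # SMB, not RDP
    {"time": "2021-06-01T22:10:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.88", "target_host": "SRV-FS01"},
    {"time": "2021-06-01T22:14:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.88", "target_host": "SRV-DB02"},
    {"time": "2021-06-01T22:20:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.88", "target_host": "DC01"},
    {"time": "2021-06-01T22:25:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.7.88", "target_host": "WS-112"},
    {"time": "2021-06-02T08:30:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.9.4", "target_host": "WS-130"},     # single, unexpected
]
KNOWN_JUMP_HOSTS = {"10.0.5.20"}  # assumed allowlist of RDP-originating hosts

def rdp_logons(events):
    """Keep only successful RemoteInteractive (RDP) logons."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]

def find_lateral_movement(events, max_targets=3, window=timedelta(minutes=30)):
    """Return {src_ip: [hosts]} for sources that reach at least max_targets
    distinct hosts over RDP within `window` (the fan-out pattern)."""
    per_src = defaultdict(list)
    for e in rdp_logons(events):
        per_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["target_host"]))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {host for t, host in hits[i:] if t - start <= window}
            if len(targets) >= max_targets:
                alerts[src] = sorted(targets)
                break
    return alerts

def find_unexpected_sources(events, allowlist=KNOWN_JUMP_HOSTS):
    """Return RDP source addresses that are not on the jump-host allowlist."""
    return sorted({e["src_ip"] for e in rdp_logons(events) if e["src_ip"] not in allowlist})
```

On the sample data the fan-out check singles out 10.0.7.88 (four hosts in 15 minutes, the network logon at 22:05 is ignored), while the allowlist check also surfaces the lone session from 10.0.9.4.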

An evolving threat

The likes of the REvil crime group pioneered the use of data exfiltration as an evolutionary approach to the ransomware threat. Before the attackers encrypt data and lock down networks, that data is copied to be used as part of ransom demands. There’s a win-win for the attacker here: if the ransom isn’t paid then, as in the case of REvil, high-value data can be auctioned off to the highest criminal bidder. The winning doesn’t stop there, either: data can be leaked to the ransomware gang media sites on the dark web – and yes, that’s a thing – in an attempt to tarnish the reputation of the victim.

Yet, still, the threat remains a simple one: take something hostage, demand a payment to free it. REvil was also one of the first to popularise the ransomware-as-a-service (RaaS) model whereby the actual attack part of the equation is outsourced to “affiliates” who get a cut of any ransoms paid. DarkSide, the group behind the Colonial Pipeline oil supply attack, has become the poster boy of RaaS, not least because it’s likely changed the way such schemes work in the aftermath of taking on something as important to the US economy as fuel.

It immediately tried to shift the blame for the attack onto a rogue affiliate, issuing statements that it was an apolitical group just out to make money and that it would be strictly moderating all proposed affiliate targets in future. DarkSide then suggested that future was over, saying it would be disbanding after the “disruption” of its dark web sites: the attacker had suddenly been attacked, and could no longer access its blog, payment servers or DOS servers. What’s more, or so it claimed, “funds from the payment server (ours and clients’) were withdrawn to an unknown address”.

I’d take such talk of disbanding with a pinch of salt, not least as DarkSide is thought to have been formed by former REvil actors who jumped ship when things got a bit hot there. As an aside, DarkSide pointed to an article of mine in the “What is DarkSide?” section of a site aimed at new affiliates; I’m not sure if I should be flattered or horrified.

Whether DarkSide goes quiet for a bit and returns under a new name with slightly tweaked code or not is by the by. It was another group that moved the ransomware threat forward with criminal innovations such as an attack management console that included a cold-calling option to allow an affiliate to speak with victim organisations to convince them to pay, distributed denial of service (DDoS) attacks from the same console for added leverage, and even the threat of giving dodgy stock traders details of an attack before going public so company stock could be shorted.

Another group using both RaaS and cold-calling is Conti, the actors behind the Irish Health Service Executive attack and, according to the FBI, dozens of similar attacks against healthcare services in the US. Conti tailors ransoms to each victim, based upon ability to pay and the cost of not doing so, as well as how much cybersecurity insurance the victim has. It also doesn’t seem to have any moral compass as far as impacting human life is concerned. Forgive me for not being impressed by the group handing over the decryption tool to the Irish health service for free to get the system up and running again; it’s still demanding a ransom for the stolen patient data and it still hit a national healthcare target in the first place.

Should you just pay the damn ransom?

In the relatively early days of the modern ransomware resurgence (the threat actually dates back to the AIDS Trojan in 1989, which asked for a $189 fee to decrypt files), I took the firm stance of don’t pay the damn ransom. Remember that the victims were not highly targeted to begin with and most were consumers, so business continuity matters didn’t factor into that advice. Advice, I should add, that always ended with “make damn backups”.

Of course, the threat has evolved since then and now it’s fairly rare for consumers to get caught up in an attack, while the ransom payment question has become much less black and white than it once was. “Choosing to pay a ransom is a complex decision that must be weighed up carefully by an organisation and its counsel,” Andrew Beckett, managing director and head of cyber risk at Kroll, told me. “There are many factors to consider, such as whether suitable controls and expertise are in place to aid recovery, the condition of system backups, and potential reputational and regulatory risks.”

There’s also the small matter of that data exfiltration double-dip threat to take into account, as the theft of sensitive data is something of a spanner in the works of any never-pay-the-ransom argument if you ask me. And if you ask Assaf Dahan, the head of threat research at Cybereason, which I did. While Dahan says that most of the major ransomware groups will provide decryptor tools that are generally reliable (more of that in a moment), that doesn’t address what happens to stolen data.

“How can anyone be sure that this data was deleted from their servers for good?” Dahan asked. “And how do we know that they haven’t sold it clandestinely to a third-party?”

The answer is that neither we nor anyone else can be sure of either scenario. Threat actors will often hand over access credentials to a cloud-based store where the data can be deleted, or retrieved, by the victim. They will say you should take them at their word because it’s their reputation at stake and nobody will pay a ransom in future if they break that promise. But they’re criminals at the end of the day, no matter how much of a business shine they like to put on their operations.

Speaking of reputation, this is something else that factors into the decision to pay or not. “In the case where an organisation hit by ransomware refuses to pay and sensitive information is leaked,” Dahan said, “they could be exposed to reputational damage, business disruptions, third-party lawsuits and fines from regulatory bodies. At the end of the day, companies should conduct a risk assessment before deciding whether or not to pay.”

By now, you’ll have hopefully realised that there can be no definitive answer to the question of whether paying a ransom is the right or wrong thing to do. “In the UK, it’s currently not illegal to pay the ransom following an attack, however it’s actively discouraged by all national cyber authorities and law enforcement bodies,” James Weston, principal consultant for cyber and digital at Gemserv, explained. Those same bodies will emphasise that paying a ransom encourages further attacks and funds criminal activity. The latest National Crime Agency assessment of serious and organised crime classifies ransomware as a major crime that causes harm on a significant scale. Which is why, as Weston says, “paying a ransom will remain a very polarising action to take, and broadly scrutinised and reviewed after the fact”.

If ransom payment is the only option, how does that work?

What if an organisation decides to pay the ransom, either because it has no other viable business continuity option or, as Pascal Geenens, director of threat intelligence at Radware, points out, because “the time and cost to recover might be more expensive than the ransom”?

The process, in theory at least, appears to be an easy one: pay the demanded sum to the designated crypto wallet, receive a decryption key and get back to normal. In 99% of cases, that’s not how it works at all.

Ransomware groups like to see themselves as a business operation and are aware of the need to negotiate prices with their customers to close the deal. While communication methodologies do vary, most threat actors will point the victim to a dark web, Tor-based site where private discussion can take place. As to what happens next, I’ll let Tim Mitchell, a senior security researcher at Secureworks, explain:

“Generally, once the victim (or their representative, if they have an insurer or a ransomware negotiation firm engaged on their behalf) visits that site they will be entered into a chatroom. The criminals behind these schemes make an effort to maintain privacy around these negotiation sessions, but occasionally third-party researchers are able to access them and observe the conversation.

“In our experience, ransomware operators will always start the negotiation high, probably based on some arbitrary calculation considering the size and profitability of the victim but will likely have a price in their heads that they will settle for, which can sometimes be as low as a third of where they started at. They may offer to decrypt a limited number of files for free as a sign of good faith.

“If a price can finally be agreed, payment details will be provided. The ransomware operators will provide a location from which a decryption tool can be downloaded and will also commit to deleting any data they have stolen, to potentially include some theatre where they do that onscreen or give the victim access to do it themselves.

“And finally, some ransomware operators will finish by disclosing how they initially gained access and provide advice around how the victim can secure their network to prevent such an attack being successful in future. For obvious reasons, any organisation suffering one of these attacks should conduct their own investigation to understand what happened and how to prevent it.”

BELOW The NCSC’s online advice should be required reading for businesses
ABOVE Conti has used RaaS to hit health services in Ireland and the US
BELOW Ransomware isn’t new: the first attack was in 1989 and demanded $189
