“Ransomware actors have become some of the most technically adept in the cybercrime industry”
What happens after a business gets hit by ransomware? Davey provides a glimpse into the machinations that go on behind the scenes
Cast your mind back to the end of July when the world stopped for people who not only like to run but have an almost obsessive need to record details of every last step. Garmin, the technology titan when it comes to smartwatch GPS for runners, suffered a multi-day service outage. The outage, as many of us within the infosec community suspected, was actually a ransomware attack. It took Garmin four days to almost admit as much. I say “almost” because the nearest it came to uttering the “R” word at the time was to say that it had been the victim of a “cyberattack that encrypted some of our systems”.
This didn’t surprise me. It’s an approach I’ve seen over and over from businesses big and small, unwilling to admit to having been caught napping by ransomware actors. It’s not the most embarrassing confession to make these days: ransomware actors have become some of the most technically adept and successful in the cybercrime industry. But rather than holding Garmin’s feet over the fire, I thought it might be helpful to devote this column to how the response to a ransomware attack plays out in the real world. This comes about partly because of what Garmin was and wasn’t saying at the time, and partly due to mainly disappointing reporting that left a lot to the imagination of the reader.
According to a Sky News report at the time, an anonymous source with knowledge of the incident said that Garmin obtained the decryption key to the WastedLocker ransomware attack that took services offline. Garmin “did not directly make a payment to the hackers,” the source told Sky News. The Garmin press release also said the company had “immediately began to assess the nature of the attack and started remediation”.
When I pressed Garmin on whether it had paid the ransom or not, I was told that there was “no further comment on any additional details” beyond what was in the press releases. So what does that all mean? As I’ve said, this column isn’t about Garmin per se, but these statements confuse rather than clarify incident response. Transparency is key when it comes to any cybersecurity incident because it helps everyone understand how to do better when the sticky stuff hits the fan.
A new and profitable ransomware threat
For a moment, though, let’s look at Garmin. It was reported by Bleeping Computer that WastedLocker was the ransomware concerned long before Garmin admitted the “encrypting cyberattack” detail. Bleeping Computer had inside information from anonymous sources, but sources who supplied what appeared to be quite clear images of encrypted Garmin files with the WastedLocker path on view.
WastedLocker is a new addition to the ransomware map, although the threat actors behind it are known to have been active since 2007. Evil Corp, a Russia-based cybercriminal group, was perhaps most infamous for its use of the highly successful Dridex malware. So successful were Evil Corp, with Dridex reported to have stolen at least $100 million, that the US Department of the Treasury’s Office of Foreign Assets Control imposed sanctions against it in December 2019.
Those sanctions mean that it’s generally prohibited for US citizens to engage in financial transactions with Evil Corp. They also state that “foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons”. Garmin had been reported as being held to ransom for the sum of $10 million, which I’d describe as a significant transaction, if it turns out a ransom was paid. So it’s understandable that any company in such a situation wouldn’t shout from the rooftops that it had paid up for a decryption key. Which is where I’ll stop the Garmin references and start talking about the generalisations of ransomware incident response.
Forget about an ideal world
Anyone who understands anything at all about how ransomware negotiations work, especially at the large enterprise level, knows better than to say a $10 million ransom is the beginning and end of the story. Sadly, way too many commentators don’t have a clue and assume that a ransom is set in stone: the clock starts ticking, the victim pays up or loses everything.
That really isn’t how it works, and hasn’t been ever since criminal gangs got serious about the kind of money they could make from the ransomware threat by targeting bigger businesses instead of randomly spraying malware and praying enough people would cough up one-tenth of a Bitcoin.
In an ideal world, business disaster recovery strategies would swing into action. Incident response plans would be well rehearsed, networks shut down, the source and spread of the threat located and nullified, data restored to clean machines and the whole system restarted after testing. Yes, that could well put any organisation out of action for a day or two, and hit the bottom line hard. Some firms might either discover that they can’t do this, or that the cost of doing so far exceeds what the perpetrators are demanding by way of ransom.
If a call is made to pay the ransom, the negotiations begin. Not directly between the organisation itself and the likes of Evil Corp, but rather through the services of a specialist incident response team that will handle the remediation from the point of contacting the ransomware gang through to the restoration of data.
This involves many steps, including the initial one of how much money it will take for a decryption key to be released. Traditionally, the ransom demanded has been a starting point and, with most enterprises having data backups anyway, will drop down to a figure that fits that “less than doing it ourselves” option.
Evil Corp’s evil twin
That all changed when the likes of Evil Corp’s BitPaymer ransomware evolved into DoppelPaymer and exfiltrated data as part of the attack. This exfiltrated data could then be used as leverage in the payment negotiation. The ransom then included return of the stolen data, with non-payment meaning it would be sold off on the dark web or exposed in public in a piecemeal fashion. It’s obviously not a good day for any business to see its data published or sold, but the cybercriminals are smart and know that if they have data involving third parties, those in the supply chain, the stakes go up exponentially.
A good example here concerns the DoppelPaymer ransomware, when it hit a company called Visser Precision based in Colorado at the start of the year. A precision parts manufacturer that supplies the automotive, aeronautics and aerospace industries, its customers included Lockheed Martin, SpaceX and Tesla. To press for payment, the DoppelPaymer gang published non-disclosure agreement documents related to SpaceX and Tesla with a warning that there would be other data to come.
The REvil ransomware group has taken this practice of holding stolen data hostage to a new level, at least as far as monetisation is concerned. When a New York law firm was hit by the Sodinokibi ransomware threat from REvil, the exfiltrated data appeared to contain documents pertaining to all sorts of celebrities and politicians. Naturally, REvil started twisting the leverage knife pretty quickly and deeply. Unless a ransom of $42 million was paid, it said it would start leaking “dirty laundry” data on President Trump.
REvil has quite the reputation in the ransomware world, what with the devastating attack against Travelex at the end of 2019. That reputation wasn’t helped when the law firm called its bluff and the first batch of Trump data turned out to be more of a damp squid (for all you The IT Crowd fans) than dirty laundry. Having seen the data myself, it looks like all they did was grep for trump* in any context, and so people talking about being trumped, or mentioning a Trump hotel, were included. Nothing relating to Trump himself, though. REvil then started an auction site, hosted on the dark web, to sell off data from the likes of Madonna, Lady Gaga, Bruce Springsteen and more. So, as you can see, the ransomware threat is always evolving.
No data exfiltration doesn’t mean no problem
However, WastedLocker isn’t known to have developed a data exfiltration capability, and is thought to remain a reasonably simple “encrypt and extort” threat. That makes ransom negotiations more straightforward, which is why it’s unlikely that Garmin, if it did indeed pay, or anyone else for that matter, would hand over the full amount demanded.
The incident response team negotiators would contact the cybercriminals behind the attack, using the channels opened up by the gang for ransom payment to start negotiating the price down. WastedLocker negotiations are a grey area, what with those US Treasury sanctions against Evil Corp, and many incident response teams refuse to take on any such contracts for that very reason. Any negotiation is a two-way street, and when it comes to ransomware the dance played out is more capoeira than tango.
The ransomware gang has the advantage of time. With the clock ticking, and the potential destruction of data timer counting down, they rely upon those pressures to work in their favour. The fact that a ransomware negotiator is even involved, however, is the ace up the sleeve of the victim. The cybercriminals know that they aren’t being strung along, and provided they can agree a “fair” price then monies, or cryptocurrencies to be precise, will be exchanged at the end of the day.
You might think, then, that once a price is agreed, the ransom paid and a decrypter key provided, that would be the end of the affair. But no, far from it. Firstly, surprising as it sounds, reputation is an important thing for ransomware gangs operating at the larger end of the criminal spectrum. They know that if someone pays a ransom and then the decryption key isn’t provided, exfiltrated data is sold on anyway or the key doesn’t work, word will soon spread and further extortion becomes more difficult. This is precisely the reason why so many have, I kid you not, customer service operations that provide technical support for their clients. And that’s actually what they refer to their victims as. Relying upon such help is one thing if you’re an individual or small business, but quite another for a large enterprise with complex networks and highly sensitive data.
Which is where the incident response teams tend to bring in another third party on contract. This time it’s a company, and there are only a very small handful that can efficiently and effectively extract the decryption key from the relatively unreliable decryption tool provided. By extracting the key and then incorporating it into a custom-built decrypter tool, the process of restoring networks and data can be undertaken forensically and safely. Evidence can be preserved, data protected and logs kept.
Many organisations may not be 100% transparent about their dealings with such negotiations, but they want total visibility when it comes to this stage of the remediation process. Following the successful decrypting of data and, after thorough testing (including being sure there are no further malware nasties left behind by the attackers), the network can be made available again.
To pay or not to pay, that is the question
So that leaves me to answer the, erm, $10 million question: would I recommend paying the ransom? My simple answer: nope.
Would I make that same recommendation under any circumstances? Nope again.
While paying ransoms of any sort, across any illegal sphere of life, only serves to further encourage that criminal activity, it’s not a clear-cut decision one way or the other. If there are no working backups, if sensitive data has been stolen, if the option is between going out of business and doing business with a scumbag, then the latter is likely to win out.
In which case, you’d better be prepared for the old adage of no honour among thieves: make sure you factor in the expense of a specialist incident response team with expertise in the ransomware negotiation field.