Ransomware: Hype or Reality?

Dr Magda CHELLY, CISSP, PhD
Magda On Cyber
6 min read · Mar 15, 2021

“Our data has been encrypted, and we have to pay” — we have heard this statement a few times already this year from companies all over the world: companies with different maturity levels, companies with large cybersecurity budgets and big teams. Big or small, in manufacturing or in retail, they have all fallen victim to a ransomware attack.
Ransomware or “ransom malware” attacks have often been dealt with internally within the organization, without public knowledge, with companies paying millions of dollars in ransom to cybercriminals to regain access to their data. Unfortunately, cybercriminals performing ransomware attacks nowadays not only demand a ransom, but increasingly threaten to leak confidential data, which might include personal data.


First, let us understand the definition of ransomware. Ransomware is a type of malicious software, commonly known as malware. The most common kind encrypts systems or files and demands a ransom payment to recover access. Recently, a new trend has emerged where cybercriminals try additional ways to ensure the ransom is paid: they steal confidential data and threaten to release it if the victims do not pay. Cybercriminals are able to do this because they have already gained access to the company’s systems and files through their initial attack vector.

Therefore, a ransomware attack nowadays is not simply a “business interruption” cybersecurity incident; it may additionally amount to a data breach.
The message has evolved to “If you don’t pay, we disclose your data”. Cybercriminals figured out that ransom demands could be reinforced by data theft.

Ransomware has been around since the 2000s, and it originally targeted individuals. Today, ransomware varieties have developed advanced capabilities for spreading, evading detection, encrypting files, and pressuring users into paying ransoms. This led to the new-age ransomware attacks that combine encryption with data theft.

“Maze” is one of the most dangerous ransomware families, as it steals the data it finds. Other ransomware families, such as REvil (also known as Sodinokibi), have followed and continued the trend. In December 2019, for example, the Sodinokibi actors successfully attacked an IT vendor serving hundreds of dentistry practices, infecting computers by exploiting a vulnerable remote access tool. [1] They then announced their intention to use data stolen from victims to persuade them to pay a ransom. Since then, we read about such attacks almost every day.
Nefilim is another ransomware family that has recently started reporting data thefts.

A ransomware attack, previously perceived as a business interruption or operations paralysis attack, today leads to unauthorized access to data and, eventually, a data breach. So, let us understand how a ransomware attack happens. Traditionally, the attack begins with targeting an organization and sending malspam or phishing e-mails to its employees. Those e-mails contain a file that embeds the malware. When an employee opens the file, the malware starts its installation, resulting in a ransomware executable being downloaded. The malware scans the system for files to encrypt. It deliberately skips certain folders and files so that the system can still boot, and the data is then encrypted while the software creates files with strange extensions. The last step is creating and showing a ransom note to the victim.
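As an added defender-side illustration (not code from the article), the Python sketch below flags the two observable steps just described: a burst of renames to unfamiliar file extensions, and the appearance of a ransom-note-like file. The event sample, the extension allow-list and the note-name markers are constructed assumptions.

```python
import os
from datetime import datetime, timedelta

# Constructed file-system event sample (timestamp, action, path, new_path) in the
# shape an EDR or audit pipeline might emit. Hypothetical data, not from the article.
EVENTS = [
    ("2021-03-15T09:00:00", "rename", "/home/alice/docs/report.docx", "/home/alice/docs/report_v2.docx"),
    ("2021-03-15T09:00:05", "rename", "/home/alice/docs/q1.xlsx", "/home/alice/docs/q1.xlsx.k7x2q"),
    ("2021-03-15T09:00:06", "rename", "/home/alice/docs/q2.xlsx", "/home/alice/docs/q2.xlsx.k7x2q"),
    ("2021-03-15T09:00:06", "rename", "/home/alice/docs/notes.txt", "/home/alice/docs/notes.txt.k7x2q"),
    ("2021-03-15T09:00:07", "rename", "/home/alice/pics/cat.jpg", "/home/alice/pics/cat.jpg.k7x2q"),
    ("2021-03-15T09:00:08", "rename", "/home/alice/pics/dog.png", "/home/alice/pics/dog.png.k7x2q"),
    ("2021-03-15T09:00:09", "create", "/home/alice/docs/HOW_TO_RECOVER_FILES.txt", None),
    ("2021-03-15T09:10:00", "create", "/home/alice/docs/README.md", None),
]

# Extensions normally seen on this host (assumed allow-list); anything else after a rename is "strange".
KNOWN_EXT = {"docx", "xlsx", "txt", "jpg", "png", "pdf", "md"}
# Words that commonly appear in ransom-note file names (illustrative, assumed list).
NOTE_MARKERS = ("decrypt", "recover", "restore", "how_to", "ransom")


def extension(path):
    """Lower-cased final extension of the file name, or '' if it has none."""
    name = os.path.basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_ransom_note(path):
    """True when the file name contains one of the ransom-note markers."""
    name = os.path.basename(path).lower()
    return any(marker in name for marker in NOTE_MARKERS)


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return (timestamp, reason) alerts: one per burst of `threshold` renames to
    unknown extensions within `window`, plus one per ransom-note-like creation."""
    alerts, burst = [], []
    for ts, action, path, new_path in events:
        t = datetime.fromisoformat(ts)
        if action == "rename" and extension(new_path) not in KNOWN_EXT:
            burst = [b for b in burst if t - b <= window] + [t]
            if len(burst) >= threshold:
                alerts.append((ts, "mass rename to unknown extension"))
                burst = []  # report the burst once, then start counting again
        elif action == "create" and is_ransom_note(path):
            alerts.append((ts, "ransom note created"))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect(EVENTS):
        print(ts, reason)
```

The benign rename to `.docx` and the ordinary `README.md` produce no alert; only the burst of `.k7x2q` renames and the note-like file do.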

Often, victims reach out to us after an attack, requesting advice on companies providing recovery and decryption. Interestingly, there have been situations where companies claiming to help victims pay their ransom negotiated a lower amount with the cybercriminals and took a margin. Sadly, if ransomware attacks your computers, you could become a double victim. Some “file recovery” companies actually negotiate a lower ransom with the criminals, pay it, and then charge the victim the ransom plus a margin. Moreover, the margin may be significantly higher than the ransom value.

Download a free #Ransomware Preparation Best Practices Guide and learn what questions you should be asking to prepare for a potential attack: https://bit.ly/3sioLZO

In 2018, there was a Russian company offering decryption with a full warranty. In May 2019, ProPublica revealed more activities of this type. Jonathan Storfer, a former Proven Data Recovery employee, revealed that the company regularly paid SamSam ransomware operators. [2] According to ProPublica, a Florida-based firm also sells ransom brokerage. Employees of both companies contacted the cybercriminals under pseudonyms, while the victims were not informed and had no knowledge of the method used to recover their valuable files.

In addition, if cybercriminals target an organization, they will often use current encryption and make sure that their decryption keys have not been published somewhere on the Internet. For example, if the attackers use 256-bit AES encryption, it would take millions of years for a company to brute-force the key. [3]

Following our warning above about recovery and decryption methods and firms, it is important to clarify that files are sometimes genuinely recoverable, and some companies offer honest file recovery services. Those are rare and do not guarantee recovery.

In general, paying the ransom is not recommended, as it is considered financing criminals. However, according to the latest findings, the majority of companies falling victim to ransomware attacks do pay the ransom. In many cases, paying the ransom is cheaper than recovering resources by other means. Nowadays, in most cases, cybercriminals demand the ransom payment in cryptocurrency.

The scariest attacks are evolving into scenarios where cybercriminals destroy the data but still demand a ransom. Such wiper-ransomware seems to be an ideal cyber weapon, as it can inflict enormous damage while still supporting profit-driven criminal activity. Typical wipers have been the domain of government-sponsored attacks, but ransomware with destructive mechanisms is now beginning to interest cybercriminal groups.

Stay tuned for more articles about ransomware.

References

[1] https://securityboulevard.com/2019/12/sodinokibi-ransomware-gang-infects-yet-another-it-provider-serving-dentists-100-offices-hit/#:~:text=Sodinokibi%20operators%20have%20hacked%20yet,of%20dental%20practices%20as%20clients.

[2] https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/

[3] https://www.thesslstore.com/blog/what-is-256-bit-encryption/#:~:text=984%2C665%2C640%2C564%2C039%2C457%2C584%2C007%2C913%2C129%2C639%2C936%20(that's%2078%20digits)%20possible,crack%20256%2Dbit%20AES%20encryption.

Who am I?

I am a keynote speaker, a serial entrepreneur and a senior cyber security expert. I am currently leading the cyber business for an international Fortune 500 insurance-broking firm in Asia.

I am a strong activist for women in security, and I founded the Women of Security Singapore Chapter (WoSEC), supporting female professionals in the industry.

I am a member of the Advisory Board for the Executive Summit at Black Hat Asia, and I am the co-founder of Responsible Cyber Pte. Ltd., a Singapore-based start-up with NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as its shareholders. The company has been valued at 7 Million SGD in May 2020.

I have a PhD in Telecommunication Engineering from Telecom SudParis and speak five languages fluently.

My research topics have focused on cyber security, the future of localisation and positioning, education and more. My writings on cybersecurity have been featured by IEEE, RSA Conference, CYBERSEC, the World Congress on Internet Security (WorldCIS-2016), CYBER RISK LEADERS Magazine, among others.

I speak about cybersecurity in general with a focus on cyber risk management, hacking and diversity and inclusion in the field.

I welcome you to watch some of my insights on Channel News Asia in a documentary on the Dark Web (at approximately 18:09): https://www.channelnewsasia.com/news/video-on-demand/the-dark-web

Follow me on Social Media:

Cyberfeminist | Entrepreneur | Former CISO | PhD, CISSP, S-CISO | CoFounder Responsible Cyber | @womenoncyber | Documentary The Dark Web on @myCanal