In this blog we look at some of the myths around ransomware and how data exfiltration prevention can facilitate compliance and mitigate the risks associated with an attack.
Ransomware is now the biggest cybersecurity concern for organizations and the most profitable type of attack for criminal gangs, so it’s unsurprising that it continues to evolve, with hackers utilizing a myriad of new techniques to target devices, industries and individuals. Gone are the days of simply encrypting data until a ransom is paid in exchange for the decryption key. Cybercriminal gangs now favor the double extortion technique: exfiltrating data to use as leverage to pressure victims into paying extortionate ransoms. Snapshots of sensitive data are often published immediately to indicate intent, and if the victim refuses to cooperate more data is leaked and the ransom is doubled or even tripled.
Data exfiltration, the unauthorized movement of data from a company’s network for the sole purpose of extorting the organization for a large ransom payment, has become the weapon of choice for cybercriminals.
Even more disconcerting with this new technique is that paying the ransom is just the tip of the iceberg, and it doesn’t solve the underlying problem – the security of your organization. The fallout for organizations that find themselves victimized by ransomware extends far beyond the ransom. Recovery and clean-up costs, business disruption, PR costs, and the inevitable reporting and compliance costs associated with data breaches can be crippling to organizations of all sizes.
In October 2020 the US Department of the Treasury issued an advisory that warned companies not to pay ransoms to sanctioned entities. The Department of Justice stated that facilitating ransom payments to sanctioned criminals, whether by victims themselves or by companies acting on their behalf, would be considered a federal offense and a threat to national security. In short, it means that the US Government has the ability to prosecute organizations or “cybersecurity consultants” deemed to be acting on behalf of victims. As per the advisory, the US Government can sanction any company found facilitating the payment of extortion money, alongside imposing heavy fines. As part of the law, victims are also required to officially report the ransomware attack as a crime to law enforcement authorities.
Victims at the crossroads
Ransomware attacks strategically employ data exfiltration when deploying payloads, activating devices, performing key exchange and stealing data from the victim’s devices and network. The ransom payment is only the beginning, with financial losses, data breach reporting and potential PR disasters quick to follow. Victims often feel they have no choice but to pay the ransom before their sensitive company data is published and sold on the Dark Web.
It has now become common practice for hackers to publish all or parts of stolen data on the Dark Web, such as on hacking forums where it is sold to other cybercriminals. Sensitive data such as full names, email addresses, social security numbers and credit card details can cause permanent damage to a victim’s identity. This is also a PR disaster for any company and can lead to class action lawsuits. Recently, over 533 million Facebook users’ data, including full names, email addresses, phone numbers and locations, was leaked online. The data, believed to have been hacked back in 2019, was released in the first week of April 2021.
Considerations and legal challenges of compliance
Refusing to pay a ransom often leads to even higher recovery costs. Large multinational companies with networks involving thousands of servers can be crippled trying to restore from backups, and many find themselves resorting to pen and paper to manage operations following an attack.
Following a ransomware attack organizations quickly find themselves faced with several legal challenges and a race against the clock to make some very quick assessments and decisions.
- Do they have the in-house capabilities to respond to an attack?
- Will they hire an attorney or legal consultant to negotiate with the hackers and report the incident to state, local or federal law enforcement authorities?
- Should they pay the ransom? If yes, how?
- Can they prove that no data has been compromised in the attack?
- If they pay the ransom, should they take into account OFAC’s warnings on ransom payments?
- Will their insurer pay the ransom amount?
- What plan do they have to mitigate the reputational damage?
- What solutions and plans can they implement to ensure they don’t become a victim again?
In today’s global economy time is critical. The longer an organization is offline the higher the disruption costs. Businesses under pressure often resort to paying the ransom in the hope that the cybercriminals will restore their systems as quickly as possible (often they don’t). When it comes to compliance, best practices dictate reporting the incident to the authorities and data regulator as quickly as possible. Not doing so can cause costly penalties if a data breach results from the ransomware attack. Companies who fail to disclose the incident in a timely manner are often faced with larger fines and reputational damage that can take years to repair.
The real cost of downtime
In October of 2020, UHS (Universal Health Services) witnessed one of the largest and the most coordinated ransomware attacks in the history of the US. The Ryuk ransomware gang was behind the coordinated attack which affected 400 sites. The attack cost the organization $67 million in lost revenue and took 3 weeks for the entire system to get back online. CompuCom, an American managed service provider (MSP) also revealed that a recent ransomware attack cost them over $20 million in losses.
Fact or fiction, common misconceptions about ransomware attacks
Myth 1: Pay the ransom and get back to business
A ransomware attack is a highly coordinated team effort which can take weeks or months of preparation, with the sole intention of disrupting a specific business and extorting ransom payments.
Paying the ransom to recover your data is only part of the equation. If data has been exfiltrated the attack must be considered a reportable data breach which has penalties and compliance guidelines that need to be adhered to. Business will be anything but normal after an attack regardless of whether or not a ransom has been paid. It can take months to recover from an attack and your expenses have only just begun. You will need to factor in the cost of insurance premium increases, business disruption, legal, compliance and additional security processes and software.
It’s also important to note that organizations who pay often become the targets of future attacks.
Myth 2: The IT engineers can easily decrypt the data
Most modern ransomware attacks cannot be decrypted without receiving the decryption key. Hackers encrypt data with a combination of AES and RSA military grade encryption standards, and no supercomputers exist on the planet to decrypt the data in a reasonable timeframe.
Once the data is encrypted, a private key remains with the hackers and is only shared with the victims if a ransom payment is made, usually in the form of cryptocurrency. Unfortunately, hacking groups (not exactly known for their ethics) may permanently wipe the victim’s data, even after receiving the ransom. Despite cooperating with the attackers and paying the ransom there is no guarantee that the victim will receive the decryption key.
Myth 3: I have a firewall and antivirus so we’re protected
Traditional perimeter defense techniques are no longer enough to protect you from a modern cyberattack. If a cybercriminal gang targets your organization they will eventually find a way in. The best approach is to assume that hackers will get in and focus on preventing them from leaving with your data.
Myth 4: It only impacts the infected device
An infection is often preceded by months of work by cybercriminals, and the malicious code often lies dormant on devices before launching a full attack; this period is known as “dwell time”. This was evident in the recent SolarWinds Orion attack that devastated the White House and branches of the US Federal Government.
Once this dormant code activates it spreads laterally within an organization and quickly infects machines throughout the network. The dwell time is used not only to mask intent but also to do reconnaissance work, searching for valuable sources of information before launching a full attack.
Myth 5: My company doesn’t have any valuable data
This myth is common among small to medium sized businesses in particular. The reality is that organizations of all sizes and all types are becoming victims every day, and all organizations are at risk.
Even small companies can be duped by ransomware and can be easily extorted by exposing employee data, client lists or customer credit cards, social security numbers, etc.
A cyberattack is only successful if data is stolen or removed from a device or network without authorization; infiltrating a network or a device in and of itself does not make a successful cyberattack.
When it comes to preventing cyberattacks many organizations are still focused on protecting the perimeter to keep the bad actors out. The bad news is that no matter how protected you think your network is, the reality is that attackers are finding their way in.
Preventing modern attacks requires a new way of thinking and a new approach including a data exfiltration strategy. By making the assumption that the bad actors are going to get in regardless of perimeter defense tactics, we can focus less on how they get in and more on what data they may be trying to steal.
If your organization has a data exfiltration prevention solution, it really doesn’t matter how they got in or how long they dwelled: their attack on your network won’t be a success if they are unable to exfiltrate your data. Simply put, no data exfiltration = no successful cyberattacks, no ransoms and no data breaches!
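The "assume they are in, watch what leaves" approach above is only actionable if egress is actually measured. The script below is an added example, not code from the original post or from the vendor, showing the simplest form of that check: build a per-host baseline of outbound bytes to external addresses, then flag hosts whose volume in a review window jumps well above that baseline or crosses an absolute limit, reporting any external destinations not seen in the baseline as context. The flow-record format (CSV with `timestamp,src_host,dst_ip,dst_port,bytes_out`), the internal address ranges, the thresholds and the sample records are all constructed assumptions for the demonstration.

```python
"""Egress-volume anomaly check over constructed flow records (added example).

Assumptions, none of which come from the original post:
  - flow records are CSV lines: timestamp,src_host,dst_ip,dst_port,bytes_out
  - anything outside the RFC 1918 ranges counts as an external destination
  - thresholds below are illustrative tuning values, not recommendations
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RATIO = 5.0                           # window rate > RATIO x baseline hourly rate
ABS_THRESHOLD = 500 * 1024 * 1024     # or more than 500 MiB in the window
NO_BASELINE_MIN = 50 * 1024 * 1024    # host with no prior egress sending > 50 MiB

# Constructed sample flows: one quiet day as baseline, then a one-hour window
# in which ws-42 pushes ~850 MB to an address it has never talked to before.
SAMPLE_FLOWS = """timestamp,src_host,dst_ip,dst_port,bytes_out
2021-04-01T09:00:00,ws-17,198.51.100.10,443,60000000
2021-04-01T15:00:00,ws-17,198.51.100.10,443,60000000
2021-04-01T10:00:00,ws-42,198.51.100.10,443,24000000
2021-04-01T16:00:00,ws-42,198.51.100.10,443,24000000
2021-04-01T23:00:00,ws-42,10.0.0.5,445,2000000000
2021-04-02T01:10:00,ws-17,198.51.100.10,443,6000000
2021-04-02T01:15:00,ws-42,203.0.113.7,443,300000000
2021-04-02T01:25:00,ws-42,203.0.113.7,443,300000000
2021-04-02T01:40:00,ws-42,203.0.113.7,443,250000000
2021-04-02T01:30:00,srv-db,10.0.0.5,5432,900000000
2021-04-02T01:50:00,ws-99,198.51.100.20,443,10000000
"""


def is_external(ip):
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    return [{"ts": datetime.fromisoformat(r["timestamp"]), "host": r["src_host"],
             "dst": r["dst_ip"], "port": int(r["dst_port"]), "bytes": int(r["bytes_out"])}
            for r in csv.DictReader(io.StringIO(text))]


def egress_per_host(flows, start, end):
    """Sum external-bound bytes per host and collect the destinations used."""
    totals, dests = defaultdict(int), defaultdict(set)
    for f in flows:
        if start <= f["ts"] < end and is_external(f["dst"]):
            totals[f["host"]] += f["bytes"]
            dests[f["host"]].add(f["dst"])
    return totals, dests


def find_exfil_candidates(flows, baseline, window):
    """Return hosts whose egress in `window` is anomalous relative to `baseline`."""
    b_start, b_end = baseline
    w_start, w_end = window
    base_tot, base_dst = egress_per_host(flows, b_start, b_end)
    win_tot, win_dst = egress_per_host(flows, w_start, w_end)
    base_hours = (b_end - b_start).total_seconds() / 3600
    win_hours = (w_end - w_start).total_seconds() / 3600
    findings = []
    for host in sorted(win_tot):
        vol = win_tot[host]
        base_rate = base_tot.get(host, 0) / base_hours
        win_rate = vol / win_hours
        reasons = []
        if vol > ABS_THRESHOLD:
            reasons.append("absolute volume")
        if base_rate > 0 and win_rate > RATIO * base_rate:
            reasons.append("ratio vs baseline")
        if base_rate == 0 and vol > NO_BASELINE_MIN:
            reasons.append("no prior external egress")
        if reasons:
            findings.append({"host": host, "bytes": vol, "reasons": reasons,
                             "new_dests": sorted(win_dst[host] - base_dst.get(host, set()))})
    return findings


def run_example():
    """Apply the check to the constructed sample: one day baseline, one hour window."""
    flows = parse_flows(SAMPLE_FLOWS)
    baseline = (datetime(2021, 4, 1, 0, 0), datetime(2021, 4, 2, 0, 0))
    window = (datetime(2021, 4, 2, 1, 0), datetime(2021, 4, 2, 2, 0))
    return find_exfil_candidates(flows, baseline, window)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The internal-only flows (the backup to 10.0.0.5, the database traffic) never enter the totals, so a large but legitimate internal transfer does not trip the check, while ws-99, a host with no baseline that sends only 10 MB, stays below the no-baseline floor. In production the baseline would come from weeks of flow or proxy logs rather than one day, and the thresholds would be tuned per host role; the point of the exercise is that answering "can we prove no data left?" from the legal checklist above requires this kind of egress accounting to exist before the incident.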
If you’re concerned about ransomware, contact us today for your free 7 day ransomware assessment.