
Ransomware attacks are on the rise—and so are ransom payments


In June 2021, JBS, the world’s biggest meat-processing company, announced it had paid an $11 million ransom in Bitcoin to cyberattackers. A month earlier, in May 2021, Colonial Pipeline, the largest refined-products pipeline in the U.S., suffered a severe attack that forced the company to shut down operations and freeze its IT systems; the energy giant wound up paying a $4.4 million ransom (also in Bitcoin) to restore its operations.

What was common in both events? Ransomware.

Ransomware, that is, malware built to deny users access to their own data, usually by encrypting it, comes in many families and variants. But the end goal is the same: to cripple critical systems and demand a ransom for restoring them.

It’s a cruel technique, and it works: In 2022, a year when the number of ransomware attacks reportedly fell, 71% of companies worldwide were affected by ransomware, according to a Statista survey. Data from security vendor Palo Alto Networks show the average ransom payment reached $925,162 that year. The stats are worrisome: Even in a year when ransomware attacks supposedly tumbled, attackers still made a killing. And now ransomware attacks are rising again, with security company Black Kite reporting a ransomware resurgence in 2023.

Yet despite the frequency of ransomware attacks and the large sums organizations pay to get their systems back, the exact negotiation tactics behind ransom payments rarely make the news. That’s partly because law enforcement agencies like the FBI and the Cybersecurity and Infrastructure Security Agency strongly advise against paying.

But that warning is often not heeded, with many organizations determining payouts to be the quickest route to recovery.

How ransom payments work

Like a thief at night, a ransomware attacker thrives on anonymity. After encrypting data from critical systems, they swiftly define the mode of communication and, later, payment channels through a ransom note. “The criminals will dictate the method of communication and payment, which is almost always Tor and cryptocurrency due to anonymity,” Greg Hatcher, founder and CEO of White Knight Labs, explains via email. 

Cryptocurrency offers speed, pseudonymity, and access, three features malicious actors adore, thanks to its decentralized nature and uneven regulation. (Pseudonymity, not anonymity: the public ledger records every transaction, just not who controls each address, which is what makes the tracing discussed later in this piece possible at all.) That cover also explains why ransomware gangs, many of which now run on a Ransomware-as-a-Service (RaaS) model, moved away from email as a communication channel.

The 2020 State of Crypto Crime Report from Chainalysis strengthens the link between crypto and ransomware, noting that the Russia-linked exchange BTC-e (shut down in 2017) was the predominant platform for cashing out nearly all ransomware proceeds between 2013 and 2016.

The good, bad, and ugly side of ransom negotiations

Once encryption is successful, ransomware attackers know they have the upper hand, which they plan to exploit to get what they want. Many groups now steal data before encrypting it, so that the threat of publication remains even when the victim can restore from backups, a practice commonly called double extortion. As Terence Bennett, general manager at DreamFactory Software, puts it, “If a company has proper backups, they can often ignore the ransom request, kick the attacker off their network, and back up systems as normal. But if the data is unencrypted and it’s sensitive, then the attacker can threaten to leak that data.”

The ransom note usually signals the start of negotiations. Ram Elboim, CEO of cyber technology and services company Sygnia, explains that ransomware attackers play the waiting game to put affected organizations under pressure.

“As an example, a common [negotiation] tactic is that they [ransomware attackers] want to buy time, so they won’t respond to specific messages for 12 hours,” he says. Delaying messages creates panic and fear, the exact emotions threat actors want to exploit.

The affected organizations are aware they have more to lose. Their willingness to negotiate also means they’re ready to “play the game” to get the “best deal” possible. The best deal means paying little or no money while securing the stolen data. To make this happen, Elboim explains that negotiators sometimes assume a woman’s persona to build empathy and trust with threat actors. Often, he says, this tactic creates a sense of “friendship,” which may smooth negotiations.

Building “friendship” is only half the job; the other half is understanding the hackers’ mindset. For Elboim, this means “understanding the tools, tactics, and infrastructure attackers use.” The operational tactics define the sophistication of the attack, not the malware kits. “Not many people get this, but an attack can be very sophisticated without sophisticated tools. . . . What you need to have is an operational map to invade a company and stay hidden from IT security to maneuver the system,” Elboim explains.

Understanding an attacker’s mindset is not a walk in the park. It’s why Kfir Kimhi, founder and CEO at ITsMine, believes organizations shouldn’t “try to play smart” by negotiating directly with attackers because they’ll be fighting in unfamiliar territory. Instead, he suggests enterprises involve cyber insurance to handle ransomware negotiations.

“Don’t be smart. You had enough time to be smarter before the attack happened. . . . Now that there’s a breach, involve cyber insurance to handle your IR [incident response] and negotiation alongside your dedicated cybersecurity team. They [cyber insurance providers] are experts, and you need them,” Kimhi says.

A big part of Kimhi’s preference for cyber insurance is that it reduces the risk of negotiators quietly colluding with attackers. Apart from assessing the risk level before negotiations begin, cyber insurers also supply professionals who handle the negotiations.

Follow the money: Are ransomware payments recoverable?

The Colonial Pipeline breach shook the security world in ways never seen before: The attack, carried out by a hacker group that called itself DarkSide, caused gas shortages throughout the U.S. Notably, however, the FBI also “turned the table” by recovering most of the bitcoin Colonial Pipeline had paid (63.7 of the 75 BTC, worth about $2.3 million by the time of the seizure because the price had fallen). But how did the FBI do it? Agents “followed the money”: they traced the ransom across the public blockchain to an address for which the bureau had obtained the private key, and seized the funds under a warrant.

“Following the money is actually much easier to do today than it’s been in the past,” Ron Moritz, cybersecurity expert and venture partner at venture capital firm OurCrowd, tells Fast Company. “Some creative companies have figured out that the blockchain is a public ledger. But the information on the blockchain, the metadata, is just not clear to people. So it’s difficult to do the analysis manually.”

According to Kimhi of ITsMine, “It’s [still] very hard [to follow the trail] because it’s Bitcoin and crypto with multiple wallets, which are very hard to track.” Apart from tracking difficulties, Hatcher notes that tracing illicit ransom payments is “expensive and time intensive.”
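The tracing the experts above describe is, at its core, a walk over a transaction graph: start at the address named in the ransom note and follow each spend to the addresses that received it, keeping track of what share of each output is still ransom money. The script below is an added illustration, not code from the article or from any chain-analysis vendor; the transactions, addresses, amounts and attribution labels are constructed for the example. It shows the two things that make manual tracing painful: a "peel chain" that spreads one payment across many fresh wallets, and a hop where ransom funds are co-spent with unrelated coins, so that only a fraction of the output is tainted (the "haircut" rule used here is one common convention, not the only one).

```python
"""Following ransom funds through a transaction graph.

Added example; the transactions, addresses, amounts and labels below are
constructed and correspond to no real blockchain data or case. A real
investigation runs the same walk over full-node data or a chain-analysis
API, with labels obtained from exchanges and clustering vendors.
"""
from collections import defaultdict

# Constructed UTXO-style transactions, in confirmation order.
# inputs: (address, amount spent); outputs: (address, amount received).
TRANSACTIONS = [
    {"txid": "tx1", "inputs": [("victim", 75.0)],
     "outputs": [("ransom_addr", 75.0)]},
    # Peel chain: a slice peels off toward a cash-out path, the remainder
    # moves to a fresh change address; repeated until the funds are spread.
    {"txid": "tx2", "inputs": [("ransom_addr", 75.0)],
     "outputs": [("hop_a", 11.3), ("change_1", 63.7)]},
    {"txid": "tx3", "inputs": [("change_1", 63.7)],
     "outputs": [("hop_b", 20.0), ("change_2", 43.7)]},
    {"txid": "tx4", "inputs": [("hop_a", 11.3)],
     "outputs": [("exchange_dep_1", 11.3)]},
    # Ransom funds co-spent with unrelated coins: only part of the output
    # is ransom money.
    {"txid": "tx5", "inputs": [("hop_b", 20.0), ("unrelated_src", 5.0)],
     "outputs": [("mixer_in", 25.0)]},
    {"txid": "tx6", "inputs": [("change_2", 43.7)],
     "outputs": [("exchange_dep_2", 43.7)]},
]

# Attribution an investigator would hold (constructed): deposit addresses
# at a custodial exchange that can be served legal process, and a mixer
# entry point where the trail usually goes cold.
LABELS = {"exchange_dep_1": "ExchangeA", "exchange_dep_2": "ExchangeA",
          "mixer_in": "Mixer"}


def trace_taint(transactions, source, source_amount):
    """Proportional ("haircut") taint propagation.

    Each output of a transaction inherits the fraction of the transaction's
    inputs that were ransom funds. Returns the current tainted holdings per
    address (spent inputs drop to zero) and a parent map for reconstructing
    the hop path back to the source address.
    """
    tainted = defaultdict(float)
    tainted[source] = source_amount
    parent = {}
    for tx in transactions:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = sum(tainted[addr] for addr, _ in tx["inputs"])
        if tainted_in == 0:
            continue  # transaction touches no ransom funds
        ratio = tainted_in / total_in
        # Attribute the hop to the input carrying the most ransom money.
        from_addr = max(tx["inputs"], key=lambda inp: tainted[inp[0]])[0]
        for addr, amt in tx["outputs"]:
            tainted[addr] += amt * ratio
            parent.setdefault(addr, from_addr)
        for addr, _ in tx["inputs"]:
            tainted[addr] = 0.0  # spent; the funds now sit in the outputs
    return dict(tainted), parent


def hops_from_source(parent, addr, source):
    """Number of transactions between the source address and addr."""
    n = 0
    while addr != source:
        addr = parent[addr]
        n += 1
    return n


def summarize(transactions, labels, source, amount):
    """Where the ransom money currently sits, grouped by attributed entity,
    plus the hop count for every address still holding tainted funds."""
    holdings, parent = trace_taint(transactions, source, amount)
    by_entity = defaultdict(float)
    hops = {}
    for addr, amt in holdings.items():
        if amt <= 0:
            continue
        by_entity[labels.get(addr, "unattributed")] += amt
        hops[addr] = hops_from_source(parent, addr, source)
    return dict(by_entity), hops


if __name__ == "__main__":
    entities, hop_counts = summarize(TRANSACTIONS, LABELS, "ransom_addr", 75.0)
    for entity, amt in entities.items():
        print(f"{entity}: {amt:.2f} BTC of ransom funds")
    for addr, n in hop_counts.items():
        print(f"{addr}: {n} hop(s) from the ransom address")
```

On this constructed data, 55 of the 75 BTC end up in deposit addresses at one exchange, two and three hops away from the ransom address, which is the point at which a subpoena or seizure warrant becomes possible; the remaining 20 BTC reach a mixer entry point and cannot be followed further by this method. Real ledgers have thousands of hops and hundreds of co-spends, which is why practitioners rely on tooling and attribution data rather than reading the ledger by hand.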

Does it pay to pay?

The consensus within law enforcement agencies is that ransom payment is a slippery slope: If you pay once, you’re indirectly telling attackers you’re willing to pay again. Statistically, however, according to the State of Ransomware 2020 report from Sophos, organizations are more likely to get their data back after paying a ransom.

David Warshavski, VP of enterprise security at Sygnia, explains that most ransomware attackers often decrypt the data because the ransomware business thrives on reputation as much as fear. “It’s business, and reputation is the basic premise of the entire operation,” he says.

Although you’re likely to get your data back, the chances of getting all of it back are slim. On average, organizations recover only 65% of their encrypted files after payment, leaving more than a third inaccessible. And, unsurprisingly, paying a ransom doesn’t shield you from repeat attacks. Nearly 8 out of 10 enterprises that paid a ransom were hit a second time, with almost half of those attacks coming from the same threat actors who hit them the first time.

Despite the mixed results with ransoms, banning them altogether likely will not solve the problem. Every attack is unique, and in some situations payment is inevitable. One such scenario is the Colonial Pipeline breach, where the resulting gas shortages had wide-ranging effects on the national economy.

The way forward in cyberdefense

Ransomware isn’t going anywhere soon because malicious attackers are constantly evolving their tooling and tradecraft. Asaf Kochan, cofounder and president at Sentra, says “political cooperation between state-run cyber activities and ransomware groups” guarantees future ransomware success, a sentiment that Warshavski shares. “Nowadays, a common tactic nation actors use is to masquerade as ‘hacktivists’ to cause chaos,” Warshavski says.

Given the increasing presence of RaaS groups and nation-state activities, Kochan says winning the ransomware war goes beyond the private sector. The government, he stresses, must step in. “There are certain actions the private sector can’t do, but the government can do them.”

In Kochan’s view, the government has a bigger role than the private sector in mitigating threats. “The private sector can’t collect intelligence or mitigate threats at the source. If a threat actor attacks an enterprise, the enterprise can stop the attack only when it’s hit. . . . It can’t prevent the attack or stop cyber activities outside of its network. But a country [the government] can do it,” Kochan adds.

For Bennett, regulatory compliance is a game-changer when dealing with cybercrime at the national level. The legal and regulatory framework sets the tone for security in the private sector, which otherwise is more likely to treat cybersecurity as a nice-to-have.

Elboim, like Bennett, believes security is the role of the government more than anyone else. “Cybersecurity has never been a competitive advantage for private and quasi-government companies. Many private companies only do cybersecurity because they have to, not because they want to. The role of the government is to make every enterprise, especially critical private enterprises, invest in cybersecurity.”

Hatcher says the National Cybersecurity Strategy released by the Biden administration in March 2023 is a step in the right direction. Apart from addressing the current threat landscape, the strategy seeks to shift responsibility for cybersecurity away from end users and toward the organizations best placed to bear it, such as software vendors and infrastructure operators. “They’ve flipped the old adage of cybersecurity being everybody’s responsibility to now only belong to private companies’ IT departments,” he says.

Another interesting piece of the strategy, according to Hatcher, is a line under its second pillar (of five), which covers disrupting and dismantling threat actors, describing how the U.S. intends to pursue that objective: “Engaging the private sector in disruption activities through scalable mechanisms.”

It remains to be seen what this line actually means. “However,” Hatcher says, “if the government tapped into the wealth of offensive cyber talent in the U.S., America’s offensive and defensive cyber capabilities would shift dramatically.”
