Recent research by John Sakellariadis for the Atlantic Council delves deeper into the emergence of ransomware over the past ten years. It is well worth reading for CISOs trying to comprehend this sector.
The Rise of Ransomware
Cybercriminal gangs and the marketplaces that deal in targeted ransomware have faced almost unlimited demand for this kind of malware, which has allowed them to raise their extortion demands. They have also benefited from increasingly efficient methods to deliver their payloads, encrypt data, collect payment, and exert pressure on victims. The largest criminal organizations took in more than $10M each in 2020, the latest year for which data was available, and one (REvil) took in $100M. The paper details these changes as well as how the gangs professionalized their operations and increased their profits.
For instance, REvil announced it was putting up $1M to recruit new hackers. The Conti ransomware organization had more than 70 people working for it, with salaries paid in cryptocurrency. Some groups have evolved into full-service providers, renting out their botnets and setting up affiliate networks to reach a wider pool of operators.
Ransomware gangs have also quickly adopted the “double extortion” tactic: demanding a second payment to prevent data stolen before encryption from being published on the dark web.
Ineffective Policymaking and Handling of Cryptocurrency Payments
The paper identifies several conditions that enable this economy: numerous poorly protected victims, weak enforcement in the cryptocurrency sector, the difficulty of attributing attacks to specific perpetrators, and a patchwork of legal systems that lets these criminals operate freely across international borders.
According to the paper, the global money-laundering networks that enable bitcoin cash-out schemes make it impossible for the federal government to implement effective regulatory frameworks quickly or cheaply.
As long as effective cybersecurity is expensive and demands ongoing spending on staff and defensive tooling, the criminals will keep seeking out the easiest targets. According to the paper, small-to-medium-sized businesses are frequently forced to choose between security and affordability.
Negotiating with Attackers
When you choose to pay the ransom, what happens? How do you recover your data while negotiating with dishonest and perhaps unpredictable adversaries?
Demand “proof of life.” How do you know that, if you pay, the criminals will genuinely be able to decrypt your data? New ransomware strains have flooded the darknet markets, some of them poorly written and liable to corrupt or delete your data. In other cases, disorganized operators may not actually hold your key or know how to use it. Professional negotiators now routinely demand “proof of life” from the attackers and require them to decrypt a test file to demonstrate that they can.
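A “proof of life” is only worth something if you can verify the returned file, not just open it. The following is an added example (not from the original article or the Atlantic Council paper) of how a defender can check a test decryption: the strong check compares the returned file’s SHA-256 against a manifest recorded from a pre-attack backup, and the weak fallback, for files with no manifest entry, only confirms the file carries the expected magic bytes for its type. The manifest format, the directory layout and the sample files are constructed for illustration.

```python
"""Verify a ransomware 'proof of life' test decryption.

Added example, not code from the original article or the paper it summarizes.
Assumptions (constructed): the defender has a SHA-256 manifest built from a
clean backup, keyed by path relative to the backup root; files without a
manifest entry fall back to a magic-byte type check.
"""
import hashlib
import os
import tempfile

# Well-known file signatures used only as a weak fallback check.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record SHA-256 for every file under root (run this against a clean backup)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_proof_of_life(relpath, returned_path, manifest):
    """Return (ok, reason) for a file the attackers claim to have decrypted.

    Strong check: hash matches the pre-attack manifest entry.
    Weak check (no manifest entry): file is non-empty and starts with the
    expected magic bytes for its extension. A weak pass shows the file is
    plausibly the right type, not that it is byte-identical to the original.
    """
    if not os.path.isfile(returned_path) or os.path.getsize(returned_path) == 0:
        return False, "returned file missing or empty"
    expected = manifest.get(relpath)
    if expected is not None:
        actual = sha256_file(returned_path)
        if actual == expected:
            return True, "sha256 matches pre-attack manifest"
        return False, f"sha256 mismatch: expected {expected[:16]}..., got {actual[:16]}..."
    magic = MAGIC.get(os.path.splitext(relpath)[1].lower())
    if magic is None:
        return False, "no manifest entry and no known signature for this extension"
    with open(returned_path, "rb") as f:
        head = f.read(len(magic))
    if head == magic:
        return True, "weak pass: magic bytes match (no manifest entry)"
    return False, "magic bytes do not match the expected file type"


def demo():
    """Constructed scenario: a faithful return, a corrupted return, and an
    unlisted file that can only be type-checked. Returns pass/fail per case."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as ret:
        os.makedirs(os.path.join(backup, "finance"))
        with open(os.path.join(backup, "finance", "q3.pdf"), "wb") as f:
            f.write(b"%PDF-1.7\n% constructed sample\n")
        manifest = build_manifest(backup)

        good = os.path.join(ret, "q3.pdf")
        with open(good, "wb") as f:
            f.write(b"%PDF-1.7\n% constructed sample\n")          # identical bytes
        bad = os.path.join(ret, "q3_bad.pdf")
        with open(bad, "wb") as f:
            f.write(b"%PDF-1.7\n% mangled by a buggy decryptor\n")  # opens, but wrong
        unknown = os.path.join(ret, "notes.png")
        with open(unknown, "wb") as f:
            f.write(MAGIC[".png"] + b"\x00" * 16)                  # not in manifest

        return {
            "good": verify_proof_of_life("finance/q3.pdf", good, manifest)[0],
            "bad": verify_proof_of_life("finance/q3.pdf", bad, manifest)[0],
            "unknown_png": verify_proof_of_life("notes.png", unknown, manifest)[0],
        }


if __name__ == "__main__":
    print(demo())
```

The corrupted case is the one that matters: a PDF that opens in a viewer would pass a casual “does it work?” check, but the hash comparison catches a decryptor that silently alters file contents. Choose test files that exist in your backups so the strong check is available, and treat a weak pass as inconclusive.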
Treat a ransomware negotiation like a commercial transaction. Stay composed, level-headed, and rational. Approaching it this way increases the likelihood of the best outcome for your company, because for the criminals it IS a business deal. They frequently accept less money if they believe they will receive it sooner.
Don’t try to fool the attackers by posing as someone you are not, or in any other way. Today’s criminals often spend weeks or even months inside your network before they deploy ransomware and hold you hostage, and during that time they learn a great deal about your company.
Attempts to deceive the attacker usually make a ransomware negotiation harder. The criminals hit back instantly: “Not according to your financials.” In another case, a company’s IT administrator posed as a high school student and claimed he could only afford a ransom of a few hundred dollars. It was a lie, and the criminals knew it.
Don’t expect the standard hostage-negotiation principles to apply to ransomware. Unlike a human hostage situation, the criminals do not need to feed, shelter, or guard a living captive.
They rarely keep track of any particular case, especially when the ransom is small. If you wait too long, the attackers may lose the ability to decrypt your data because they have moved on to a different attack strategy, ransomware strain, or victim. They also tend to discard old decryption keys as they find new victims.
Avoid making promises you cannot keep. Absurd as it sounds, a ransomware negotiation requires some degree of trust on both sides. If you offer the criminals something, such as payment by wire transfer by a specific date, keep your word. Otherwise they may stop replying or retaliate by publishing your data. A fairly prominent incident involving an orthopedic clinic underscores this point. The clinic said it would be open to a wire transfer and then failed to do what it had told the hackers it would do; some of the public leaks of patient information were a direct result. At other times it missed the deadlines the criminals had set, enraging them.
Frame it as a joint effort. You and the criminals share an interest in the outcome. When speaking with them, use the word “we” to emphasize this.
Hire an expert to help. Handling a ransomware negotiation is challenging, to put it mildly. If you are being extorted, bring in an experienced ransomware negotiator.
How Can You Prevent Ransomware Attacks?
Policymakers should measure their effectiveness against targeted ransomware by the total volume of ransom payments, not merely by the absence of attacks on high-profile targets. It is time to start investing in a more stable future.
Both individuals and businesses should follow these recommended practices to avoid becoming ransomware targets:
- Understand the threats before an attack occurs.
- Maintain system updates.
- Invest in trustworthy security software and take advantage of it.
- Back up your files frequently.