Ransomware has become one of the most widely reported cyber threats in recent time. It has affected countless individuals worldwide as well as organisations of all sizes across a diverse range of industries and sectors.
For those new to the term, ransomware typically involves the introduction of malware onto a system that locks (encrypts) files and systems until a fee (ransom) is paid. Theoretically, if a ransom demand is paid on time (usually via cryptocurrency such as Bitcoin) then the criminals behind the attack will provide the decryption key to restore the locked files and systems.
It used to be a simple choice; pay up and hopefully regain access, or don't pay and lose access. The latter option leaves the restoration of systems from backup as the only viable recovery option. Unfortunately, ransomware operators have developed their tactics, techniques, and procedures to introduce new dynamics and dilemmas to this already awful practice. This tactical shift has been especially apparent since the introduction of new data privacy laws. These laws demand greater degrees of accountability as well as potentially substantial financial penalties for breaches.
Weaponising sensitive data
Today, many of the big ransomware players such as REvil aka Sodinokibi, Maze, Ragnar Locker etc now seek to infiltrate an organisation's network and exfiltrate sensitive commercial and personally identifiable information (PII). Once this has been achieved, they will then initiate their encryption tools and exact their ransom demands as before. The information stolen prior to encryption is used to blackmail the victim and acts as additional leverage to encourage prompt payment. Should the ransom go unpaid, then the information is publicly released or auctioned off to the highest bidder. This practice of weaponising sensitive data has been highly effective, leading many other ransomware operators to follow suit.
Collaboration and 'celebrity' status
A concerning development in the world of ransomware is the collaborative approach being taken by operators that were previously rivals. For example, Maze have recently formed a 'cartel' where they pool resources and share their data leaking platform with other ransomware operators, presumably for a mutually beneficial arrangement. Successful collaboration of this nature between criminals does not bode well for future victims.
A particularly frustrating and unhelpful trend has been observed involving certain cyber security news vendors. These vendors are regularly reaching out to ransomware operators for quotes as well as reporting on their every move and intention in a paparazzi-esq manner. This grubby style of reporting is unhelpful on multiple levels, as it serves only to elevate these criminal gangs to a pseudo-celebrity status. Not only does it provide both limelight and a platform for the operator's nefarious activities, but it also applies additional, unwelcome pressure and embarrassment to the victims. There is certainly a requirement to report on ransomware incidents with a view to raising awareness and prompting action, but this current trend is unhelpful and distasteful.
To pay or not to pay?
The UK's National Cyber Security Centre (NCSC) and National Crime Agency (NCA) does not "encourage, endorse or condone the payment of ransom demands". This is an entirely sensible line to take, as paying a ransom effectively sustains the criminal market and will only encourage further attacks. In principle it is very easy to follow this approach, but when an organisation that's very survival depends on regaining access due to failed/insufficient/no backups; or from it being unable to weather the financial and reputational fallout resulting from leaking PII and commercially sensitive information, it is a huge dilemma. A modern ransomware situation is analogous withhostage taking; all very easy to say "we do not negotiate with terrorists", but it must surely feel like an altogether different story when it is someone you care about that is at risk. Being a decision-maker in a ransomware attack scenario is not an envious position to be in, so don't be quick to judge.
Unfortunately, it would seem that ransomware is not going anywhere, especially when it is proving so lucrative to criminals with its low risk, high gain business model. Now would be a good time to get your defences in order as well as ensuring that backups and contingency planning are in place and are tested regularly. If you need any help reviewing and improving your cyber security, then please get in touch.