Ransomware: the never-ending cyber threat

When it comes to ransomware, conventional wisdom says that you should never pay. Often, however, the reality is not that simple. If the data cannot be recovered from backup, or if the encrypted information is critical to the business, the business may have no choice but to shell out. According to Kaspersky, more than one in three organizations pay. Unfortunately for them, this is not necessarily the end of the story.

About the author: Patrick Martin, Senior Threat Intelligence Analyst, Skurio.

Modern ransomware doesn't stop at data encryption. It also exfiltrates data. With that comes the very real risk that the data will end up in shady dark web marketplaces, to be shared or sold over and over again. As far as hackers go, ransomware is the attack vector that just keeps on giving. In this context, the best advice for companies is to prepare for the worst and know how to react. One of the most effective techniques is to seed your systems with specially marked dummy data. When a ransomware attack occurs, a specialized monitoring service can then be used to find out whether any of your watermarked data has surfaced on the dark web. Once that is confirmed, rapid and decisive incident response and corrective action can follow.

Fearsome reputation

With its potential to disrupt all business activities, ransomware is possibly one of the most feared cyber threats. This reputation has been cemented by the fact that major ransomware incidents are never far from the headlines, often accompanied by a growing tally of days lost to outages, ransom demands and recovery costs. Capitalizing on this notoriety, cybercriminals have become increasingly daring, and the average ransom demand has risen to €10,000. That figure rises further once disruption and cleanup costs are taken into account. In one striking example, a severe outbreak in the city of Baltimore is reported to have cost over €14 million in remediation and lost revenue while payment systems were offline.

Worrying events

Typical ransomware tactics include blocking access to a victim's data or threatening to post it on a public website unless a ransom is paid. If that wasn't already enough to worry about, there are signs in the last 12 months that the ransomware threat may have entered a worrying new phase. Cybercriminals have started to turn up the heat by adding data exfiltration to their attacks. The strategy of combining ransomware attacks with data theft is a relatively recent development, but it is gaining ground. The top ransomware strains of 2019 (Ryuk, Maze, BitPyLocker, Trickbot, REvil/Sodinokibi and Emotet) all have data exfiltration capabilities. Ryuk and Sodinokibi alone accounted for a 104% increase in ransom payments in Q32,000 (from €65,000 in QXNUMX to €XNUMX in QXNUMX).

Two-pronged assault

Sodinokibi, in particular, has acquired considerable infamy after the malware was used to disrupt German auto parts maker Gedia Automotive Group, which was forced to shut down its computer network to protect connected industrial infrastructure. Gedia stood its ground and refused to comply with the ransom demand. Soon after, however, the group claiming responsibility for the attack began advertising more than 50 GB of confidential information stolen from Gedia, such as blueprints, for sale on a Russian-language underground forum. Such tactics allow attackers to threaten their targets with a double whammy. If a victim refuses to comply with the ransom note, they must face the possibility that large amounts of highly sensitive personal information could be distributed on the Dark Web. And yet, even if they comply and pay, there is no guarantee that the criminals won't leave their systems locked down or sell the captured data anyway. Stolen data is commonly used as additional leverage to force a payment. Industry experts advise against giving in to ransom demands: even if the criminals fully restore the stolen systems and data, every payment perpetuates the ransomware problem by proving it to be an effective money maker for cybercriminals. Perfect advice, in fact, until you suddenly find yourself on the receiving end.

Prepare for the worst

Until a proven defense against ransomware is found, businesses have to face the possibility that sensitive data could be leaked and traded on Dark Web forums. Nothing stops attackers from simply bluffing about having exfiltrated critical files during an attack. Even if the crooks share a sample of the stolen data, that is not conclusive evidence that it was taken during the ransomware attack, or that they hold copies of all the other data they claim to have. The data could have been stolen at another time, or even from a third party. The first step, therefore, should be to confirm whether the data really was stolen from you.

An effective way to verify whether data came from your systems is to label certain data sets in advance with dummy information. The technique involves seeding employee and customer databases with synthetic identities: records for composite personas that exist only in your own systems' databases. Watermarking data in this way, combined with a mix of automated and manual investigative techniques, is a reliable way to track your digital risk exposure well beyond your network perimeter. Automated tools can quickly detect watermarks on open web sources and less secure underground forums, while manual investigation is needed for the more tightly controlled Dark Web forums.

Access to many Dark Web forums is restricted to users who have received personal invitations or recommendations from other members of the community. Newcomers are scrutinized for any behavior that reveals their motivations. Openly searching for a specific set of data, for example, could be enough to raise the alarm that a user might be an undercover investigator working for a compromised company. Searching for a single name, such as a watermark identity, is more likely to escape attention. To go further, it is possible to take a snapshot of the data on a forum and then search it offline. That way no trace of the search is left for the criminal community to detect, and it is imperative that no such trace remains: it would be naive to assume that no one will notice what you are looking for online, which is why you should search offline.

In short, ransomware poses a significant threat to unprepared businesses and can be costly even for well-defended organizations, especially now that the addition of data exfiltration makes recovery more difficult.
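The watermarking approach described above, as an added example that is not part of the original article or any Skurio tooling: a registry of synthetic "canary" personas seeded per dataset (the names, addresses and dataset labels are constructed), and a function that searches an offline snapshot of a posted leak sample for those personas, so a claimed breach can be attributed to a specific internal database without querying the forum itself.

```python
import re

# Hypothetical registry of watermark ("canary") identities seeded into each
# internal dataset. The personas are constructed for this example and exist
# nowhere else, so any appearance outside your systems points to that dataset.
CANARY_REGISTRY = {
    "hr_employees": [
        {"name": "Marta Quillfeather", "email": "m.quillfeather@example.com"},
        {"name": "Desmond Arkwright", "email": "d.arkwright@example.com"},
    ],
    "crm_customers": [
        {"name": "Ingrid Vossberg", "email": "ingrid.vossberg@example.net"},
        {"name": "Tobias Renquist", "email": "t.renquist@example.net"},
    ],
}

def _normalise(text):
    # Lower-case and collapse whitespace so trivial reformatting by the leaker
    # (upper-casing, extra spaces, CSV quoting) does not hide a match.
    return re.sub(r"\s+", " ", text).strip().lower()

def find_canaries(sample_text, registry=CANARY_REGISTRY):
    """Return {dataset: [matched canary emails]} for a leak sample snapshot.
    The whole snapshot is searched locally, so nothing is queried on the forum."""
    haystack = _normalise(sample_text)
    hits = {}
    for dataset, personas in registry.items():
        matched = []
        for persona in personas:
            # Either the unique email or the full synthetic name is enough.
            if (_normalise(persona["email"]) in haystack
                    or _normalise(persona["name"]) in haystack):
                matched.append(persona["email"])
        if matched:
            hits[dataset] = matched
    return hits

def attribute_leak(sample_text, registry=CANARY_REGISTRY):
    """Name the dataset(s) the sample came from, or None if no watermark is present."""
    hits = find_canaries(sample_text, registry)
    return sorted(hits) if hits else None

# Constructed "proof" sample of the kind an extortion group might post.
LEAKED_SAMPLE = """id,full_name,email_address,department
1041,Jane Roe,jane.roe@example.org,Finance
1042,MARTA QUILLFEATHER,M.Quillfeather@EXAMPLE.com,Engineering
1043,John Public,john.public@example.org,Sales
"""
if __name__ == "__main__":
    print(attribute_leak(LEAKED_SAMPLE))  # ['hr_employees']
```

Because each dataset carries its own personas, a hit tells you not only that the sample is genuine but which database was exfiltrated, which narrows the incident response scope.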