Ransomware - When victims pay, everyone pays
Cyber Scale
18th Dec 2020
Ransomware is big business, and business is certainly booming for cyber criminals.
It's becoming all too frequent to hear of the next large corporation to be hit with a Ransomware attack, taking down services and putting the personal data of millions of customers at the mercy of the now highly organised, effective and increasingly 'business-like' criminal ransomware groups.
It is not just down to luck, or natural progression and growth that these groups are now able to successfully implement attacks against large, successful and (you may think) well-protected businesses. Put simply, it's just down to good, albeit criminal business.
More and more ransomware victims are choosing to pay the ransom to get their businesses back up and running, and in doing so they are filling the coffers of criminal organisations and effectively bankrolling subsequent attacks. More money means more resources to re-invest in the business of ransomware: building better tools, more sophisticated and nuanced delivery methods and more intelligent and dynamic payloads. Ultimately this then leads to more successful attacks and more ransom money in the bank, which leads to better tools... it's one hell of a business model.
You don't need to look far for examples of this evolution in action. Take these incidents from the past year alone:
- On New Year's Eve 2019 foreign currency giant Travelex was crippled by REvil ransomware, with the responsible group adding blackmail to the mix by threatening to release the encrypted data into the public domain if payment terms were not met. Travelex reportedly paid $2.3 million to end the attack, but the effects on the business have been long-lasting and they have still not fully recovered to this day.
- More recently, in July this year, US travel company CWT suffered an attack of Ragnar Locker ransomware, deployed by a ransomware group with a surprisingly customer service-focused offering. A representative from the group engaged in an online chat with CWT execs to negotiate payment, and CWT ended up paying the bargain price of $4.3 million to decrypt their data and, again, prevent the group from releasing the stolen files (initially the request was for $10 million, however CWT were given a discount for responding quickly).
- Own a Garmin device? Then I'm sure you'll be aware of the breach that affected Garmin services for days, also in July this year. Garmin were infected by WastedLocker, a strain of ransomware largely believed to be attributed to 'Evil Corp', a Russian cyber crime group that was hit with US Treasury sanctions in December 2019 for affiliation with a Russian Intelligence operation to steal classified US Government documents. Apparently unperturbed by the risk of falling foul of the sanctions, it is widely reported that Garmin enlisted a third party to engage with the criminal gang, allegedly paying a multi-million dollar ransom to get control of their data, and services, back online.
So even in the face of specific Government sanctions (as well as more general federal laws against funding criminal organisations) it's clear that in the eyes of Big Business, the choice to pay the ransom comes down to a simple calculation: the cost of recovery (if recovery is possible at all) plus the cost of the prolonged disruption to business during that recovery, weighed against the cost of the ransom itself. Evidently for many businesses these days, paying the ransom is the cheaper option.
In many cases the decision has already been made prior to any attack taking place. Should a business lay out the budget for enhanced security, business continuity and disaster recovery strategies, doing their damnedest to prevent a ransomware attack and to recover quickly if one succeeds? Or simply accept the risk, hope they won't be the next big victim and opt to pay up if worst comes to the worst?
For many businesses the risk is an acceptable one, but this feels wrong. Large organisations answer only to their shareholders, that much is clear. But they do so knowing that in paying a ransom they are effectively arming the enemy with bigger, more powerful weapons, and it's then good luck to whoever happens to be in the crosshairs for the next assault. Surely there's a moral choice to be made here, and not simply a business one. Isn't there an obligation not to line the criminals' pockets, for the 'greater good'?
The consensus among Cyber security professionals is that we are all on the same side, and should fight the good fight.
"Every time a ransom is paid to the criminals - it is comparable to 'seed funding' for an upstart technology company" says Morten Gammelgard, Executive Vice President at Danish Cyber security innovators Bullwall. "It allows them to do more, recruit more expertise and develop new features and vectors to deliver 'better and more capable ransomware strains' - only difference is the new technology from the criminals will negatively impact the world economy instead of adding to it like an upstart tech company would."
It's difficult even to argue that in paying the ransom you win the battle, if not the war. If anything, you've not only comprehensively lost that battle but are also paying for the enemy to upgrade their skills, equipment and intelligence in rallying for the next assault. More importantly, there is absolutely no guarantee that paying the ransom will mean an end to the war for your business. In fact it may well be just the beginning, as Gammelgard warns: "Organisations must consider the knock-on effects that occur when a ransomware outbreak takes place, it's not just the IT department that will be affected, it's their whole business operations."
Think about it. Your systems have been breached, putting your data, services, customers and the entire business itself at the mercy of cyber criminals, the same cyber criminals that then gave you the decryption keys and a receipt that thanks you for your business. Can you be sure they won't be back for more at a later date? While they may provide you with the key to decrypt your files, will they 'clean up' after themselves and remove all trace of the malware that triggered the encryption in the first place? There has to be some fallout: a thorough investigation into how the breach occurred and how it can be prevented from happening again, and an analysis and 'deep clean' of all your systems to identify and remove any lingering trace. Yes, you have your systems back, but if the business doesn't learn from the incident then it should expect many more ransom payments to come.
You may think that all these big businesses are big enough to look after themselves. If they want to put themselves and their similarly-equipped competitors in the firing line then why shouldn't they? Because, as with a war fought with artillery, there is always going to be collateral damage. In the cyber war, this means that whatever strain of ransomware can take out a big name like Garmin or Travelex can almost certainly do the same to countless smaller businesses in their wake. Once a strain of malware is out in the wild it's essentially fair game: the malware technology will always work its way down the chain until it becomes a common, go-to tool for your everyday cyber criminal-wannabe. As the cycle turns, big companies are breached, then panic and pay the ransom, funding the criminals who use the money to scale up and increase their capabilities, making it easier to attack other big companies who will no doubt pay more ransom, and on it goes. In the meantime the same ransomware will likely infect smaller companies with less security and fewer resources, for whom paying a ransom is simply not an option.
It's true that large corporates enjoy their status and their success probably due in no small part to the fact that they look after number one. But how long is that stance sustainable on a battlefield where the enemy keeps getting stronger and the targets keep pushing each other into the line of fire?
There are other options. The cyber security community has obtained or developed decryptors for many common ransomware strains, so all may not be lost in the event of a crypto attack. Aside from solid cyber security practice generally, there is a lot to be said for spending time and money on failsafe disaster recovery (DR) contingencies. While it's true that (in yet another example of the exact problem at hand) ransomware developers are adapting to counter more traditional recovery methods, by checking file systems for 'shadow copies' of data or specifically targeting backup systems, there are options to try and avoid losing everything. Immutable, air-gapped, off-site read-only copies of data are usually a last resort, but surely preferable to paying a ransom and funding criminal groups? Hopefully with a change of viewpoint some large corporations will start to add the value of 'doing what is right' into their calculations and ALL businesses at all levels can begin to fight back.
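One defensive counterpart to the shadow-copy and backup-targeting behaviour mentioned above is to alert the moment local recovery points are being wiped, well before the ransom note appears. The following is an added illustration, not CyberScale's or any vendor's code: it scans constructed process-creation log lines in a hypothetical format and flags the widely documented recovery-wiping commands (the rule names, log format and sample lines are all made up for this example).

```python
import re
from dataclasses import dataclass

# Command-line patterns tied to wiping local recovery points: Volume Shadow
# Copies and the Windows backup catalog (MITRE ATT&CK T1490). Hypothetical rule set.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}

# Constructed log format (not a real product's): <timestamp> host=<h> user=<u> cmd=<command line>
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$")

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str

def detect(lines):
    """Return one Alert per log line whose command matches a recovery-wiping pattern."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:            # malformed line: skip rather than crash the pipeline
            continue
        ts, host, user, cmd = m.groups()
        for rule, pattern in PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, rule, cmd))
                break        # one alert per line; first matching rule wins
    return alerts

# Constructed sample log: a backup service listing copies (benign), a user account
# deleting them (suspicious), an unrelated file named "shadows" and a malformed line.
SAMPLE_LOG = [
    r"2020-12-18T09:14:02Z host=FS01 user=CORP\svc_backup cmd=vssadmin list shadows",
    r'2020-12-18T09:14:05Z host=FS01 user=CORP\jsmith cmd="C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    r"2020-12-18T09:14:06Z host=FS01 user=CORP\jsmith cmd=wmic shadowcopy delete",
    r"2020-12-18T09:14:07Z host=FS01 user=CORP\jsmith cmd=wbadmin delete catalog -quiet",
    r"2020-12-18T09:15:00Z host=WS07 user=CORP\asmith cmd=notepad.exe C:\Users\asmith\Documents\shadows.txt",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
```

Backup agents and administrators run these same tools legitimately, so in practice such a hit is correlated with the account, host and time of day rather than treated as a verdict on its own.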
Security firms estimate that in 2019 ransomware collectively generated $25 billion for cyber criminals, and that figure is trending alarmingly upwards. At what point will businesses realise that the cost of paying a ransom, morally or financially, is just too high?
If you would like to learn more about CyberScale you can do so at www.cyberscale.co.uk