Putting everything else aside, there’s one thing you can’t deny about ransomware:
It’s good business.
After all, what would most businesses do for a 56% conversion rate? How about 56% on a $300,000 product?
Ransomware, at least in the modern sense, is only about seven years old. Yet it’s already a multi-billion-dollar problem, for everyone other than the attackers themselves.
Why, though, is it so effective? How are hackers getting their victims to cough up inordinate amounts of money, so consistently? We can point to at least a few reasons:
1. Reasonable Ransom Demands
The first “modern” ransomware–the thing that kicked off this entire trend–was called “CryptoLocker.” It spread via malicious email attachments which, when clicked, downloaded a trojan horse to the target computer. The payload then contacted its command and control server and generated a cryptographic key pair which would be used to lock up certain kinds of files. Victims would see a pop-up message on their screens, asking them to cough up a ransom in exchange for recovering their data. That ransom added up to a grand total of…
(image via Ars Technica)
It may not be a popular thing to say, but ransomware attackers are typically quite reasonable. The payments they demand are, generally speaking, below what they could get away with.
A great example of this came recently, in the Colonial Pipeline attack. Headlines homed in on the healthy sum that the perpetrators (initially) walked away with: $4.4 million. While in a vacuum that might seem like a lot, it must be noted that Colonial was the specific, lone target of the attack. In other words, that figure was devised for them. And what’s $4.4 million to Colonial Pipeline? Not much. The company earns about $3.5 million in revenue every day. As one cybersecurity CPO told Forbes:
“They could have easily required 10 times that.”
From CryptoLocker to Colonial Pipeline, ransomware hackers have been demanding less than they could. There are a few reasons for this. Firstly, they really want you to pay.
The second reason is that, more often than not, they’re going after the right organizations. Ever since Ryuk, hackers have evolved from spray-and-pray attacks like CryptoLocker to targeted attacks against big business and industry. Now they can ask for the kind of money that makes them happy, without dissuading victims with irrational price tags.
Lastly, ransomware groups do their due diligence. As Darkside–the hackers behind Colonial Pipeline–wrote in a “press release” last summer:
“Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income.”
(image captured from Bleeping Computer)
Over time, we should see ransom demands scale up to meet a market equilibrium (that being the uppermost point at which companies will still pay the ransom). We’re already seeing that happen, as hackers push the boundary further and further.
(image via Coveware)
According to Tech Monitor, in 2020 the average ransom payment rose from around $115,000 to over $300,000.
2. Leaking Data
In November 2019, one ransomware group changed the game.
They were attacking Allied Universal, a security and staffing company. At first, nothing seemed particularly out of the ordinary: the ransomware, “Maze,” locked up Allied’s data, and the payment to get it back was set at about $2.6 million. Allied refused to pay, and that’s when things got interesting.
You see, the Maze attackers did something no one had ever tried before. Prior to encrypting all their target’s data, they downloaded 7 GB of it. So when Allied refused to pay up, the Maze group had a second form of leverage: leakable sensitive information. They told the company that, if they continued to hold out, the stolen data would be posted to a public website.
This tactic is sometimes referred to as “double extortion.” If there were ever a sign that 2E was a good idea, it’s that other groups immediately stole the idea. The month after Allied, a data center was 2E’d. The month after, another staffing company.
It’s not just that companies don’t want their sensitive information on the public web (although that’s certainly an unwelcome prospect). 2E can be effective for all kinds of other reasons.
For example, plenty of organizations have found that the reputational damage from a ransomware attack outweighs the cost of the ransom itself. 2E risks extending the news cycle, and causing further embarrassment. One group that understood this well was the Iranians behind “Pay2Key.” Late last year, they attacked a series of Israeli organizations in a campaign that combined economic and political motives. By dumping the data of targets that didn’t pay, they achieved what amounted to a national embarrassment.
(image via Check Point Research)
2E is also effective because data breaches are so legally perilous. When employee and customer data is on the line there are regulations and class action lawsuits to worry about. Suddenly even $2.6 million looks like a bargain.
3. Attacking Customers and Clients
When a target doesn’t pay for a decryption key, you can threaten to leak their data. But what happens if they continue to hold out, even then? Recently, REvil–the ransomware-as-a-service operation behind the “Sodinokibi” ransomware–came up with a way to handle that.
REvil’s been at the forefront of this space for a couple of years now. After the Maze attackers invented 2E, a REvil affiliate became the first group to mimic that tactic. REvil has been connected to Darkside, the group behind the Colonial Pipeline attack. But their greatest contribution has been an entirely new method of extracting ransoms: what’s been occasionally referred to as triple extortion. They introduced it in an announcement back in February.
(image via Bleeping Computer)
The operative idea here is that, rather than just extorting the target, attackers can up the ante by spreading the attack around the target’s near circle: vendors, media outlets, customers. Exactly how this works in practice can vary, case to case.
For example, imagine an organization is stubbornly refusing to pay a ransom, even at the risk of their data being leaked. If their attacker then calls their suppliers, warning them that their own data would be exposed in that leak, those vendors might apply some pressure themselves.
Or consider one of the earliest cases of 3E: the attack on Finnish psychotherapy company Vastaamo. Vastaamo’s hackers were able to apply massive pressure, by threatening to publish patients’ therapy records online if the company didn’t pay up. They then followed through on that promise. At the same time, they used contact information stolen from the company’s databases to blackmail customers individually, threatening to leak their personal records unless they paid (smaller) ransoms. One patient told Wired how it felt to be in that position:
“There are periods when I’m depressed and can’t sleep. And at one point, I was suicidal. But I’m going to die anyway, and it won’t take long. For my wife and children, however, this will affect them forever.”
4. Quality Ransomware Customer Service
One of the strangest customer service conversations you can imagine occurred last July.
It began when a representative from CWT Global, a billion-dollar travel company, reached out to a support agent:
– Hello! Can I help you?
– Hello? What do we need to do to get our data deleted from your servers and unlock our files?
The support agent–indicated by a cartoon avatar of a man in glasses–replied with all the enthusiasm of your typical robotic service agent. Except he was representing a cybercriminal gang that was fleecing CWT for millions of dollars.
Putting the actual content aside, you could’ve mistaken it for any ordinary business deal. Both sides were cordial. The support agent was downright helpful.
– The plan is to pay within 24 hours if we can afford it. I understand that you probably saw a large revenue number online, but please take into consideration that we have made way less than our normal revenue since the pandemic started. No one has been traveling so our sales have plummeted to a scary level.
– We appreciate that you are ready to close the deal promptly, we are businessmen, just like you. So if you are ready to pay Within 24 hours, we can give you a 20% discount [. . .]
Through productive discourse, CWT managed to negotiate down from a $10 million ransom to $4.5 million. The next day, 414 Bitcoin arrived in a wallet controlled by the hackers.
(image via Reuters)
Cybercrime has always had its more professional elements–hackers that operate like businessmen, marketplaces possessing all the efficiency of any e-commerce site–but ransomware groups are by far the most corporate of the bunch. They dedicate time and resources to marketing, R&D, support and other “customer”-oriented services. As one threat analyst put it:
“You’ll get better service from some ransomware groups than the IRS, though that’s a fairly low bar.”
It’s not even a particularly new phenomenon. Half a decade ago, cybersecurity company F-Secure did a study on it, measuring which ransomware-as-a-service group provided the best customer experience.
They began by creating a fake persona–a 40-year-old woman named “Christine,” who knew nothing about technology–and went looking for trouble. They encountered malicious actors such as those behind the “Jigsaw” ransomware, who were remarkably accommodating:
The initial ransom had been $150 but the agent, communicating via email, kept it at $125 due to “Christine’s” confusion about what had happened to her files. The ransom was supposed to jump to $225 after 24 hours, which the agent didn’t enforce.
When “Christine” asked for assistance in making the Bitcoin payment, the agent was very helpful. He found her the most suitable Bitcoin vendor for her location, one who happened to accept payment using Paysafecards. The agent then found stores in Christine’s location where she could buy a Paysafecard, and explained how to use the card. He offered to stay online to assist with making the payment. He allowed more time when “Christine” explained having a holiday weekend coming up.
A researcher commented on how it felt to talk to the ransomware agent:
“It seemed like he wanted to solve the case in a way that would work out best for me. Of course, ‘best’ would be never to have had files ransomed in the first place. But that aside.”
The attacker was so cordial that, as another researcher noted, “he got our reviewer feeling guilty for tricking him.” And that’s kind of the point: logical or illogical, victims are more likely to pay attackers that appear friendly and human, and provide help instead of hostility.
The Bottom Line
It’s really, really difficult to defend against good ransomware.
Hackers just have so many ways of soliciting your money: they can lowball you, threaten to leak your data if you refuse, threaten your vendors and customers if you hold out, or, instead, provide the kind of service that gently coerces you into making the decision that benefits them.
Two prerequisites are necessary to prepare your organization against all that firepower.
First, you have to have the right kind of tools in place. That might mean installing one-way hardware–to stop attacks from breaching the first line of defense–or advanced endpoint detection and response–to address attacks once they do get in. Classical cybersecurity solutions might miss the high-powered, stealthy malware ransomware authors have at their fingertips, but artificial intelligence- and machine learning-powered versions of those same solutions can do a better job of picking up on malicious activity, or simply of efficiently and effectively bolstering a cybersecurity posture before attacks arrive.
But good tech alone isn’t enough. Today’s organizations also require a mind shift. A new way of thinking about this problem.
Zero trust is the theory and praxis of removing all implicit trust, and the dependencies that come with it, from an organization’s IT systems. Achieving 0T can go a long way towards preventing attackers from gaining that initial foothold in a network–the launch point they need in order to lock up data and initiate their psyop.