Victims now face a minefield of risks and potential costs when deciding whether to pay ransomware attackers.
In the last two years, so-called “big-game” ransomware attackers have targeted businesses to compromise their networks, identify critical information assets and encrypt important files, rendering them inaccessible and unusable. Some of these attackers have adopted tactics and operational methodologies previously used by nation states. They favour entry via externally exposed services, establish persistence, map out and traverse networks, and identify vulnerabilities and misconfigurations that give them privileged access to corporate systems. They maximise disruption by seeking out and destroying backups and by disabling the security tools designed to limit the impact of such attacks. Their ultimate goal is to find the critical information whose loss would cripple business operations, such as customer databases or product ordering systems, and both steal and encrypt those files.
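The backup-destruction step described above is one of the few parts of a ransomware intrusion that is cheap to detect in advance of encryption, because it relies on a small set of built-in Windows commands. The following is an added example, not code from the original post or from MDR Cyber, showing detection logic for those commands run over a handful of constructed process-creation events. The event field names (`Computer`, `Image`, `CommandLine`) follow Sysmon Event ID 1 conventions but are an assumption of this example; the sample events are made up for illustration.

```python
import re
from collections import defaultdict

# Command patterns commonly used by ransomware operators to inhibit
# recovery (MITRE ATT&CK T1490) or stop backup/security services (T1562.001).
# Each entry is (rule name, compiled regex over the process command line).
RULES = [
    ("vssadmin shadow deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shadow storage resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("PowerShell Win32_ShadowCopy deletion",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
    ("backup/security service stopped",
     re.compile(r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service)\s+.*?(backup|veeam|acronis|defend|sophos|crowdstrike)", re.I)),
]

# Constructed sample events (assumed Sysmon-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"'},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},            # benign admin activity
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net stop "Veeam Backup Service" /y'},
    {"Computer": "WS03", "Image": r"C:\Program Files\Foo\foo.exe",
     "CommandLine": "foo.exe --help"},                      # benign
]


def match_rules(command_line):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(events):
    """Group rule hits by host: {host: [(rule name, command line), ...]}.

    Hosts with no hits are omitted so the caller only sees what needs attention.
    """
    findings = defaultdict(list)
    for event in events:
        for rule in match_rules(event["CommandLine"]):
            findings[event["Computer"]].append((rule, event["CommandLine"]))
    return dict(findings)


def triage(findings, threshold=2):
    """Rate each host: 'high' if it shows >= threshold distinct recovery-inhibition
    techniques (a single 'vssadmin list' or one service stop is often legitimate
    administration; several different techniques in sequence rarely are)."""
    return {
        host: ("high" if len({rule for rule, _ in hits}) >= threshold else "medium")
        for host, hits in findings.items()
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, severity in triage(hits).items():
        print(f"{host}: {severity}")
        for rule, cmd in hits[host]:
            print(f"    [{rule}] {cmd}")
```

In a real deployment the same rules would run in the SIEM or EDR against live process-creation telemetry, and the `high` rating is the point at which to isolate the host rather than wait for an encryption alert; by the time files are being encrypted the backups have usually already gone.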
Ransom demands have been driven upwards to astronomical levels, partly because many businesses decide they have no choice but to pay. In 2020 we saw unconfirmed claims of multimillion-dollar payments by Garmin and Travelex and more recently we saw the claim of a $34m demand against Foxconn.
The payment of ransom fees is controversial for obvious reasons: paying ransoms to organised criminal groups, which is what many of the attackers are, helps fund their activities and creates incentives to carry out further attacks. Law enforcement agencies and others routinely warn against making payments on these grounds, and also for moral and ethical reasons. But some businesses, particularly those unprepared to deal with this situation, are left with a stark choice: refuse to pay and watch their customers go neglected, their business fail and their colleagues and employees lose their jobs, or pay and have a chance to recover.
Dual ransom demands to avoid leaks
Attackers know how to apply maximum pressure to their victims to elicit payments. Ransomware groups now routinely steal data before encrypting files, exfiltrating it to infrastructure they control and demanding two fees of their victims: one to decrypt the files and one to ensure that the stolen data is not published online. Data-leak websites are now commonplace; we are aware of several dozen ransomware groups that use this tactic to pile pressure on their victims. The screenshot below shows an example of such a “name and shame” site. Attackers have even quoted GDPR legislation to their victims, pointing to the regulatory penalties a confirmed breach could attract, in an effort to exert more influence.
Those who pay ransoms may also incur high recovery costs. Recent research found that businesses that paid ransoms typically incurred nearly double the cost of recovery compared with those that did not. This was due to the complexity of decrypting data with the attackers' tooling and getting systems back up and running, and, of course, the cost of the ransom itself.
Trust me, I’m a cybercriminal
It may not be surprising that some cybercriminal groups have not been true to their word. Recent reporting declared that several ransomware groups had failed to honour their promises not to publish data obtained from their victims, even after payment of a ransom. While there are reported instances of attackers not respecting the bargain negotiated with their victims, in most cases they do provide working decryption keys and refrain from publicly shaming their victims once the ransom is handed over. It makes good “business sense” for attackers to maintain a reputation for keeping their word, since victims weigh that track record when deciding whether or not to pay. It is, however, far less clear what the ransomware attackers will do with the data once it is in their possession. Any promise to delete stolen data should be treated with caution by businesses hoping for that outcome; for example, the Conti ransomware group reportedly provided a victim with falsified files in an effort to prove deletion. Cybercriminals are motivated by profit, and victims should assume that the data is likely to be sold to the highest bidder or shared among like-minded criminal communities to gain favour and credit.
Increasing risks of sanctions fines
Last year we also saw the EU announce sanctions against cyber attacker groups, and the US Office of Foreign Assets Control (OFAC) underline its intention to take enforcement action against businesses that facilitate ransomware payments to sanctioned entities. While these measures are aimed at discouraging the payment of ransoms following such attacks, it remains to be seen whether they will result in a significant reduction in payments. They may also drive deceptive behaviour by businesses wishing to hide their involvement, whether by hiring proxies to do their dirty work, routing payments beyond the reach of the US or EU sanctions regimes, or misrepresenting the payments. Regardless, we expect to see regulators impose fines on companies breaking these rules in the next six to twelve months.
Although it may seem like the right thing to do, businesses should be mindful that paying ransomware groups not only incentivises further attacks but generally leads to higher recovery costs, and exposes the companies concerned to the risk of sanctions breaches and very substantial fines. The risk that the attackers will not honour their side of the agreement must always be factored into the calculation.
Our State of Cybercrime 2020 report looked at the key events of 2020, of which “big game” ransomware was a key component, and also looked ahead to the world of cybercrime we can anticipate in 2030.
Our consultants regularly help businesses prevent, detect and mitigate ransomware attacks by ensuring they take an intelligence-led and risk-based approach to security, prioritising defense against the popular tactics, techniques and procedures used by ransomware actors.