While an organization can be attacked in a variety of different ways, some techniques get a great deal more visibility than others. Ransomware is one of the more commonly-known malware variants, and new evolutions in how ransomware attacks are carried out make it an even greater threat.
Impacts of “Traditional” Ransomware
Ransomware has gotten a reputation as the most famous type of malware in recent years, and for good reason. Worldwide ransomware epidemics like WannaCry demonstrated the potential global impact of a ransomware worm. On a more personal note, individuals and organizations that fall for a phishing email carrying a ransomware payload could lose access to family photos or a trove of intellectual property, customer data, and other valuable files.
Ransomware is such an effective threat because it is so simple. When a ransomware infection hits a computer, it quietly encrypts the files on the computer with an encryption key known only to the attacker. Since modern encryption algorithms cannot be brute-forced with today's computers, this leaves ransomware victims with no way to decrypt the files on their own.
If the victim doesn’t have backups or is unwilling to write off the encrypted files as lost, they are forced to pay the ransom to purchase the decryption key and decryptor for their files. Even then, there is no guarantee that the criminal will provide a key or that the decryptor will even work. For example, the Ryuk ransomware decryptor contains a well-known programming bug that causes it to improperly decrypt certain types of files.
Ransomware Plus Data Breach
Current best practice says that an organization or individual should never pay a ransom. Just like the signs at outdoor cafes, the logic is that if you “feed the animals”, they’re just going to come back for another handout. An organization that is infected with ransomware once is unlikely to have its security completely locked down even after the attack. Providing the attackers with hundreds of thousands or millions of dollars in ransom money simply gives them the resources needed to go after the same targets (or other ones) all over again.
Despite the costs of refusing to pay the ransom, including lost data and a higher price tag for recovery, many organizations have refused in recent years. However, since refusing to pay makes ransomware unprofitable for the attacker, attackers have taken additional steps to ensure that ransoms get paid.
In the past, a ransomware attack meant that the organization lost access to their encrypted data. Now, a ransomware attack means that the attacker may expose stolen data if victims refuse to pay the ransom.
While these threats have been around for some time now, ransomware authors have recently begun actually following through on them. The Maze and REvil ransomware variants in particular have either exposed stolen, sensitive data or made it clear that they will do so if a ransom is not paid.
The New Ransomware Dilemma
In the past, the choice with ransomware was whether it was better to lessen the cost of a ransomware attack (i.e. by paying the ransom) or to avoid “feeding the hackers”. With the new threats by ransomware authors, the price tag of not paying has gone up significantly.
If a ransomware infection is able to encrypt extremely sensitive information on a target machine, it is able to read and copy that data as well. When selecting data to act as “hostages” in these new ransomware attacks, the malware can deliberately select customer data (protected under GDPR or similar laws) and intellectual property that would be devastating if sold to a competitor.
With ransomware authors willing and able to leak data stolen during a ransomware attack, the decision of whether or not to pay takes on new dimensions. Beyond the price tag of failing to pay, including regulatory fines and loss of competitive advantage, doing the “right thing” involves allowing a hacker to breach customers’ sensitive data. This new development in the ransomware threat landscape makes it much harder to “not feed the animals”.
Protecting Against Ransomware Attacks
As the stakes of a ransomware attack go up, it becomes increasingly important for organizations to shore up their defenses against ransomware. In order to be effective, ransomware, including its new data exfiltration component, needs privileged access to the machines holding the types of sensitive data that a cybercriminal could use as leverage to force targets to pay the ransom.
Protecting against the new threat of ransomware-driven data breaches therefore requires controlling access to these repositories of sensitive data. In order to accomplish this, an organization needs to be able to do three things: identify where sensitive data is stored (regardless of location); test whether these data stores are vulnerable to known attacks (which could allow an attacker to bypass authentication requirements); and monitor and control access to the sensitive data, so that attempted exfiltration in preparation for a ransomware attack can be identified and blocked.
While a strong backup policy is a necessary component of protecting against ransomware, it is no longer enough. Organizations need a strong data security solution capable of protecting all stores of sensitive data on their network. With such a solution in place, this new development in ransomware may be more of an asset than a liability since detecting the attempted data theft may allow organizations to identify and eradicate a ransomware infection before it begins encryption.
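The last point, that attempted data theft is itself a detectable precursor to encryption, can be turned into a concrete monitoring rule. The following is an added example, not code from the original article or from any product it describes: it reads file-access audit records in an assumed `timestamp user action path` format, treats a hand-picked list of share prefixes as the organization's known sensitive data stores (both the format and the prefixes are assumptions), and flags any account that reads more than a threshold of sensitive files inside a sliding time window. The sample log is constructed inline so the script runs offline.

```python
"""Added example: flag bulk reads of sensitive file shares in audit logs.

Assumed log format (not from the original article):
    <ISO-8601 timestamp> <user> <action> <path>
Assumed inventory of sensitive data stores: SENSITIVE_PREFIXES below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical inventory of where sensitive data lives (step 1 in the text).
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/", "/shares/legal/")
# A burst of more than this many sensitive reads inside WINDOW is flagged.
WINDOW = timedelta(minutes=10)
MAX_SENSITIVE_READS = 20


def parse_line(line):
    """Split one audit record into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def is_sensitive(path):
    """True if the path sits under one of the inventoried sensitive stores."""
    return path.startswith(SENSITIVE_PREFIXES)


def detect_bulk_reads(lines, window=WINDOW, threshold=MAX_SENSITIVE_READS):
    """Return {user: (count, window_start, window_end)} for every user whose
    sensitive-file reads within some sliding window exceed the threshold.
    Only the largest burst per user is reported."""
    reads = defaultdict(list)
    for line in lines:
        ts, user, action, path = parse_line(line)
        if action == "READ" and is_sensitive(path):
            reads[user].append(ts)

    alerts = {}
    for user, times in reads.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                prev = alerts.get(user)
                if prev is None or count > prev[0]:
                    alerts[user] = (count, times[start], times[end])
    return alerts


def _build_sample_log():
    """Constructed audit records: one normal user, one noisy user on a
    non-sensitive share, and one account staging finance files in bulk."""
    base = datetime(2020, 6, 1, 2, 0, 0)
    lines = []
    for i in range(3):  # alice: a few HR reads spread over an hour
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} alice READ /shares/hr/review_{i}.docx")
    for i in range(30):  # bob: many reads, but of public material
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} bob READ /shares/public/brochure_{i}.pdf")
    for i in range(25):  # svc-backup: 25 finance files in under two minutes
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} svc-backup READ /shares/finance/ledger_{i}.xlsx")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for user, (count, first, last) in detect_bulk_reads(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} sensitive reads between {first} and {last}")
```

The rule is deliberately volume-based: a single account touching far more of the sensitive inventory than its baseline is the pattern that precedes both staging for exfiltration and mass encryption, so the same alert covers both. In practice the prefix list would come from the data-discovery step and the threshold from observed per-role baselines rather than the constants above.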