At a glance.
- Ransomware in 2021.
- Double-extortion ransomware.
- The growing futility of paying the ransom.
- Industry reaction to the Babuk attack on the Washington, DC, police department.
Ransomware trends in 2021.
Coveware has released its Quarterly Ransomware Report, and it shows that in Q1 of 2021, ransomware attacks that couple data encryption with data exfiltration, a method affectionately called “double extortion,” remained rampant. In fact, ransomware attacks are now more likely to incorporate data theft than not: a whopping 77% of attacks included a threat to leak stolen data, up from 74% in Q4 of 2020. That said, even with the added pressure of extortion, more victims appear to be refusing to pay, a smart choice given that Coveware’s research shows that giving in rarely leads to smoother mitigation. The average ransom payment was $220,298, a 43% increase over Q4 of 2020, largely due to the CloP ransomware group (responsible for the infamous Accellion FTA attack) and its predilection for targeting large enterprises and making exorbitant demands. The most common ransomware variants were Sodinokibi and Conti V2, while compromised remote desktop protocol (RDP) connections were the most common attack vector, surpassing email phishing.
The double-edged sword of ransomware extortion.
Speaking of double extortion, Check Point Software offers an in-depth look at this tactic and its rise in popularity in recent months. Put simply, in a double extortion attack the threat actors not only infiltrate the victim’s systems and encrypt their data, but also exfiltrate the data, often publishing a sample as proof. The strategy increases pressure on the target to pay up, not only because they want to prevent the release of the sensitive data, but also because the theft publicizes the attack, exposing the victim to penalties from data regulation authorities and forcing them to notify impacted customers and partners whose data were compromised. Recent victims include digital infrastructure company Equinix and K-Electric, the largest power supplier in Pakistan, both hit by Netwalker ransomware, as well as game developer Capcom, US military missile contractor Westech, and UK soccer club Manchester United. To avoid falling prey to a double extortion attack, Check Point advises looking out for any signs of a Trojan infection, often used as the delivery vector for ransomware, and keeping antivirus software up to date. Remote desktop protocol servers with vulnerabilities or lax security are often another point of entry, so protecting RDP is key.
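Both Coveware and Check Point single out compromised RDP as the leading way in, and password guessing against exposed RDP is the classic precursor. The following detection logic is an added example written for this briefing, not code from Coveware, Check Point or any of the organizations mentioned. It relies on two real Windows Security log facts: Event ID 4625 is a failed logon, Event ID 4624 a successful one, and LogonType 10 marks a RemoteInteractive (RDP) session. The event records are constructed samples, and the five-attempts-in-five-minutes threshold is an assumption an analyst would tune to their own environment.

```python
"""Flag RDP password-guessing bursts in Windows Security event data.

Added example, not part of the original briefing. Event IDs 4625/4624 and
LogonType 10 are real Windows values; the records below are constructed,
and the threshold/window defaults are assumptions to be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2021-04-26T02:14:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-04-26T02:14:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2021-04-26T02:14:05", 4625, 10, "backup",        "203.0.113.7"),
    ("2021-04-26T02:14:06", 4625, 10, "scanner",       "203.0.113.7"),
    ("2021-04-26T02:14:08", 4625, 10, "helpdesk",      "203.0.113.7"),
    ("2021-04-26T02:14:10", 4625, 10, "helpdesk",      "203.0.113.7"),
    ("2021-04-26T02:14:12", 4624, 10, "helpdesk",      "203.0.113.7"),   # success right after the burst
    ("2021-04-26T08:01:00", 4625, 10, "jsmith",        "198.51.100.20"), # a single mistyped password
    ("2021-04-26T08:01:20", 4624, 10, "jsmith",        "198.51.100.20"),
    ("2021-04-26T09:30:00", 4625, 3,  "svc_sql",       "198.51.100.44"), # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons inside `window`, recording whether a successful RDP
    logon from the same source followed within the window (the case an
    incident responder cares about most)."""
    failures = defaultdict(list)   # source_ip -> [(time, account), ...]
    successes = defaultdict(list)
    for ts, event_id, logon_type, account, src in events:
        if logon_type != RDP_LOGON_TYPE:
            continue                # only RemoteInteractive logons matter here
        t = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            failures[src].append((t, account))
        elif event_id == SUCCESSFUL_LOGON:
            successes[src].append((t, account))

    findings = []
    for src, fails in sorted(failures.items()):
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            # all failures from this one onward that fall inside the window
            burst = [f for f in fails[i:] if f[0] - t0 <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1][0]
            followed = [acct for t, acct in successes.get(src, [])
                        if last <= t <= last + window]
            findings.append({
                "source_ip": src,
                "failed_attempts": len(burst),
                "distinct_accounts": sorted({acct for _, acct in burst}),
                "window_start": t0.isoformat(),
                "success_after_burst": followed[0] if followed else None,
            })
            break                   # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

A burst that ends in a 4624 from the same source is the signal to treat as an active intrusion rather than noise: the account named in `success_after_burst` should be disabled and the session investigated. The same grouping logic works on events pulled from a SIEM; only the record-unpacking line changes.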
Once a crook, always a crook.
What doesn’t work in protecting against ransomware attacks? Payment. With the release of its latest State of Ransomware report for 2021, Naked Security examines why paying up, while tempting, is rarely the right choice. The problem is that even once payment is received, there’s no guarantee that the cybercriminals will meet their end of the bargain because they’re, well, criminals. The report shows that of the targets who met the attackers’ ransom demands, one-third got less than half of their data back. Approximately 50% lost more than a third of their data, and while just 8% got all of their data back, 4% got nothing for their money. The true catch-22 is that, when negotiating with ransomware groups, the victim is not just paying for the return of their data; they’re also paying the attackers to keep their promise that they’ve properly destroyed any stolen data. And this is a promise that’s simply impossible to prove, especially when many attackers accomplish the theft by running a series of upload scripts to copy the files to an account in an online file-locker service. Even if the crooks insist that they deleted the account, there’s always the chance that access to that account fell into the wrong hands before it was destroyed. In short, the best way to secure your data in a ransomware attack is to make sure the attack never occurs.
Babuk and the Washington PD: industry reaction.
As reported in the New York Times and elsewhere, the Washington, DC, Metropolitan Police have been hit with Babuk ransomware, and sensitive data are at risk of exposure; some doxing has already begun in order to increase the pressure to pay. We've heard from several industry sources who offered comment on the incident. Jeff Brown, CEO of Open Systems, sees the episode as presenting additional motivation to adopt a zero-trust approach:
“The Washington, D.C., police department today confirmed it is a victim of ransomware, as bad actors accessed its servers and are leaking confidential data about arrests and persons of interest. This is reportedly the third police department hit by ransomware in six weeks, and ransomware overall has soared 62% since 2019. Though the exact cause of this breach is unclear, all organizations must consider employing zero trust network access enforcement (ZTNA) to protect against ransomware attacks. ZTNA is a policy-based approach to cybersecurity that provides more thorough authentication, granular policy controls and greater scalability and simplicity, and its key principle is to never trust, always verify.”
Paul Bischoff, privacy advocate with Comparitech, points out the serious personal danger some forms of doxing bring with them:
“I would be very worried if I was a DC Police informant right now. Even if DC Police pay the ransom, there is no guarantee that the stolen data, including identities of informants, is safe. There is no way to ensure that hackers delete stolen data upon receiving a ransom. Government organizations aren't barred from paying ransoms to cybercriminals. Several local governments have done so. DC might pay the ransom in order to decrypt their data, but they'll never be able to guarantee data is out of the hands of criminals.”
Niamh Muldoon, global data protection officer at OneLogin, reminds us of the value that data have in the contemporary economy:
“This cybersecurity attack is a reminder to all that data is ‘liquid gold’ with both impacts and consequences from both cybersecurity and privacy perspectives. The data stolen can be used and can be harvested to understand user behaviors. Again this is a reminder to all organizations of the importance of putting multi-factor authentication (MFA) in place to support both cybersecurity and privacy requirements. Furthermore, malicious actors/attackers have also begun to prey on individuals as more of us are working outside protected office environments without appropriate security, leaving the door open to more cyber vulnerabilities. Security and risk teams should be supporting the business and IT functions to make informed risk-based decisions on how employees and contractors can work from home securely by applying MFA.”