CyberWire-X 7.17.22
Ep 33 | 7.17.22

Cybercriminals shift tactics from disruption to data leaks.


Rick Howard: Hey everyone, welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. In today's episode, we are talking about double extortion ransomware. A program note - each "CyberWire-X" special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view.

Rick Howard: I'm joined by Wayne Moore, the chief information security officer for Simply Business, a business insurance company based out of London. And Wayne is one of our regular subject matter experts here at the CyberWire's hash table. Wayne, thanks for coming on the show. 

Wayne Moore: Oh, it's nice to be back. Thanks, Rick. 

Rick Howard: So, Wayne, here in America, it feels like we've turned around twice and all of a sudden, double extortion ransomware is everywhere. And probably our highest-profile double extortion ransomware attack to date is the Colonial Pipeline ransomware attack of 2021. Are you all seeing the same thing across the pond in the U.K.? Is double extortion ransomware just the standard practice now everywhere we are? 

Wayne Moore: Yes, definitely. It seems to be the default approach now. 

Rick Howard: So just explain to our audience what that is. What's double extortion ransomware? Why did we give that really fancy name? 

Wayne Moore: Well, it started out with - originally ransomware was once they'd infected your systems, they'd demand some money for you to get some keys to restore those systems. But as we got wiser and smarter - I hope most of us anyway - we learned that good backup strategies were what was going to help us get through and mitigate that risk. But obviously, as we got better at restoring our systems and meeting those RTOs, our adversaries realized, well, they've still got to make their money. And they found another novel way to extort us for some cash. So they decided that they would start publishing, or threatening to publish, the information that they have managed to exfiltrate as part of the attack to either - publicly online or to competitors or wherever. But it's that additional threat after your systems have been locked up, to try and get you to pay, regardless of whether you can restore your systems or not. 

Rick Howard: So five years ago, the standard defense against the old-fashioned ransomware, like you said, was simply just to have a good backup program. So even if the bad guys encrypted all of your data, like they did in the Colonial Pipeline attacks - that was a hundred thousand gigabytes of data - we would just restore from backups, and everything would be peachy. But that's no longer adequate, is it? If the bad guy's also exfiltrating a hundred thousand gigabytes of data and selling it to God knows who on the darknet, that data is exposed, even if you do have a good backup and restore program. So what are you doing in addition in your program, in addition to the backup program, to safeguard against that? 

Wayne Moore: When you start looking at the threat of this data being published or sold on and things like that, we're talking about - reputation risk starts to come into it, more than operational risk. Or it's not only about operational risk anymore, shall we say. So your mitigation strategies need to be working out - well, how are you going to manage that reputational risk? So things that we're seeing people do now are having much better PR communication strategies, making sure that those comms plans are more readily executed than they may have been prior. And you're more likely to be in a position now where you may need to consider paying that ransom because paying that ransom may buy you some more time to work out, how are you going to get ahead of the messaging that might be coming out with it being published? 

Wayne Moore: So you need to be having those conversations with your boards and your senior managers about - there's - even more likely, we may need to pay the ransom to buy ourselves some time. Are you comfortable - is that something you want to do? So looking at comm strategies, looking at decisions around paying ransom - and if you are looking at potentially paying ransoms, it's about having people out there - providers to help you negotiate that ransom. There are whole entities set up for handling that. Incident response plans need to change, as well, to make sure that you are potentially executing on those PR comms plans much sooner than you would normally in an operational recovery scenario. 

Rick Howard: So what you're talking about here is resilience planning and crisis action planning. And like you said, deciding whether or not you're going to pay the ransomware - that's not something you should be doing in the middle of battle - right? - in the middle - in the heat of the moment. That should be a long conversation you have with boards and senior leadership about whether or not they'd be even willing to do that. So how do you broach that subject with your senior leaders about whether or not they want to do that or not? 

Wayne Moore: I think it's running the scenario with them and just being open. This is a real scenario that we may encounter. So I prefer to just approach it directly and say, look, this is the scenario in our industry. And in financial services, there are some real examples to draw on as well, which really brings it home. And the next thing is painting this scenario - a situation where you're unable to recover and that could impact your customers, your ability to provide services, your shareholders, everyone. And if your only option to save the business is to pay the ransom, would you do it? It's really putting it in those realistic terms and some real scenarios and drawing on what's happened in the industry out there really helps with that. 

Rick Howard: Those kinds of things don't have to be that complicated. I know we can do these exercises where it's an all-day affair and all the executives have to spend the whole day participating, but it doesn't have to be that complicated. I know in my last job, I would just invite the senior leaders into a lunch. They would come because it's a free meal. Even senior leaders want a free meal. You just drop the scenario on the table, what if we got ransomed? Would we consider paying the ransom? And just get their thoughts, at least initially, so we could draft a plan. Do you guys have kind of a range of scenarios you run the executives through, or is it all very formal? 

Wayne Moore: Before even approaching the board or senior leadership, it would be with my stakeholders that I'm meeting with on a regular basis, just running the scenario and saying, listen, what are your thoughts on this? And it's interesting listening to different leaders in the business, how they see things. Legal will have a different view from, say, someone who's looking after the operations side of things. That's really interesting, understanding the different perspectives on the same problem, 'cause they can come at it very differently sometimes. So I like to get that kind of understanding before bringing it maybe a little more formally to a meeting with the board or senior management or something like that. 

Rick Howard: Does the topic ever come up on the probability of the - in the criminals actually delivering on the keys 'cause it's not 100%? It's a lot less than that. Is that part of the equation they have to figure out? 

Wayne Moore: Definitely. I mean, what I'm saying about being open and honest - I've also got to paint the reality there. I think last stats I saw was, like, I think about 50% of cases aren't recoverable because either the bad guys made a mistake with the encryption algorithms or they delivered a bad key or some kind of mess up. I mean, they're human as well. They make mess-ups. It's definitely part of the equation to say, listen, there's only a 50% chance that if we pay - I mean, I'm assuming those numbers are correct - that there's a probability associated with whether recovery is reasonable after that payment. So that's definitely going to be part of it. Otherwise, you're providing assurances that are not real. 

Rick Howard: And even if you got the key and whether or not - how easy it is to recover it, 'cause sometimes you get a messy process to unlock everything. So that all has to figure into the equation. 

Wayne Moore: Exactly. Sometimes just burning it all and restoring from scratch is much simpler than trying to surgically unpick all the problems that have been introduced. 

Rick Howard: I was reviewing the Colonial Pipeline attacks last week, and that company - the Colonial Pipeline - they clearly had a plan 'cause the message popped up on one of the operator's consoles to say, hey, we got your ransomware. Within an hour, they started shutting down the pipeline flow. And that same day they notified the FBI and had $5 million in bitcoin ready to go, and they gave it to the DarkSide ransomware group that day. So they were ready to go. So they had already decided that we're going to pay the ransomware and not worry about it. That's called crisis planning, I think. 

Wayne Moore: Yes. I mean, that's an excellent example of good planning. You know, I think with the double extortion, your planning and practicing has also got to be on how you're going to engage with the public on that as well. It's not just being ready to pay and get your systems back up and running and report to the right entities. It's also how are you going to manage that message if it leaks out? And that may be something that we don't practice often enough. 

Rick Howard: Yeah, that was part of the Colonial Pipeline plan. They announced day - or the next day to the public, and they did every day until the crisis was averted. So yeah, they definitely had a plan in place to go forward. One of the other tools that we could use to prevent the second part of the extortion ransomware is encrypting our material data. If we encrypted our data so that they couldn't pass it to anybody else, then cause us harm, what - isn't that an option on the table that we should be thinking about, too? 

Wayne Moore: Yes, absolutely. And then it puts more emphasis on how you're protecting the keys. If it's all very well and good encryption - and you should do that, and especially - if it's not all encryptable, you should certainly be prioritizing your most sensitive data. But if you aren't looking after those keys - and during the operation, they have enough time to kind of work out how your key management system works, intercept all of that - they could technically still get it. 

Rick Howard: So let's go back to the comm plan too - I mean, 'cause that takes practice. That's not something you roll out during the crisis either. You need to have a pretty firm idea of what you're going to do 'cause there's kind of two options here, right? You can either announce early with incomplete information - and then that runs the risk of when you change the information later, customers and other people thinking that you're withholding information or lying about it, so that's one thing you had to worry about. And then the other way you could do it is wait till you have perfect information. And then you get accused of withholding information and not telling your customers what's going on. So your leadership has to decide which way to go there, right? 

Wayne Moore: Yeah, 100%, because dealing with reputational risk may be a little more tricky than the operational side of things 'cause it's - but you can at least test and predict what's going to happen in the operations side of things. But it can be quite hard to predict how the public will react depending on the context and all of that. So have some empathy for the people that are going through this with you, like your customers and things like that, and understand that they also want to know what's going on. And so there's potentially a middle ground there in the sense that you could go in early and say, listen, we know that something's up. We don't have complete information just yet. But they need to know when you're going to update them next, etc., etc., you know what I mean - managing expectations about what you know to date and certainly not lying about the situation. If you're caught out on that, then you do your reputation much more damage. 

Rick Howard: Even the perception of lying, even though you weren't - that's even a trickier line to walk sometimes. 

Wayne Moore: Yeah, absolutely. It's difficult, isn't it, because if you keep quiet about it, it leads to even more speculation about what you're not saying... 

Rick Howard: Right. 

Wayne Moore: ...And rightly so. It's - that's what I'm saying. It's very difficult in that there's a lot of people that need to be trained for how to interact with the media, how to say things. It's definitely something you need to have practiced and trained for. We maybe have people trained in our businesses for that, but how often have they practiced that as well? 

Rick Howard: Yeah - practice. Yeah, you need to practice. Yeah. It's a lot different when it's live, right? It's... 

Wayne Moore: Yes, absolutely. 

Rick Howard: ...A lot different that way. 

Wayne Moore: Yeah. 

Rick Howard: Let's raise it up to the strategic level. This - we're really talking about resilience here. And one of my favorite definitions of resilience is to be able to continuously deliver your services regardless of some cyber event, like a ransomware attack. If you look at the Colonial Pipeline attack, they had a great plan. They bought the keys, and they had a comm plan. But still, the United States on the Eastern seaboard - we were out of fuel for over a week. So they didn't really meet the resilience strategy objective. What are the things we could do to make sure we are continuing to deliver the service, especially for, like, your business, Simply Business. Are there things you can do on the IT side to make sure everything is working as we work through the crisis? 

Wayne Moore: You can do a lot for the things that you're in control of, so... 

Rick Howard: Yeah. 

Wayne Moore: ...Your world and the systems you build and all of that. But where it gets really tricky is in the supply chain. That could be quite a complex supply chain. We're talking nth degree on that chain. Options are, first of all, at least getting a good understanding of your critical suppliers, the ones that if something goes wrong, they impact your most critical business systems, you know, the ones that have almost a direct revenue impact quite quickly. You've got to understand what their security posture is like. What are they doing? What are their third parties doing for all of this? So your third-party assurance processes need to be in there. And if they are really critical and you have anything going wrong with you, it has a major impact downstream as well. 

Wayne Moore: I know the FCA is looking at ops resilience in this area, where if you have a material impact to the whole industry, you have a lot more control you need to put in place. So you need to look at that and think, do I need backup suppliers in case of one of them being hit, you know? So if that's a payment provider, maybe it's so risky that you do need to spend the extra money to have another payment provider that you can swap out in the case of them being hit, that kind of thing. 

Rick Howard: So it's much more than backups and encryption, is what you're saying. It's a much bigger resilience plan that we have to consider, right? That - and as the evolution of ransomware has happened, I guess that's what we're all saying to senior security executives. Think more strategically and not with the thing that's happening right now, I guess. Would you... 

Wayne Moore: Yeah. 

Rick Howard: ...Agree with that? 

Wayne Moore: That's right. And I think that's also why, if you look at here in the U.K., the - in the financial sector, anyway, the FCA has got this sort of operational resilience initiative that they're putting in. And there's been some deliverables early this year where the financial institutions have had to look at their business processes, the resilience around those processes, their vulnerabilities and put a plan in place to shore up those risks. But a big part of it is not just about the business itself. It's like I said, it's also about ensuring that the suppliers to your business and those third parties are also getting up to scratch. So even nonfinancial institutions are now having to raise their posture to support - so that kind of network effect that that regulation is starting to have, which, you know, could have a lot of benefit in this area. 

Rick Howard: Oh. It's all good stuff, Wayne, but we're going to have to leave it there. That's Wayne Moore, the chief information security officer for Simply Business. Wayne, thanks for coming on the show. 

Rick Howard: Next up is my colleague Dave Bittner's interview with Nathan Hunstad, the deputy CISO for Code42, our show sponsor. 

Dave Bittner: So today, we are talking about double extortion and how we got there - got here (laughter) and some of the things that we can do in the face of that. Can we start off with a little bit of the backstory here? I mean, I think, you know, we saw the rise of ransomware. And that led to a certain set of presumptions about how folks could respond to it. 

Nathan Hunstad: Yeah, absolutely. So you know, ransomware has been around for quite some time. The earliest instance of ransomware, I think, dates back all the way to 1989, actually. But it didn't become a huge security issue until around 2014 or 2015, in that time frame. And like you said, when it started taking over the headlines and affecting organizations, there was really just one attack. And that was the ransomware creators would gain access to an organization's network and sensitive data. And they would just encrypt the data and keep the data there, encrypted, and request a ransom to provide the decryption key. And so at that time, since the data was just sitting there, it was, you know, unreachable. But if you had good backups and recent backups and you had thoroughly tested and so forth, an organization could choose to not pay the ransom and restore their data from backup and go on their way. And so that was the operating principle that a lot of security teams and organizations used when they were talking about how to deal with ransomware. And that changed starting a few years ago. And that's when the ransomware proprietors started adding another tactic. And like you said, it led to what's called double extortion ransomware, where they're not only encrypting the data now, but they're also exfiltrating it. And so that does change kind of the response for security teams because it's not enough to simply be able to restore from a backup and get your business operating again. Now you have to be concerned about the loss and the public exposure of the data that they were able to exfiltrate while they were encrypting it. 

Dave Bittner: And so where does that put organizations these days in terms of, you know, best practices to protect themselves? 

Nathan Hunstad: So it's still incredibly important to have those backups in place and to regularly test them. It's not enough to simply say that you've backed up the data. If you're not testing your restoration processes, then you don't know how good your backups are. So that remains, I'd say. What is new is dealing with the data exfiltration side of it, because this really needs to be treated as any kind of data exfiltration event. And so knowing what data was taken, knowing what the sensitivity of that data is and knowing what legal or regulatory consequences there are to the public release of that data is something a security team also needs to keep in mind when they're dealing with these kinds of attacks. 

Dave Bittner: Can you walk me through some of the specifics of that? I mean, if I'm in an organization and I receive, you know, a notice from one of these ransomware groups and they say, hey, you know, guess what? We've taken a bunch of your data. And if you don't pay us, we're going to start releasing it. First of all, how do I know that they're telling the truth, that they're just not trying to, you know, put one over on me to get me to write them a check? 

Nathan Hunstad: Yeah, that's a really good question. That's where you're likely going to want to engage a forensic investigator, if you don't have those skills within your own security team, to look for those indicators of compromise. And most likely, if they are telling the truth and not just trying to pull a fast one on you, you will see that evidence of encrypted data in your environment. From there, you need to talk with asset owners and the business to understand, all right, what's in that encrypted file? What's the value? And where do we take it from here? 

Dave Bittner: Yeah, so, I mean, it really becomes a risk conversation, then, I suppose. Is it - I mean, is that a fair way to say it? 

Nathan Hunstad: Yes, absolutely. And the risk is much more open-ended than it is with just a simple, you know, denial of service or business interruption kind of ransomware case where you may be down. Your servers may be inoperable. But if you can restore from backup, you're basically to the point where you were before the ransomware attack started. With this double extortion ransomware, that's not the case. You can still be up and running from a business and operational perspective. But the risk is still there with regards to the possibility that that data may be publicly exposed. So it is much more of an open-ended risk conversation that security teams need to have. 

Dave Bittner: You know, I've heard folks talk about using some technology to try to mitigate this sort of thing, you know, having - encrypting everything, you know? All of our data, even while at rest, is going to be encrypted. We'll decrypt it on the fly for our own use. And that way, if someone takes something from us, it'll be useless to them because we've already encrypted it. Where do we stand with that? I mean, is that a practical solution that folks are actually adopting? 

Nathan Hunstad: You know, I think that there are some benefits to that kind of solution. But it's certainly not something that I've found has been easily implementable across an organization. For very narrow and, probably, you know, your most sensitive or the data that has some regulatory requirements around it, taking that approach can help to some extent. But at the end of the day, the data has to be decrypted somewhere for it to be useful. Whether it's, you know, in a downstream system, whether it's an analyst doing some kind of, you know, just business-related work on their end point, the data is going to be unencrypted somewhere. So that kind of approach isn't going to work to completely mitigate the risk. 

Dave Bittner: And so what are organizations to do? I mean, what are your recommendations as you're out and about, consulting with people, you know, working - collaborating with your own colleagues? What sort of advice are you putting out there? 

Nathan Hunstad: Yeah. So the good news is that there are things you can do to help mitigate this. And it does really come down to a lot of the security fundamentals, so things like an asset inventory and knowing where all the data is in your environment and who's responsible for that data. So that can be a daunting task, depending on the size of your organization. But it's not something that's impossible to do - so talking with your business partners, putting this as part of your business continuity and disaster recovery planning or tabletop sessions, to sit down and ask, all right, what data does your business process use? Where is it? - drilling down into important details, like, does this data exist on user endpoints? Is it only a server? Where does this data travel, and what other business applications does it go through? 

Nathan Hunstad: So once you have that kind of high-level inventory and some of those process and data flows of the data in your environment, then you can do two things. You can identify any gaps in your security controls where there may not be the appropriate security visibility to data in certain applications, for example. And if you ever find yourself dealing with one of these double-extortion ransomware attacks, you'll be much more certain of the data that was actually taken. And then you can have that informed risk discussion with the people within the organization who need to be a part of that. 

Dave Bittner: Can we touch on reputational damage here? - because it strikes me that - you know, there are a couple elements here. I mean, obviously, there's the extortion of the data itself, if the bad guys start releasing the information that they took from you. But it seems to me like even just the fact that they could make a public disclosure that you were breached at all could potentially have reputational damage. 

Nathan Hunstad: Yes, absolutely. With double-extortion ransomware, the reputational hit is much more significant than with the more old-fashioned, you know, business interruption kind of events around ransomware. So the fact that you did get hit with ransomware and you did lose control of your data can be a very significant reputation hit. So that's something that, again, organizations should keep in mind as they're having those risk decisions and maybe have some kinds of remediation plans in place or at least talk with the appropriate people in the organization to determine, how would we deal with this kind of reputational hit? 

Dave Bittner: Yeah, it's a really good point. And I suppose it emphasizes the idea that, you know, being in the middle of an event like this is not when you want to be making those decisions. The importance of preplanning, of having those plans in place ahead of time - boy, it's hard to underestimate that, right? 

Nathan Hunstad: Absolutely. And, you know, if you're not including a ransomware scenario in some of your incident tabletop exercises or your BCDR planning, you absolutely should because, like you said, you don't want to be making these decisions while you're dealing with an incident, under the gun with the clock ticking. It's a lot easier to do a tabletop, sit down, game out one of these attacks and then, without any pressure, have that frank and open discussion about what went well, what went poorly, and how can you prepare your organization just in case it actually happens. 

Dave Bittner: Nathan, I mean, do you think that we are in a place right now where if an organization puts the right things in place, if they do the work ahead of time, can they go forward with confidence that the odds of them being hit by something like this and it having a significant impact are relatively low? 

Nathan Hunstad: You know, it's hard to say that because the landscape is changing day to day, and there are new vulnerabilities that are exploitable on a weekly basis. I don't know how many times I've had to update Chrome, for example, this year... 

Dave Bittner: Right. 

Nathan Hunstad: ...Due to zero days. So it's really tough to be able to say that if you have the right protections, you'll have a low probability of being hit. What I think you can say, though - that if you have the right protections, you'll feel a lot better about how you'll actually deal with it if it happens, and you will have planned this out. You'll have a playbook, and you won't be making decisions, you know, on the fly and making mistakes that could be avoidable. 

Rick Howard: We'd like to thank Wayne Moore, the CISO for Simply Business, and Nathan Hunstad, the deputy CISO for Code42 for coming on the show to help us understand how security leaders are thinking about double-extortion ransomware. 

Rick Howard: "CyberWire-X" is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague Dave Bittner, this is Rick Howard signing off. Thanks for listening.