Not Your Father’s Ransomware

Bill Kine

Ransomware. It’s the devil that we know and despise. After all of these years, we certainly understand it: An attacker will trick an individual to click on a disguised link or email attachment, which will then trigger a download of malware onto the victim’s computer. Next, the exploit will encrypt all of the victim’s precious data, along with that of any other systems it can reach. After that, an anonymous website from a foreign country will demand a few bitcoins in exchange for the decryption key. 

Old School Ransomware: The good news is that we’ve seen this pattern over and over again, and we know how to deal with it. The first known ransomware attack occurred back in 1989 via floppy disc, and the victims had to mail $189 to a P.O. box in Panama in order to get the key to restore their systems. Since then, ransomware attacks have dramatically increased in frequency and potency, especially over the past decade. This has necessitated significant improvements in organizations’ cybersecurity technology and processes. Almost all users now have up-to-date anti-malware programs on their workstations, tablets, and smartphones. More importantly, all valuable data is periodically backed up so that it can be reliably restored in the event of a ransomware attack. 

A Sinister New Twist: In response to these rather straightforward defenses, ransomware has also evolved. There are certainly still a lot of attacks that follow the traditional chain of events described above, but over 50% of the major ransomware attacks in 2023 so far have been focused on data exfiltration. In other words, since most organizations already have the means to recover encrypted files, there is no incentive for them to pay for a decryption key. Instead, the attackers are now threatening to share, or even sell, their victims’ sensitive data on the dark web. 

Once a ransomware exploit is detonated within an organization, it will try to move laterally across various systems. In the process of doing so, it will collect multiple users’ login credentials, thus enabling it to access more and more vital data repositories. The malware will then copy the organization’s valuable data from these systems to a remote server controlled by the attackers. 
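Because the exfiltration variant described above copies data out of the network rather than merely encrypting it in place, backups alone do not help; defenders need to notice the copy as it happens. The following is an added illustration, not code from the original article: a minimal per-host outbound-volume baseline run over constructed flow records. The hostnames, byte counts and the 5x ratio threshold are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records (host, day, direction, bytes) for the example.
# Days 1-6 form a quiet baseline; on day 7 host "ws-17" pushes an unusual volume
# out of the network, the pattern a data-exfiltration stage would produce.
FLOWS = (
    [("ws-17", d, "out", 40_000_000 + d * 1_000_000) for d in range(1, 7)]
    + [("ws-17", 7, "out", 9_500_000_000)]
    + [("ws-42", d, "out", 35_000_000 + d * 500_000) for d in range(1, 7)]
    + [("ws-42", 7, "out", 38_000_000)]
)


def daily_egress(flows):
    """Sum outbound bytes per (host, day); inbound records are ignored."""
    totals = defaultdict(int)
    for host, day, direction, nbytes in flows:
        if direction == "out":
            totals[(host, day)] += nbytes
    return totals


def egress_anomalies(flows, baseline_days, check_day, ratio=5.0):
    """Return {host: multiple} for hosts whose outbound volume on check_day is at
    least `ratio` times their own median over baseline_days.  A per-host median
    is used instead of one global threshold so that a legitimately chatty server
    does not hide a normally quiet workstation that suddenly starts uploading."""
    totals = daily_egress(flows)
    hits = {}
    for host in {h for (h, _) in totals}:
        base = [totals.get((host, d), 0) for d in baseline_days]
        med = statistics.median(base) if base else 0
        today = totals.get((host, check_day), 0)
        if med > 0 and today / med >= ratio:
            hits[host] = round(today / med, 1)
    return hits


if __name__ == "__main__":
    # Expected: only ws-17 is flagged, at roughly 218x its baseline.
    print(egress_anomalies(FLOWS, range(1, 7), 7))
```

In practice the same comparison would be fed from firewall, proxy or NetFlow exports, and the baseline window and ratio tuned per environment.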

Exposing an organization’s data to the general public can have absolutely devastating effects. For example, a manufacturing firm’s future product plans, customer files, business proposals, and even employee records could all be posted to a dark web forum. If the victim doesn’t pay the ransom, this information could be auctioned off to the highest bidder, perhaps one of their competitors. Even worse, financial firms could have their clients’ information compromised, including account numbers and credit cards. Hospitals – a favorite target for ransomware attackers – might see their patients’ medical records listed on the dark web. Or the attackers might expose the personally identifiable information (PII) of all of the children in a local school district. All of these threats tend to be (understandably) taken very seriously by the panicked victims. In many cases, including those of some recent high-profile municipalities, the victims end up negotiating and then paying the attackers. 

How To Move Forward: For the record, I absolutely NEVER recommend paying any form of ransom; this just encourages future attacks. Most law enforcement authorities also share this opinion. In fact, they often point out that even if the ransom is paid, there is no guarantee that the victim’s stolen data will actually be deleted or returned. Ironically, however, there does seem to be some “honor amongst thieves” – the attackers generally uphold their end of the agreement! 

Ransomware has grown and changed over the years. There are about 500 ransomware attacks per month, most of them targeting major industries, hospitals, or educational facilities. While many of these are traditional attacks which do, in fact, encrypt the users’ data and demand payment for the decryption key, a whole new generation of ransomware has emerged which is even more malicious. Instead of merely encrypting the data (or sometimes in addition to encrypting all of the data), the ransomware exploit will exfiltrate valuable information to a remote location and then threaten to expose corporate secrets, medical records, or even children’s personal information to the general public. 

New attack vectors require new and improved robust cybersecurity defenses. All organizations should certainly continue to deploy anti-malware programs on all of their connected devices. Beyond that, advanced threat prevention tactics are also critical. These include intrusion detection and prevention (IDP), file scanning and sandboxing (typically in the cloud), strong passwords, and multifactor authentication. Equally important, though often overlooked, is user education – make the employees aware of phishing emails and other social engineering tactics that the attackers often use to deliver ransomware. And finally, have an outside expert test and review the organization’s whole cybersecurity infrastructure. 
