According to a recent report by global insurer Beazley based on its customer data, in the first half of 2020 the total cost of ransom payments doubled, as did the number of ransom demands paid, compared with the same period in 2019. Ransomware is a form of malicious software (malware) that blocks user access to a device or files, usually by encrypting them, until the victim pays a ransom. Once a victim's files are encrypted, the attackers display a screen or webpage explaining how to pay the ransom (in digital currency, such as Bitcoin) in exchange for the decryption key that unlocks the files. Although ransomware has been around for decades, it has become increasingly prevalent, and with so many variants available it can now be rented on a subscription basis (Ransomware-as-a-Service), allowing even novice cyber criminals to launch attacks. Ransomware is traditionally delivered through phishing emails, through exploit kits that attack software vulnerabilities (for example, when a victim visits a compromised website), or bundled with pirated or "free" versions of software.

According to the report, recent trends indicate that ransomware incidents are becoming more complex than the traditional attack, in which an employee is tricked into opening a malicious email attachment or link and the malware encrypts a workstation and its file shares. Today's incidents are more likely to involve threat actors who gain access to the network, establish persistent footholds, deliberately target the data backups so that recovery without paying is harder, and exfiltrate data so that they can threaten to publish it unless the ransom is paid. In other words, today's ransomware incidents increasingly combine the threat of data release with encryption (often called double extortion), rather than relying on encryption alone.

The report describes a recent attack against an automotive group hit with Egregor ransomware. The ransomware encrypted servers hosting employees' personally identifiable information (PII) as well as the backup systems for that information. The attacker was unable to obtain customer data, which was protected on a separate platform. Initial contact with the attacker was made through the automotive group's IT provider, and the initial extortion demand was nearly $500,000. The attacker provided proof that it had exfiltrated employee data. The automotive group obtained the assistance of legal counsel, a third-party forensic firm, and a ransom negotiator. Forensics confirmed that the infection most likely began with a malicious email sent from a compromised email account outside the organization. The negotiator was able to reduce the demand to $50,000, and because the backups had been compromised, the organization decided to pay the ransom in exchange for the decryption key. It received the key and was able to return to normal operations. The attacker also stated that it had deleted the exfiltrated data, a claim the victim has no way to verify.

While the automotive group in this example regained access to its data and received the attacker's assurance that the stolen data had been deleted, for approximately one-tenth of the original demand, this is not always the case. The report points out that in some cases stolen data was posted before the extortion demand was paid, and in others the same attacker re-extorted the victim weeks later. Additionally, in some cases attackers sold network access or the stolen data on the dark web.

The report recommends a multi-layered approach to protecting against ransomware, including employee training to recognize phishing emails; managing and minimizing access to systems across the organization; securing remote access; establishing secure, offline backups that the malware cannot reach or alter; encrypting data at rest; monitoring for network intrusions; and staying current with security patches for systems and applications. Implementing these controls, and others, improves a business's ability to withstand this growing threat.
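The monitoring and backup points above are easier to reason about with a concrete detection in hand. The following Python script is an added example, not code from the Beazley report or from WRVB. It scans a constructed stream of file-activity events (the hostnames, process names, paths, content samples and thresholds are all illustrative assumptions, not real telemetry) and flags the two behaviours the report describes: a process rewriting many distinct files with encrypted-looking, high-entropy content inside a short window, and a process other than the designated backup agent deleting or overwriting files under a backup location.

```python
"""Added example (not from the report): heuristic detection of ransomware-like
file activity over a constructed event stream.  Thresholds are assumptions."""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_FILES = 5                    # assumed: distinct high-entropy rewrites per window
ENTROPY_THRESHOLD = 7.5          # bits/byte; encrypted or compressed data is near 8.0
BACKUP_PREFIXES = ("/backup/", "/mnt/nas/backups/")   # assumed backup locations
BACKUP_AGENTS = {"backupd"}      # assumed: the only process allowed to touch them

MASS_REWRITE = "mass high-entropy rewrite"
BACKUP_TAMPER = "backup tampering"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Return sorted (host, process, reason) alerts.

    Each event is (timestamp, host, process, action, path, content) where action
    is 'write' or 'delete' and content holds the bytes written (b'' for deletes).
    """
    alerts = set()
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path) for high-entropy writes
    for ts, host, process, action, path, content in sorted(events, key=lambda e: e[0]):
        key = (host, process)
        # Rule 1: anything but the backup agent modifying or deleting a backup.
        if path.startswith(BACKUP_PREFIXES) and process not in BACKUP_AGENTS:
            alerts.add((host, process, BACKUP_TAMPER))
        # Rule 2: a burst of distinct files rewritten with ciphertext-like content.
        if action == "write" and shannon_entropy(content) >= ENTROPY_THRESHOLD:
            q = recent[key]
            q.append((ts, path))
            while q and ts - q[0][0] > WINDOW:   # slide the window forward
                q.popleft()
            if len({p for _, p in q}) >= MIN_FILES:
                alerts.add((host, process, MASS_REWRITE))
    return sorted(alerts)


# Constructed sample events (not real logs).  Uniform bytes give entropy of
# exactly 8.0 bits/byte, mimicking ciphertext; the text sample stays far below.
T0 = datetime(2020, 6, 1, 9, 0, 0)
TEXT = b"Quarterly sales report, draft 3. Totals are attached below.\n" * 8
CIPHERTEXT = bytes(range(256)) * 4

SAMPLE_EVENTS = [
    # Benign office activity on ws-17.
    (T0, "ws-17", "winword.exe", "write", "/home/alice/report.docx", TEXT),
    (T0 + timedelta(seconds=5), "ws-17", "winword.exe", "write", "/home/alice/notes.txt", TEXT),
    # The backup agent writing one compressed archive: high entropy, but a
    # single file and an allowed process, so no alert.
    (T0 + timedelta(minutes=2), "fs-01", "backupd", "write", "/backup/daily/fs-01.tar", CIPHERTEXT),
    # Unknown process deleting a backup before encrypting.
    (T0 + timedelta(minutes=9), "ws-22", "update.exe", "delete", "/mnt/nas/backups/hr-2020-05.tar", b""),
]
# Six employee files rewritten with ciphertext within 15 seconds on ws-22.
SAMPLE_EVENTS += [
    (T0 + timedelta(minutes=10, seconds=3 * i), "ws-22", "update.exe", "write",
     f"/srv/hr/employee_{i}.xlsx", CIPHERTEXT)
    for i in range(6)
]

if __name__ == "__main__":
    for host, process, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {host} {process}: {reason}")
```

Entropy alone is a weak signal (archives, images and legitimately encrypted files all score high), which is why the example requires a burst of distinct files from one process and treats any non-agent access to the backup location as a separate, unconditional alert. In a real deployment the events would come from an EDR or file-audit feed, and the alerts would feed the intrusion-monitoring process the report recommends.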

Businesses hit by ransomware shouldn't go it alone. The professionals at WRVB can help your business prepare for and respond to a ransomware attack. Contact us for more information.