Categories
Security

Paying the ransom. Damned if you do, damned if you don’t

There isn’t a person on Earth who would argue that 2020 has been a good year for fighting viruses. Turns out, it’s also been a tough one for ransomware.

While ransomware attacks have been arguably ramping up since 2016, it was 2020 that rained expensive ransom threats down on companies from a wide range of increasingly dangerous and emboldened cybercriminal gangs. Ryuk, Sodinokibi, Maze, and others doubled down on their dastardly deeds by not only encrypting and withholding sensitive data, but threatening to make it public.

In a stunning end-of-the-year development, ransomware actors showed belligerent persistence by cold calling organizations that refrained from paying the ransom or targeting them with an angry Facebook ad campaign. Meanwhile, cybercriminals have increasingly been hanging onto the files of those that do pay the ransom for auction or re-exploitation. It seems like businesses are either damned if they pay the ransom, or damned if they don’t. So what’s the right move?

Ransomware authors push the envelope, emboldened by success

Ransomware authors are having a field day — or rather, a field year. In 2019, the average ransom payment was $41,000. A year later, it was $234,000, about a 470 percent increase. Ransom demands have skyrocketed in 2020, as have their frequency and potency. Even if organizations are following security best practices by ignoring ransom notes and restoring from backups, they can no longer claim victory. In fact, businesses can run into trouble whether they refuse to pay the ransom or pay in full.

Victims of ransomware attacks who don’t compensate their captors are now rewarded with a not-so-friendly phone call from cybercriminals, marking an escalation in tactics that include threatening to notify journalists of the breach or leaking data onto public sites. Ransomware gangs such as Maze, Ryuk, Conti, and Egregor/Sekhmet have been engaging in these cold calls as far back as August, often dialing from a call center and using a script. The callers make vague threats about continuing to monitor victim endpoints and issue an ultimatum: Pay up now or the problems with your network “will never end.”

To add insult to injury, the threat actors behind Ragnar Locker ransomware have cooked up a similar scheme, this time pressuring victims into paying via fraudulent Facebook ads. According to Brian Krebs, one such ad was taken out against Italian beverage company Campari Group, which had already publicly acknowledged a malware attack. Cybercriminals used hacked accounts to pay for the ads, which Facebook did eventually detect as a scam, but not before displaying them to thousands of people.

On the flip side, ransomware gangs are increasingly failing to make good on their promise of deleting stolen data once the ransom has been paid. Back in 2019, Maze introduced the idea of double extortion — ransoming data plus threatening to release it publicly — and other ransomware operators followed suit, dumping sensitive files onto data leak sites. Over the summer, Sodinokibi took this a step further. When threatening victims to pay up didn’t work, they began auctioning off their stolen data online, charging hefty prices to the highest bidder (often a competitor).

These tactics reveal an uncomfortable truth: There’s no way to tell whether a cybercriminal group has actually deleted the files they promise to delete after you pay the ransom. According to Coveware’s Q3 2020 report on ransomware, groups such as Sodinokibi, Conti, Maze, Sekhmet/Egregor, Mespinoza, and Netwalker are using fake data as proof of deletion or even re-extorting the same victim.

So, what’s an IT/security professional to do? The FBI has flip-flopped on its official position about whether organizations should pay the ransom, first staying mum on the topic, then stating unequivocally that the ransom should never be paid. For a while, many in the security industry were inclined to agree. But that’s a tough pill to swallow for individuals. Would you pay a $200 ransom to return your PhD thesis, which represents months of work? What about for pictures of your baby’s first year?

As ransomware actors become more and more aggressive — not just stealing data and threatening to release it, but interrupting operations in hospitals, schools, and cities — some in the security industry have changed their tune. There are many who believe that in rare cases, organizations should try to negotiate for their most important files back. An entire industry of ransomware insurance providers has popped up to provide companies with cover, should their files be ransomed for exorbitant amounts.

The long and short of it is there’s no one-size-fits-all answer when it comes to ransomware. Once again, the best defense against this threat is to avoid infection in the first place. If your security software doesn’t protect against the ransomware authors mentioned above, you may want to consider investing in additional protection.