“Attention! Your files are encrypted and currently unavailable.” Cybersecurity Ventures estimated that by the end of 2021 an organization would read some variation of these words in a ransom note every 11 seconds. With ransomware still on the rise, and new approaches being adopted by numerous threat groups, it is only a matter of time before an organization is faced with the difficult decision of whether or not to give in to the ransom demand. Given this continuously evolving ethical dilemma of rewarding criminals for their behavior, what if a ransomware variant decided to demand a subscription? Let’s discuss!
Think back for a second to all of those classic mafia or generic crime lord “shake-down” movie scenes. You have a bad fella with a not-so-suspicious bag going from small business to small business taking their “cut” of that week’s profits. In their words they may be offering “protection” or a form of “insurance” as a service to these small businesses (either from other dangerous groups or from themselves), but we all know the blackmail that is really happening. In exchange for compliance with the malicious group, and a large cut of the profits, the small business does not have to worry about trouble. This manipulation tactic is consistently as cruel as it is effective. But what would it look like if ransomware threat groups attempted this approach, and would it ever work?
It is no ground-breaking realization that ransomware incidents have increased significantly by many measures over the past few years. Attacks are seemingly becoming more complex, occurring more frequently, affecting more systems, and demanding higher ransoms. According to Coveware and other sources, one of the more significant changes in attack methodology has been complementing file encryption with the exfiltration of data. Company ethics, viable backups, and U.S. Federal recommendations may make an organization more inclined to resist ransom payments. But would they risk having their data exposed to the public?
The primary reason ransomware campaigns are a favored attack method is because they are successful. Many studies show that some victims actually do choose to pay attackers in exchange for the decryption of their files. But if everyone were to suddenly stop caring about their encrypted data and stopped paying the ransoms, there would be no point in the threat actor’s efforts. This would likely lead to ransomware’s reign largely declining. That is, unless decrypting your files isn’t the only motivation to pay the ransom.
If these same organizations are suddenly threatened with bad publicity, fines, and potential notification obligations as a result of sensitive information being leaked, the threat actors have considerably better leverage. Even if a viable backup solution can replace the encrypted data component of an attack, an organization may still end up paying the ransom in order to put the thought of a data leak to rest.
Thank you for your payment….again
This brings us to our main point of discussion: suppose the threat actors decide to hold data for ransom and demand payment on an annual or monthly basis? At first this question may seem entirely ludicrous, but the hypothetical actually has some grounding in reality. Druva, a cloud data protection and information management company, reported that of 832 IT professionals surveyed between May and June of 2017, 50% of the organizations hit by ransomware had fallen victim multiple times. The thought of a single ransomware attack is crippling to an organization in itself. The thought of getting through the incident just to have another one knocking at your door is devastating. Repeat ransomware hits can happen for a number of reasons, but they mainly come down to two components: (1) a security gap that is still present and (2) proof that the organization will pay the ransom. As an example, if an employee commits fraud at their company to make a little extra money, doesn’t get caught, and nothing prevents them from doing it again, odds are they will do it again.
Now, in the case of ransomware, a criminal’s opportunity for recurrent attacks relies on being able to repeatedly get back onto an organization’s network (or hiding very well the first time). But with enough effort this can be prevented by system hardening. Closing exposed remote access to systems, deploying an Endpoint Detection and Response (EDR) tool, replacing compromised systems, and improving overall training and security posture could keep the threat actor from ever getting onto the network to encrypt data a second time. This is where the recent data exfiltration component comes into play. If a threat actor already has the data in hand from the first attack, there is really no need to get back onto the organization’s systems. The sensitivity of the data will likely not change over time, so its significance as leverage will likely not diminish either.
Regardless of any potential legal obligation, if an organization is willing to pay once to prevent reputational damage from data being exposed to the public, would it be willing to pay again? Or a third time? What about once a year? This can quickly become a perpetual blackmail scenario, similar to the mafia movies we spoke about earlier. The decision at this point truly is up to the victim and its evaluation of the ethical dilemma. In a world where a large share of widely used software packages have moved to a subscription model, could cybersecurity threat actors ever consider mimicking a similar approach? Is there anything preventing this? Tweet me or leave a reply and let me know your thoughts…