Threat actors are targeting SMEs with ransomware attacks more than ever before. We are seeing a broad range of organisations - universities, small IT companies, law and marketing firms - hit by the malware. There appears to be a distinct shift from “spray and pray” ransomware operations to a more strategic approach: attackers are gaining access to systems through unpatched and zero-day vulnerabilities alongside traditional methods, and then encrypting databases they know are vital to business operations.
Unfortunately, organisations are still making the same mistakes. Although it is easy to blame the victim who falls for the common entry attacks like phishing, we are still seeing a lack of basic security preparedness: existing vulnerabilities are not being addressed, backups are not being routinely carried out, and online backups are getting encrypted due to poor implementation practices; further, multifactor authentication (MFA) is not being enabled until after the attack and, in some cases, not even then.
There are some excellent projects that try to combat successful ransomware attacks – such as No More Ransom! – but the vast majority of campaigns that we are seeing involve new variants where there are no available cracks or off-the-shelf encryption products to deal with them. In most cases, if your organisation falls victim to this sort of attack, the only option is to pay up.
Ransom payouts to recover data can be steep. In 2017, for example, South Korean web provider Nayana was infected with ransomware that hit 153 of their Linux servers; the attackers demanded 550 BTC to release the files. Ultimately, the company was able to negotiate the price down, but not before parting with nearly $1 million. To this day, that is the largest known ransomware payment, though current intelligence would suggest that such huge sums being handed over might not be so rare, and are perhaps kept out of the mainstream to avoid due scrutiny.
Although we are not seeing anything like attacks of this magnitude when dealing with SMEs, it is not uncommon to come across ransom demands of between 20-30BTC, with some going up to 100BTC, depending on the value of the data.
While is still possible to carry out negotiations and reduce the payment, threat actors know who they are dealing with. They attach identifiers to systems for the purposes of decryption, but they also understand the importance of the data to business operations and what it means to victims to recover it.
They are also beginning to understand that insurance companies are covering ransom payments: if you fall victim to this crime, it will not be easy for you to pretend you don’t have the money demanded during a negotiation. The attackers have a ready list of insurance companies that can assist in any region worldwide.
Most ransomware threat actors work as part of a larger group. They are well organised and structured internally – just like any other business. During negotiations, you will often be met with “I’ll have to ask my boss” in order to get confirmation of concessions. They will even offer tech support if you find yourself struggling to decrypt your systems.
It is also not all about ransomware. We have seen cases where data has been stolen and copied to proxies for proof. This puts the victim in a very difficult position, especially if they are running a business with clients who have provided personally identifiable information. Here, you are at the mercy of the attackers, and there is not usually much room for negotiation. If you don’t pay, they go public or start contacting exposed clients, certainly putting your business in jeopardy from both a reputational perspective and in terms of GDPR compliance.
In nearly every case we have observed, the vast majority of attackers have been true to their word: they will hand over the decryptor or otherwise destroy the data they have stolen if their ransom demand is met. Again, ransomware campaigns are a business, and if word gets out that a particular actor is not holding up their end of the bargain, then their operation will not be sustainable.
It does not take that much of an effort to get an operation up and running with a plethora of ransomware-as-a-service products being offered across a number of different Darknet marketplaces. See this example:
Ethically and legally, where do we stand with ransom payments? The US government has recently come forward to say that those organisations paying out ransoms to recover their data may be in danger of violating sanctions if money is going to certain countries, such as Iran and North Korea. These are two nations we know engage in cybercriminal activity and are more than likely behind at least some ransomware operations.
It is worth noting that these sanctions may also affect non-US businesses and individuals, and this presents further problems for a company considering circumventing the ban by employing a non-US third-party to conduct ransom payment negotiations. Both could well be left open to hefty fines.
In November 2018, for example, two Iranian hackers, Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of facilitating digital currency (Bitcoin) payments on behalf of Iranian cybercriminals allegedly involved in SamSam ransomware attacks. The US Department of Treasury wrote: “As a result of today’s action, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions. Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”
But beyond this, organisations that decide to pay ransom demands may be unwittingly funding cybercriminal operations that use their profits to build up their own capability and may even have ties to terrorist groups.
Prevention is key! It is of critical importance to maintain backups, have vulnerability management in place, ensure adequate access control, and implement MFA across all your systems, including email accounts. In addition, you should run awareness exercises within your organisation so that your employees can recognise a phishing campaign and hopefully prevent you from being faced with the hugely damaging consequences of a ransomware attack.