Data Thieves Raise the Stakes for Ransomware Defense in 2020
In analysis / By Stephen Peak / 13 January 2020
Whilst most of us were relaxing over the extended Christmas break, one group was hard at work. Ransomware attackers have caused chaos and disruption across the globe over recent years, but in the past few weeks we’ve seen the emergence of a new spin on the business model that has worked so well for so long. As we enter a new decade, UK businesses must now combat the risk of hackers stealing sensitive corporate data before encrypting it.
It will raise the stakes significantly for IT security teams and demand a keener focus on preventative strategies, rather than relying on “backup and be damned”. With big-name firms like Travelex already under attack, there’s no time to hang around.
An Insurance Policy
Data theft and ransomware are nothing new. In the past, ransomware has been used by threat groups as a smokescreen designed to cover their tracks after a major information heist. Wiper variants like GoldenEye, LockerGoga and Shamoon, and MBR-encrypting ransomware, help to do this by destroying any forensic evidence that might otherwise help investigators. One notable example was the ONI ransomware used to conceal a sophisticated hacking operation targeting Japanese companies back in 2017.
However, what we’re seeing today is a new tactic, in that data theft is being used almost as an insurance policy for the ransomware authors. Now, cyber criminals often threaten victim organisations that they’ve compromised, claiming to have access to all sorts of sensitive material that they’ll release if a ransom isn’t paid. But little has come of such threats, until now. Over recent months, researchers have uncovered multiple ransomware strains — including Zeppelin, REvil (aka Sodinokibi), Snatch and Maze — that contain data-stealing functionality.
Companies Feel the Pain
In short, the gloves are off. The bad news is that we’re already seeing victim organisations that have had internal data published by ransomware attackers in a bid to force them to pay up. The group behind the Maze variant appears to be the most prolific at present. In November last year, they released 700MB worth of data and files stolen from security staffing firm Allied Universal, which the group claimed was just 10% of the total it lifted from the firm prior to installing ransomware on its network.
The group has since gone on to launch a dedicated website to publicise the “databases and private papers” from companies that “don’t wish to cooperate with us.” One such firm was US cable and wiring giant Southwire, which sought an injunction in the Irish courts to have the IP address blocked. It’s unclear whether such a move will work. Although the site was down at the time of writing, the Maze group could easily find somewhere else online to publish their stolen data.
Most recently, currency exchange giant Travelex was reported to have been hit by the REvil variant, with hackers demanding a $3 million ransom or they’d release 5GB of stolen personally identifiable information (PII).
What Does This Mean?
All of which leaves CISOs with a difficult challenge as they start the new year. They face a growing risk of data-stealing raids that could imperil customer data, sensitive IP and internal documents. This exposes them to possible scrutiny by GDPR regulators and to additional legal, remediation/investigation and other costs associated with breaches. That’s not to mention the impact on corporate reputation.
In the past, even if a company succumbed to a ransomware infection, best-practice backup processes could save the day, enabling eventual restoration of data and systems after a certain period of operational disruption. Now that there is the added threat of data exposure, such demands can’t be ignored.
The bottom line is that corporate security teams must double down on ransomware prevention. Just as there’s no guarantee a ransom payment will result in the handover of a decryption key, there’s no way of knowing that any stolen data will be deleted after money is handed over. So, what should they do?
Ransomware attackers use a variety of techniques to compromise their victims, although phishing spam, RDP brute forcing and malvertising are the most common. Many aim to stay hidden after the initial infection, moving laterally inside networks in order to infect as many machines as possible before the alarm is raised. Fileless and “living off the land” techniques are often used to stay under the radar, while banking trojans like Emotet and TrickBot are also commonly deployed to gain a foothold on networks and spread wormlike inside them by using lists of common account passwords.
CISOs should therefore consider the following as a good place to start their ransomware resilience efforts:
- Automated risk-based patch management to reduce the corporate attack surface
- Security awareness training programmes for staff to help spot and stop phishing and improve password security
- Multi-factor authentication across all privileged accounts to prevent the spread of ransomware
- Network segmentation to lock down any infection
- Effective endpoint and network security tools from a reputable vendor
- Continuous network and user behaviour monitoring
- Partnering with a reputable managed service provider (MSP) with a well-regarded cyber security programme, to take the strain off stretched in-house IT teams
Ransomware infections soared by nearly 75% over the previous 12 months, according to a recent Bitdefender report. And organisations of all sizes are in the cross-hairs. With this latest evolution in tactics, cyber criminals have effectively called the bluff of companies refusing to pay up. Now they must consider whether serious data compromise is a risk they’re prepared to take, or if more time and effort must be spent on preventing attacks in the first place.