Ransomware: we’ve all heard about it, but most of us don’t really understand what it is or how it works. In the beginning, ransomware was malicious software that blocked access to your data, usually by encrypting it, and then demanded a ransom to restore that access. If you paid the ransom, the attackers promised a decryption key that would make your data usable again. Many companies that did pay discovered that the decryption process had no quality control behind it, or was never intended to work in the first place, and it failed to recover their data.

Many businesses refused to pay for recovery and simply restored their data from backups. That meant the intruders had to take it to the next level. They started living within your network, learning how your systems worked and where your backups were. The attacks became strategic, often taking weeks or months to execute. Experts estimate that the average compromise was resident for over 200 days before execution. Imagine the extent of the damage that can be done, and how limited your recovery options become, when a bad guy knows your environment as well as you do.

All that effort to compromise systems led to backup solutions evolving to become more tamper resistant and resilient to compromise. Backup systems could be isolated from the production network and protected with separate credentials and multifactor authentication. Companies that focused on protecting their data had options to be better prepared against these attacks.

Then came the next evolution: data exfiltration. Now the focus wasn’t simply on encrypting the data but also on copying it offsite. Once they had copies of pertinent data, they could demand a ransom and threaten to release the data publicly, revealing confidential company information, trade secrets and customer information. Where this gets even worse: if you refuse to pay, they turn around and extort your customers or patients directly.

Even if you do pay, it is likely you aren’t out of the woods. As an FBI agent I was working with on one ransomware case said, “Crooks are crooks and you can never trust a crook.” This is clearly evident when looking at examples where the crooks took the money and still used the data.

Today, ransomware has become a distributed network, Ransomware-as-a-Service if you will. First there are experts who know how to compromise the network. These are the people who craft the links you aren’t supposed to click in emails and who write the software that gives them remote access. Once they are in, they grab some data to prove they have access, then post information about the compromised business on the dark web. Once established in the environment, they sell that access to others. There are two primary groups that purchase corporate access: those that encrypt and those that exfiltrate.

Now you have two autonomous parties that both have a financial investment in your compromise. You’ll receive ransom demands from both, and neither of them has any interest in your negotiations with the other. As noted above, paying the ransom has its own risks and may not have a return.

Ransomware is a significant risk to today’s corporate world. It is highly profitable, with most ransoms running to multiple millions in bitcoin equivalent, and it has become easy to deploy. This threat will get worse long before it gets better.

Olsen Consulting is ready to answer your questions and help you be more resilient against ransomware and other security threats. Let us know how we can help today!