“Cyber Insurance Insights” is a Blog Series that shares ideas, advice, and experiences from the BlueVoyant Professional Services team. The blogs discuss the lessons learned from assisting clients navigate post-breach insurance claims and pre-breach preparation.
Ransomware is a highly technical deployment of an ancient interpersonal crime: extortion. Since its advent, cybercriminal organizations and security personnel continue to play a game of cat and mouse at the front lines of technology. However, as much as the details may change, the core dynamic of this crime remains the same: criminals steal something of great value and demand payment in exchange for its return.
As organizations improve their ability to respond successfully to ransomware attacks, cybercriminals too will change their methods. For example, organizations are increasingly aware of the importance of implementing offline, routinely updated system backups. Subsequently, when hit with ransomware, they can ignore demands for ransom and simply restore their operations from backups after wiping everything clean. This is undoubtedly an inconvenience, but far superior to paying several hundred thousand dollars in bitcoin to an undeserving overseas criminal organization.
Threat actors have long tried to foster urgency in their ransom demands. The innovation of countdown clocks within ransom notes was notable. If victims didn’t pay within a certain time period – stressfully shown counting down by the minute – the ransom amount would double, then triple, and so on. Now, however, we are seeing an interesting and frightening new development that may represent the cutting edge of ransomware extortion: the leak. There have been no definitively proven cases of this tact so far, but rumors and insinuations suggest there are now ransomware attacks whereby attackers threaten to release sensitive organizational data to the public in order to incentivize swift payment of the ransom.
This strategy may have caused the October intrusion into Johannesburg, South Africa’s municipal system, and more recently, news sources reported that the Maze cybercriminal organization leaked 700 MB of data it stole from Allied Universal in November this year. That group told cybersecurity researchers they stole 5 GB of Allied Universal’s data and they will provision the remainder to Wikileaks if the California-based security firm refuses to pay the 300 bitcoin ransom. Maze are not the only cybercriminals experimenting with this tactic. MegaCortex is a known version of ransomware, however a new variant was recently released that changes passwords on infected machines and threatens to publish the ransomed data if payment isn’t made. According to cybersecurity researchers at Bleeping Computer, this is the threat excerpted from the ransom note:
“We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public. Once the transaction is finalized all of copies of data we have downloaded will be erased.”
The transition to the threat of publication is key because it undermines the tried and true solution for prepared organizations – data restoration from backups. In this scenario, even if you can wipe and rebuild your system, attackers could potentially still publish your customers’ payment card information (PCI), your patients’ private health information (PHI), or whatever other sensitive data you may have in your care. These variants also instruct the victim to contact the ransomer for the price of the decryption keys. In theory, an attacker could appraise the value of the exfiltrated data after successfully coercing the victim to the point of negotiation.
At the time of this writing, there is no proof that the exfiltration of data has been successfully implemented in a ransomware scheme, but it remains a troubling possibility. Also, underreporting of events is still a major problem in the field of cybersecurity because of the reputational damage it can unleash, so therefore we may be unaware of the already-successful use of this tactic.
In this evolving game of extortion, data exfiltration and the threat of its release may be the next offensive move by the ransomware criminal enterprise.