Learn How Ransomware Attacks Have Changed - And How Response Needs To, Too

This blog was originally published by Mitiga here.

Written by Ariel Parnes, Mitiga.

Ransomware keeps hitting the news these days, filling headlines with stories about organizations struggling with disabled IT systems, inaccessible patient data, unavailable Wi-Fi, and general confusion. Ransomware isn’t new, however. The concept of ransoms is very old, and ransomware itself dates back to 1989. When people think about classic ransomware, sometimes called crypto-ransomware, it’s typical to remember the version of ransomware from the mid-2000s, when attackers started to use more sophisticated encryption to essentially hold an organization’s data for ransom. The availability of cryptocurrency for paying ransom increases the anonymity of ransom payments and is the preferred method of payment for any type of ransomware attack. Today, organizations are facing an evolving threat, modern ransomware, also called double extortion ransomware.

What does classic ransomware involve?

A classic ransomware attack is less advanced than newer versions. While it does involve some level of access to an organization’s data, so cybercriminals can encrypt it and hold it ransom, it doesn’t require that threat actors maintain long term persistent access to the network. The attacker only needs enough time to deploy the encryption payload and begin running it. Classic ransomware is straightforward and involves an attacker taking a few basic steps:

1. Get access to data
2. Encrypt it
3. Demand payment
4. If paid, provide encryption keys

Once an organization has the encryption key, it can usually restore the data. Classic ransomware attacks are usually not very complex. Once a malicious actor gains access to data and presents a ransom request, the key determination that the leadership team needs to make is simple: is the cost of recovery greater than the cost of the ransom? If not, it’s time to proceed with recovery plans. Most organizations have backups available to help in case of a data loss, whether that’s due to hardware or software failure, corrupted data, or a malicious attack. If it’s easy for an organization to restore their data and it will cause minimal business disruption, most will choose that option. Some organizations may not need the data and can easily start without it. This is another reason to forgo paying in the case of classic ransomware.

If recovery isn’t a simple matter, many organizations choose to pay the ransom. An organization may choose this if there are no backups, if it would take too long to restore the data, or if the attacker was able to encrypt the backups as well. Once the ransom has been paid, attackers provide the encryption keys, and all the data is almost always restored. Cyber criminals have a “code of conduct” and their “credibility” is part of their business model, otherwise organizations will not pay the ransom and the criminals won’t have a profitable business. In this case, the organization can return to business as usual fairly quickly.

What needs to be done in a classic ransomware scenario?

The first thing any organization can do to help reduce the potential impact of a classic ransomware attack is to prepare, primarily by having reliable backups (ones that are secured and separated — and difficult for an attacker to access) that cannot be encrypted and can be accessed by the organization during a crisis. When responding to a classic ransomware attack, an organization needs to take several steps, based on the incident response framework by the National Institute of Standards and Technology (NIST).

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

• Identify: map what data was encrypted and what data was not encrypted.
• Contain: stop the spread of encryption, if possible.
• Eradicate: remove any malware from the system, using appropriate tools.
• Recover: either by restoring from backup or by paying the ransom.
  Rarely, it’s possible to decrypt data without the attacker’s help, but only if attacker made a mistake in the encryption process, there was a weakness in the encryption, or the attacker left the encryption key somewhere.
• Review Lessons Learned: based on any investigation following the ransomware incident, organizations review security controls to ensure the same attack can’t happen again, put backups in place, and perform security exercises to prepare for the exploited flaw.

One could argue that investigation is sometimes not considered a “must” in the case of classic ransomware attack. Organizations typically focus on restoring systems and improving security. Investigating exactly what the attacker did and how they got access to the data might not be seen as a priority. Investigation is difficult to conduct and costly in terms of both time and money, so most organizations focus on recovery and improving security controls. Is it possible to improve security without knowing what the attacker did? Some organizations believe it is, while others do not. In the case of a very simple attack, simply searching for doors and closing them, without considering other avenues of attack or improving incident readiness may be sufficient.

What does a modern ransomware attack involve?

This more recent type of cyberattack significantly changed the ransomware scene. Modern ransomware attacks also encrypt data, but in this case, cybercriminals also include a phase where data is stolen from the network, to be used for a second extortion or to gain leverage in getting the ransom paid if the data encryption is not sufficient to motivate payment. Once again, preparation is critical. Backups are still important, because they help with other data loss issues, and accessible backups can make a critical difference between a rapid recovery and a slow, painful return to business. Once a modern ransomware attack begins, the steps change somewhat:

1. Get access to data
2. Exfiltrate data (steal the data and make a copy of it)
3. Encrypt the data
4. Demand ransom payment in cryptocurrency for decryption and to prevent release of sensitive data
5. If paid, provide encryption keys

Once an organization has the encryption key, it’s usually possible to restore the data. These modern ransomware attacks are usually more complex. Once attackers infiltrate a system, they often sit and wait, choosing to make the ransomware attack at a time that’s to their advantage. Cyberattackers may also use system access to make lateral movements, accessing additional resources and data sources. They use the time to find new exfiltration channels. Criminals are using advanced persistent threat techniques to extort organizations, including those in the supply chain and in critical infrastructure.

What needs to be done in a modern ransomware attack?

During this type of attack, leadership teams need to make difficult decisions very quickly. Because of the nature of double extortion attacks, the calculation of the cost of recovery compared to paying the ransom is different. It’s no longer a question of whether the data can be decrypted, but also the consequences if the data is released.

It’s still essential to determine quickly what type of data was breached and how much data has been encrypted, but now incident responders must determine how much data (and which type of data) was exfiltrated and is now in the hands of threat actors. Backups still play a role in a modern ransomware attack, particularly complete backups of essential forensic data that are secured for investigation. Rapid investigation leveraging forensic data is critical to making difficult decisions quickly during a crisis. To make the decision whether to pay in a double extortion attack, there’s a different implementation of the phases outlined by NIST. When responding to a modern ransomware attack, an organization needs to change the focus somewhat for each phase:

• Identify: map encrypted data, but also understand the attack flow, what data the attacker was able to access, what data was exfiltrated, and how. If an attacker encrypts the environment, stole sensitive data, and published some of it as a proof of concept, it’s critical to know whether the attackers have all the data or just some of it. It’s impossible to answer that question without doing a thorough investigation.
• Contain: stop the spread of encryption (if possible), but also notify appropriate parties to contain the impacts of the second extortion: the release of sensitive data.
• Eradicate: remove the existing access and assets of the attacker. It’s not unreasonable to assume the attackers have access to an organization’s internal network when they are negotiating the ransom. Does the criminal know what discussions are taking place internally? It’s essential to close the doors, because the cybercriminal might have a tunnel into systems and can keep stealing data or attacking the target.
• Recover: either from backup or by paying the ransom. Once again, it’s occasionally possible to decrypt without an attacker’s help, but it’s not a ransomware readiness strategy.
• Lessons Learned: based on the investigation following onset of attack, incident responders review security controls, backups, and conduct security exercises to prevent future attack. Storing forensic data storage immensely improves the ability of incident responders to investigate in case of future attack and radically increases incident readiness, response, and recovery. It also improves an organization’s resiliency.

During a modern extortion attack, executives in an organization need to consider notification requirements, what regulation may come into play based on the data lost, how loss of data will reflect on the company reputation (and how to handle the public relations challenges to come), how, and how quickly it can pay the ransom. Leaders must consider the risks when deciding not to pay the ransom, what types of risk they are, and whether restoring from backup could solve the problem.

Comparison of classic and modern ransomware

Ransomware readiness has changed

Modern ransomware requires a different approach in terms of readiness. Advanced persistent threat actors are ready to compromise zero- and one-day vulnerabilities, acting quickly to compromise organizations worldwide through double extortion ransomware attacks. While classic ransomware attacks may not have required in-depth investigation, modern ransomware attacks do require it. Investigation is essential, because it’s no longer just about recovery, it’s about risk management. These types of ransomware attacks have increased rapidly recent years, even as regulations have become more stringent about data breach notification requirements. It’s essential to understand what an attacker was able to do as quickly as possible, so executives can decide how to respond and manage the risks related to the attack, such as notifying the appropriate regulatory authorities, customers, clients, and the public (if necessary) quickly. Making those decisions without sufficient information makes it impossible to maintain the confidence of the board of directors, shareholders, and customers.