We Predicted the Death of Ransomware in 2017. Oh, Time Machines.
We first wrote about Ransomware attacks in Tech Essentials in 2017 – back when a Bitcoin was valued at $1800 (oh, the good old days). The crux of the article was that many victims were paying their ransom to the cyber perpetrators, but they did not have an easy way to track and reconcile who paid, and many who did pay the ransom never got the decryption key to unlock their files. Imagine this happening in the analog world with kidnapping cases!
Without a level of trust between the ransom victim and the perpetrator, the whole system breaks down. Or, in other words, a dishonest system must rely on honest thieves. Fortunately, (or unfortunately) in recent times, ransomware proponents chose to target bigger entities and built professional teams to negotiate each ransom and its terms. Following the money, an industry of ransom victim negotiators popped up to negotiate on behalf of the victims to ensure the decryption keys were delivered after ransoms were paid. These keys were sometimes delivered with a “service level agreement” – a virtual handshake agreement that the ransomware hackers, after receiving the payment, would deliver the decryption keys (or delete before publication of the sensitive content stolen) and would not re-attack the same party for 90-days (‘benevolently’ giving the ransom payer 90-days to plug any cybersecurity gaps). After that 90-day term, the victim was fair game again.
The negotiators on both sides got to know each other (through their online personas and reputation to stick to the ransomware proponent’s service level agreement). Without some level of trust, ransoms would not be paid and this whole lucrative category of cybercrime would deteriorate.
Ransomware has since evolved. Now, the major brains behind the technology and the business model have started offering “ransomware-as-a-service”, which is essentially leasing out ransomware technology and knowhow to localized cybercriminals who each take the time to research their targets and then use this ‘licensed’ technology to do the heavy lifting. Of course, the ransomware brain trust receives a cut of all ransom collections.
What this means is that there are now cybercriminals everywhere with the computing power behind them to support their own nefarious attacks, and what do they do? They are focusing on (a) using phishing, LinkedIn, and other data mining tools to identify companies to target, (b) trying to glean whether they have cyber insurance sufficient to pay out any ransom claims, and (c) scaling the ransom payment so that it is affordable based on financial information that they have gathered about their target.
Ransom requests are ranging from a few tens of thousands of dollars to many millions, and they are getting paid as the cost to rebuild computer networks or having the business shut down for extended periods of time are far greater (perhaps lethal) to the business.
What does this mean to you? Ransomware entrepreneurs are out there looking for targets anywhere and of any size. They are savvy enough to do research first so as to learn about their targets: small and large organizations – even individuals. They may see greater value (after their research) in locking all of the computer files in a company’s core business operations, thus rendering the computer systems unusable. Or perhaps they may steal sensitive and/or embarrassing information and offer to expose it publicly.
All of this often starts with some access to company information — intercepting unencrypted email or luring unsuspecting staff to take some sort of action after receipt of an impostor email from a criminal posing as their boss. The more private you are with company data, the more sensitized your teams are about the inherent risks of email. Thus, all are less likely to fall prey to these schemes.
You hear me say ‘we’re here to help’ a lot, and we absolutely love helping our customers. Unfortunately, we can’t help you with ransom negotiations after the fact, especially if you were the victim of the massive attack on July 4th to thousands of companies in more than a dozen countries.
We can help you automatically sensitize your staff to e-security issues with the new AI-infused RMail and its in-the-moment training, and we can help protect your perimeter in ways that other email security gateway services cannot with RMail Gateway, which is often employed as an added security layer even with other email security systems already in place. It’s that good!
Ransomware attacks seem to be now feeding off themselves and will thus not be decreasing anytime soon. Please stay vigilant and know that we can help you proactively avoid being the next ransomware bullseye.