Here’s everything you need to know about ransomware


By Brian Fung and Clare Sebastian, CNN Business

The most critical moment of a ransomware negotiation usually happens long before the victim and the hackers discuss a price.

By the time the two sides start talking, hackers have already gained significant control over a company’s network, most likely securing access to sensitive account data, business contracts, and other key details of an organization. The more they steal, the more leverage they have.

According to cybersecurity experts, the only way for the victim to regain ground is to arm themselves with information about what the hackers actually stole and learn about the attackers’ past negotiating tactics.

That’s where professional ransomware negotiators Tony Cook and Drew Schmitt come in. Together, working for cybersecurity firm GuidePoint Security, the two negotiated dozens of ransomware payments on behalf of organizations held hostage by cybercriminals. Based on this experience, they have developed sophisticated profiles of many of the cybercriminal groups they have dealt with to help them gain the advantage at the negotiating table.

Some threat actors, such as the Ryuk ransomware gang, known for issuing astronomical payment demands, struck so often at one point that Cook said he began to suspect he was dealing with the same person on multiple occasions.

“If you know how they generally work, that tilts the scales a little more in your favor,” Schmitt said. “There’s a fair amount of strategy going on before you get to the negotiating table.”

The FBI and cybersecurity experts strongly advise against paying ransomware attackers, primarily because it encourages further attacks. “They know you’ve already made the decision to pay,” said Lior Div, founder and CEO of cybersecurity firm Cybereason, “and now it’s, like, making another decision to pay is easy.”

But a string of high-profile attacks this year has led to some mind-blowing payouts. When Colonial Pipeline was hit, forcing an early shutdown of operations that caused nationwide fuel shortages, it agreed to pay the DarkSide cybercriminal gang $4.4 million in cryptocurrency. Meat supplier JBS Foods paid $11 million to resolve a ransomware attack by the REvil group. And the same ransomware gang requested $70 million to unlock all the devices it said were affected in an attack on Kaseya, an IT service provider that indirectly supports countless small businesses such as local restaurants, accounting firms, and dental practices.

In 2020, according to blockchain analytics firm Chainalysis, ransom payments, typically made in cryptocurrency, totaled the equivalent of $416 million, more than four times the 2019 level. And the company has confirmed more than $200 million in payments so far this year.

The virtual negotiating table

A ransomware negotiation rarely results in a ransom demand being dropped entirely. But a successful encounter can be the difference between paying hundreds of thousands of dollars and paying millions, Cook and Schmitt said.

“Sometimes you can only get down to $10,000,” Cook said. “It really depends on what the actor sees he has and the negotiating tactics to get things done.”

As soon as a victim decides to pay a ransom and contacts their attacker, it sets off a clock that often leads to the publication of an organization’s stolen documents if the two parties do not quickly come to an agreement, they said.

The negotiations move fast. Many ransomware groups communicate with their victims using online chat and instant messaging tools. The tools are designed to be easy to use because, after all, criminals also run a business. They have an incentive to make the process of negotiating and paying as quick and easy as possible, in order to maximize profits.

Since many cybercriminal groups operate from foreign countries, chat negotiations make heavy use of Google Translate, Schmitt said. Terse, one-word or one-phrase messages from hackers in broken English are the norm. Despite the language barrier, many negotiations end in 10 to 15 exchanges.

This is why it is so essential for hacked companies to promptly investigate their own systems before finalizing the ransom payment. Victims need to be able to credibly state, “No matter what you think you have, it’s not worth that much money,” Cook said. And victims cannot say that unless they have a good understanding of what they have lost control over.

This argument can still backfire if hackers know they’ve obtained really sensitive data – like trade secrets or financial data – that a company can’t afford to make public. In some cases, ransomware attackers have realized that companies refuse to pay because they can simply restore data from backups, according to Div of Cybereason. So before they encrypt the data, attackers look for sensitive information – “your customer list, your intellectual property, your nasty emails, anything that might embarrass you,” he said – and then threaten to publish it if the victim refuses to pay.

If that’s not enough, Div said attackers can contact a company’s customers to increase the pressure on them to pay.

The double-edged sword of cyber insurance policies

As ransomware attacks have increased, so has the demand for cybersecurity insurance.

Cybersecurity insurance is now a multi-billion dollar industry, according to Morgan Wright, senior security advisor at cybersecurity firm SentinelOne. Cyber insurance is increasingly sophisticated, providing businesses with a one-stop-shop for responding to hacking. Insurance companies contract with massive teams of lawyers, technical and forensic experts and, yes, negotiators to help victims manage and recover from a ransomware attack.

“The minute you file a complaint – just like a consumer, if you file a complaint with Geico – it’s out of your hands at this point,” Wright said.

The frequency of ransomware requests has increased 150% since 2018, according to AIG, one of the country’s largest insurance companies and a leading cyber insurance provider. And ransom demands made up one in five cybersecurity insurance claims last year, according to an AIG backgrounder.

What a business can pay for cyber insurance depends in part on the number of times an organization has been affected in the past, as well as other actuarial data, Wright said.

“If I have poor cybersecurity hygiene, my rates will be much, much higher than a company that has good policies,” he said.

But cyber insurance can also be a double-edged sword, according to Karen Sprenger, COO and chief ransomware negotiator at LMG Security. “We’re starting to see where attackers are browsing the data and looking for cyber insurance policies to see what the deductible is and understand how much coverage they have.” Sprenger said she saw cases where attackers then used this information to demand higher ransoms.

The best remedy, of course, is not to be in the situation from the start. Preventing ransomware attacks is relatively straightforward, according to cybersecurity experts. Make sure your software is up to date, require your employees to use multi-factor authentication, use firewalls, monitor your network to intercept unauthorized internet traffic, and establish cybersecurity incident protocols.

But too many organizations still lack the skills to implement even these basic precautions, said Ed Amoroso, CEO of cybersecurity firm TAG Cyber.

“This skills shortage is pervasive,” he said. “It’s in all sectors. There aren’t enough people who know how to do this.”

And that is why negotiators like Cook and Schmitt continue to receive calls for help. Between the two of them, they’ve now handled 75 cases – and it’s not over yet.

™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.
