Ransomware Ransoms Aren’t Worth The Bitcoin They’re Made Of
Updated: Mar 28, 2022
In late February 2022, cyber security firm Venafi released a report on the current state of ransomware campaigns, and it’s not looking good. Apart from the fact that ransomware operators are popping up everywhere like it’s spring in the Alps, their tactics are getting more sophisticated, and they’re becoming less trustworthy.
Firstly, 85% of attacks now use double and triple extortion, and this happens regardless of whether or not you pay the ransom. Double and triple extortion is when you are extorted multiple times for the same data: usually one ransom to decrypt the data, another to not leak the data to the dark web (or the broader internet as a whole), and another to call off DDoS attacks (now that they know exactly where your services are). If the attackers know you pay, why not get you to pay as much as possible? And if you don’t want to pay for decryption, maybe you’ll pay when your services are no longer accessible?
Of organisations that were hit with ransomware, 38% reported that the attackers threatened to extort the organisation’s customers with the stolen data, meaning that if you wouldn’t pay, your customers would. Additionally, 32% of attackers threatened to inform customers that the attack had happened. Attackers have moved from simply holding data to ransom to holding the reputation of the business itself to ransom.
Worse still, 18% of organisations that did pay the ransom (nearly 1 in 5) still had their data dumped on the dark web anyway, and 35% of ransomware victims paid the ransom only to find that they couldn’t get their data back either. So what has happened to the reputation of these ransomware operators? Isn’t the whole point that they are a business too?
Unfortunately, the sheer weight of interest in ransomware has had an unintended effect on the way ransom gangs operate. They can’t stay in one place for too long, or they’ll get snatched by law enforcement as the REvil guys did. Instead, most ransomware operations are short-lived campaigns, where the focus is on getting as much money as possible in as little time as possible. That means the interest is not in providing a service so much as in getting your money, which means reasonability and reliability are out, and coercion and manipulation are in. They will (and currently do) use every trick and opportunity to make you pay, and will seek to make as much money as possible from you and your data regardless of what you may believe they have promised. It’s not worth paying the ransom, and it never was.
That said, how do you avoid all of this? Well, ransomware attacks are rarely fully automated, so you want your staff to be cautious of emails, cautious of software and links, and ready to report to the cyber team if something seems suspect. Once the attackers are on your systems, though, they’ll use legitimate accounts to move through your network and find what you don’t want them to have access to. You need an active security approach, powered by deception and decoy tactics, and a good threat hunting team. Firebug assists with seeking out unusual behaviour in systems, like what you’d see when attackers go looking for juicy data, and can help put the spotlight on things that other systems won’t.