Why Ransomware is Rational and Why That is Good
November 15, 2021
Ransomware attacks have made headlines for years, but understanding their true impact requires significant resources and access to the confidential inner workings of their victims. In this work, we present a threat intelligence analysis informed by the resources and client experiences of a global cyber security consulting practice.
Ransomware attacks have evolved. Early forms were autonomous malware deployed to a victim network or system, typically through email or downloaded by the unwary. Later, victims were often targets of opportunity discovered through automated scans across the Internet seeking vulnerable servers. Now, they are part of an active intrusion and are only activated after data has been stolen. Individual payouts can range in the tens of millions of dollars, but insurance industry estimates place the average cost of an incident at around $250k for recovery and lost revenue. Tomorrow, ransomware attacks may be something new, or they may go back to being another minor annoyance relegated to victims with low security maturity.
The key factor in all these attacks is the denial, theft, or threat of exposure to monetize access to a victim’s network. Briefly:
· Ransomware attacks deny the victim use of encrypted systems or data. This has a costly business impact and may force the victim to pay a ransom that is calibrated to be less than anticipated losses.
· Extortion attacks add to ransomware by stealing data and demanding payment to avoid public disclosure of the stolen data. Attackers have grown adept at selecting the scariest data to maximize their payout, including human resources, finance, business strategy, merger/acquisition, and sales/pricing data.
· Theft of data for immediate action has become a recent addition to extortion attacks. Attackers target data types sought in Dark Web marketplaces for auction. Short-lived data like valid credit cards is a low priority. Long-term data suitable for mortgage fraud, identity theft, and other credit theft is much more valuable. The trend of data theft corresponds with many threat groups breaking their informal ban on healthcare—a rich source of such long-term data.
At each step in its evolution, the ransomware attack has adapted to countermeasures such as the deployment of endpoint detection and response (EDR) tools or Business Continuity/Disaster Recovery (BC/DR) plans with sound data backups. Industry practices vary in effectiveness. The leading practice is to anticipate the attacker with cyber threat intelligence, adapt to the threat, and be ready to respond and recover if needed. Complex, layered defenses and recovery capabilities are often deployed by the most valuable targets, such as those in the financial services industry. Industries with less regulation and a lower historic need for IT systems in operations tend to lag.
Ransomware attackers have innovated and specialized to manage the evolving complexity of defenses. Threat groups broke up, differentiated services, formed cartels, or resurfaced under a new name. This activity and reorganization favored evolution as key players moved throughout the ransomware ecosystem, taking their toolkits and expertise with them. Once, threat groups were synonymous with their tool. The tool was often named by the cyber security company analyzing victims’ systems or honeypots owned by the security company. In a way, this helped ransomware threat actors brand their efforts and take a step toward the pseudo-business organizations we see today. Today, ransomware groups or specific coders place their brand in the tool or offer the service under their brand on the Dark Web.
One of the more recent developments is a franchise model allowing affiliates to select victims and direct attacks using a Ransomware as a Service (RaaS) model. The threat groups defend their brand in an effort to build the victim’s confidence that paying money will reverse the attack. Without some level of confidence, no one would pay the ransom. Economic relationships between elements in a stratified threat group bind threat actors to their established method of attack and slow revolutionary changes in favor of incremental changes. The innovation of stratified threat groups has become part of an understandable and therefore predictable ecosystem.
The key to understanding the actions of ransomware threat actors is to understand the economic rationality of their actions.[1] They seek to maximize profits from their investment of effort to build tools and compromise systems. Similarly, they seek to minimize the risk of exposure to law enforcement and nation-state retaliation. This is pure economic rationality, which is good for victims and potential victims seeking to secure their businesses.
There are indications that governments are starting to provide disincentives to pay a ransom. Payers risk prosecution under existing laws like those enabling the US Office of Foreign Assets Control (OFAC) sanctioned entity list. An additional risk is posed by payments to state-sponsored threat actors under the Foreign Corrupt Practices Act (FCPA) or through Anti-Money Laundering (AML) laws and regulations. Such policies address ransomware victims through well-understood business risk and regulatory compliance.
Non-governmental organizations like the National Association of Corporate Directors (NACD) have joined regulators and insurance providers to influence corporate governance practices to include IT security. Boards of corporate directors (“the Board”) see the increased need for Information Technology (IT)-focused members and even IT security-aware members. The Board is being prepared to engage with the business impact of ransomware. To counter such attacks, the enterprise can choose security investments or rationally accept risk. Corporate officers can present a rational story to deliver to the technologically aware Board. They anticipate the most likely threats in their environment. They prevent risk with prudent investments. They prepare to respond if the threat actualizes. They prepare to recover rapidly if needed. While not perfect, this compelling story of preparation is the best defense for corporate leaders in the event of an attack.
Ransomware is not good, but it is economically rational, and that fact is good for those of us seeking to counter it.
[1] Politically motivated attacks by nation-state actors and their proxies have been the subject of speculation, but even with such attacks, the proxy group is often self-supporting or tolerated. A notable exception is the NotPetya attack on Ukraine in 2017. Numerous global-scope enterprises became collateral damage.
__________________________________________
Orion Policy Institute (OPI) is an independent, non-profit, tax-exempt think tank focusing on a broad range of issues at the local, national, and global levels. OPI does not take institutional policy positions. Accordingly, all views, positions, and conclusions represented herein should be understood to be solely those of the author(s) and do not necessarily reflect the views of OPI.
___________________
Dr. D. Kall Loper leads Protiviti’s National Incident Response and Digital Forensics practices. He has 25 years of experience in DFIR and serves as a Professor of Computer Science at Southern Methodist University.
Mike Lefebvre is the National DFIR Lab Director at Protiviti and is a Computer Science Ph.D. student with a dozen years of cyber field experience. Mike holds four information security-related patents along with his co-authors.