Cybereason Research Shows Why It's Never a Good Idea to Pay Ransom
Many organizations don't have EDR to prevent ransomware attacks.
Channel Futures: For organizations that have been targeted by ransomware, what should they do rather than paying the ransom? Is there a better way for organizations to deal with this and minimize damage? If so, how?
Stephan Tallent: Just a few short years ago, many organizations could simply implement off-site data backup and recovery solutions with the notion that, in the case of a ransomware attack, they could confidently rebuff the attackers’ ransom demand and focus their mitigation efforts on restoring their systems from the backups. This was a solid strategy until ransomware purveyors evolved their methods to include alternative means to pressure organizations into paying up – hence the emergence of the double extortion tactic.
Double extortion begins when a crypto-malware strain first exfiltrates, or steals, sensitive information stored on a victim’s systems before launching the encryption routine. After the ransomware encrypts the target’s data and issues the ransom demand for payment in exchange for the decryption key, the threat actors make the additional threat of publishing or selling the exfiltrated data online should the target refuse to make the ransom payment.
To disrupt cybercriminals’ operations and to ensure ransomware is stopped before it can have any negative impact, every endpoint within an organization needs to be protected by endpoint detection and remediation software as prescribed in President Biden’s executive order published this week.
CF: Does the new data point to challenges/opportunities for MSSPs and other cybersecurity providers? If so, how?
ST: This presents challenges and opportunities alike. Challenges in that it can be difficult for MSSPs to separate product hype and the sheer number of security vendors espousing their virtues around effectiveness, from those that are truly capable of stopping sophisticated ransomware attacks. This can make it difficult for service providers to separate the wheat from the chaff. Also, an enormous opportunity exists for MSSPs/MDRs to provide the proper people, processes and technology to effectively mitigate and respond to ransomware attacks. With a negative unemployment rate in cyber in general, specifically the people with the skills required for effective detection and response, most businesses will turn to MSSPs and MDR providers.
CF: If an organization has been hit by ransomware and paid a ransom, how can they prevent the attacker from returning with another attack?
ST: Ransomware attacks cannot be prevented, but we can prevent the attacks from being successful. There are myriad steps the attackers take on the network before they drop the actual ransomware payload. This is where EDR/MDR solutions come into play by detecting the threat and eliminating it before any systems are encrypted.
CF: Why are ransoms increasing? What does that say about the attackers and the targeted organizations?
ST: Like any business model, the attackers are going to seek out the highest possible return the market will bear. As companies pay larger ransoms, threat actors will seek higher payments. The fact that CNA Insurance paid a reported $40 million ransom, JBS paid more than $11 million and Colonial Pipeline paid $4.4 million only serves as an incentive to the threat actors to demand higher ransoms. It’s why it doesn’t pay to pay. Organizations need to stop being reactive and stop paying the attackers after the fact. They need to be proactive and instead follow the advice of the Biden administration and invest in preventative EDR/MDR solutions and services.
Avanan analysts have discovered an exploit vector in Google Docs that attackers are using to deliver malicious phishing websites to victims.
The attacker wants the victim to “Click here to download the document.” Once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another webpage made to look like the Google Login portal.
In a blog, Jeremy Fuchs, marketing content manager at Avanan, said this attack is pretty simple to execute mainly because Google does most of the work for the attackers.
“Hackers are bypassing static link scanners by hosting their attacks in publicly known services,” he said. “We have seen this in the past with small services like MailGun, FlipSnack and Movable Ink, but this is the first time we’re seeing it through a major service like Google Drive/Docs.”
Joseph Carson is chief security scientist and Advisory CISO at ThycoticCentrify.
“One of the biggest mistakes security professionals can make is to assume that other personnel and staff have the same understanding of good cyber hygiene as they do,” he said. “Frankly, the average worker isn’t trained in cyber hygiene and best practices, making them easy prey for cybercriminals looking to access an organization’s networks quickly and easily via a phishing attack or clever social engineering. Ensuring that employees at every level are given sufficient training about how to identify malware-laced emails and other rudimentary attempts at credential theft can be a major step to help reduce the success rate of an attack or at least raise an alert. And by normalizing training within the culture of the workplace, organizations can help maintain vigilance for these practices long term.”
Sophos researchers have uncovered a malware campaign that doesn’t follow the typical behavioral pattern of infiltrating a system, stealing information, conducting banking fraud, and so on.
Instead, the malware blocks infected users from visiting a large number of websites dedicated to software piracy, including sites that host pirated versions of video games, Microsoft Office and other programs.
The creator has used the names of numerous software brands, games, productivity tools and even cybersecurity solutions to hide the malware.
John Bambenek is threat intelligence advisor at Netenrich.
“This seems to be a fresh trick on an old attack of compromising people attempting to download pirated software and media,” he said. “In this case though, it seems to be an individual or group trying to protect intellectual property, but make no mistake, this is still clearly criminal behavior.”
Sean Nikkel is senior cyber threat intel analyst at Digital Shadows. He said the technique of hosting malware disguised as legitimate software isn’t new.
“In fact, this likely dates back to the earliest peer-to-peer software days at the turn of the century,” he said. “In my experience, it’s likely the result of people simply downloading the first thing in search results to find a solution, such as a patch or freeware, that’s needed to finish a project or to do their work. They may also not be keen on waiting for a solution from management, approval from the company’s risk or compliance organization, or the IT help desk, unfortunately.”
New Cybereason research provides compelling reasons for organizations hit with ransomware not to pay the ransom.
A study of 1,300 security professionals reveals that more than half of organizations have been the victim of a ransomware attack. Furthermore, 80% of those that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group.
The Cybereason research also divulged that 46% of organizations that opted to pay a ransom demand to regain access to their encrypted systems reported that some or all of the data was corrupted during the recovery process.
More Damage, Higher Payments
Other key findings include:
- Sixty-six percent of organizations reported significant loss of revenue following a ransomware attack.
- Thirty-five percent of businesses that paid a ransom demand shelled out between $350,000 and $1.4 million. Seven percent paid ransoms exceeding $1.4 million.
- Fifty-three percent said their brand and reputation were damaged as a result of a successful attack.
- Thirty-two percent lost C-level talent as a direct result of ransomware attacks.
- Twenty-nine percent were forced to lay off employees due to financial pressures following a ransomware attack.

In addition, a startling 26% of organizations reported that a ransomware attack forced the business to close down operations entirely.
To find out more, we spoke with Stephan Tallent, Cybereason’s vice president of MSSPs for North America.
Channel Futures: What’s most surprising about this new data?
Stephan Tallent: Most surprising is how many companies do not have the prerequisite security solutions in place to prevent ransomware attacks when there are many endpoint detection and response (EDR) solutions that will help companies stop the threat in its tracks. Cybereason was also surprised that many companies suffered a ransomware attack and still didn’t deploy EDR.