Cyber Insurance & Ransomware

Winston Krone
Cybersecurity, Ransomware February 5, 2021

Why access to an experienced response team has never been more important

When an organization responds to a successful ransomware attack without outside assistance, it’s dueling with an adversary that’s already outwitted it technically, and is probably many times more experienced extracting the maximum ransom amounts from its victims.

Now there’s another reason why an affected organization should make use of the panel of preferred cyber extortion response vendors offered under most insurance policies. The ransomware itself might not be reversible.

Historically, the ransomware infections we investigate have predictable characteristics – they encrypt data rapidly, the decryption process is usually less efficient, but the normal attacker has a vested interest in making sure they can reverse the damage (or most of it) if the victim is willing to pay a ransom. After all, no cybercriminal wants a bad online review.

However, in the last few months, we have observed a sharp increase in “bad” ransomware strains – i.e. where the malware the carries out the encryption has poor functionality fatally corrupts substantial portions of the victim’s data, fails to decrypt properly after payment of a ransom, or is favored by volatile, unskilled attackers who are unable to troubleshoot decryption issues. If you can’t recognize these strains when attacked, a victim organization risks wasting response time and potentially the ransom amount in a futile effort to recover its data by negotiating and paying the attackers’ demands. This is particularly relevant as victim organizations frequently have valid backups for some of their system, but are tempted to pay a ransom to recover specific critical databases and applications. Ironically, it’s exactly these complex files that are most likely to be affected by corruption caused by ransomware.

Kivu has recently issued warnings about the following ransomware variants

Rapid:
We’ve found that the decryption keys provided by attackers upon payment of some or all of a ransom can decrypt common, simple file types. However, the initial encryption process permanently corrupts SQL databases, email folders, and virtual drives. These will remain partially or completely corrupted even after the attackers’ decryption tools are run. At a minimum, even if you pay a ransom (typically 1 Bitcoin), you’re looking at extensive restoration of the corrupted files which can take weeks.

Triple M:
In recent cases, all files were permanently deleted and overwritten by the ransomware’s encryption process, Payment of a ransom (frequently 1 – 2 Bitcoin) is pointless and the time wasted can exacerbate the business interruption losses.

Sigma:
While the files decrypt fine, there’s an unusually large lag time of up to 2 days between payment of the ransom and receipt of the decryption tool from the attackers. This may be a poorly designed interface (on the hacker’s side) whereby they don’t get immediate notification of the payment or it’s not an automated process. By contrast, the commonly used SamSam ransomware provides the decryption tool within an hour of payment of the ransom. Knowledge of this potential delay is crucial in mitigating business interruption and, potentially, the decision whether to pay a ransom at all.

Thanatos:
The ransomware is not designed to store encryption keys. This means the attacker cannot identify or provide the victim with the correct decryption tool even if the victim pays the ransom. While the ransom demanded is typically less than a Bitcoin, the victim wastes time in responding and prolongs the business interruption.

Mamba:
This ransomware which uses full-disk encryption to completely lock down computers appears to cause permanent damage to Windows 2003 servers during the decryption process provided by the attacker upon payment of the ransom (the DiskCryptor key). Yet another reason to migrate from Windows Server 2003, which stopped being supported by Microsoft in July 2015

BitPaymer:
Like Rapid, there are significant corruption issues caused by the ransomware to complex files. However, even if a ransom is paid, the decryption process is crushingly slow against Windows 2003 Servers, requiring round-the-clock supervision for days to restore systems. Again, upgrade or die!

What are the takeaways?

  1. Prevention is better than cure. That means patching, migrating from no longer supported operating systems, and having valid backups and archives, particularly of critical systems.
  2. Any organization can be targeted. We’ve observed the above infections in professional services, real estate, healthcare, and technology sectors, ranging from SMEs and startups to established international companies. And attacks range from traditional email phishing to compromises of remote access protocols and patch vulnerabilities (against which employee training is useless).
  3. If you are hit, and valid backups aren’t available, understand that there are literally hundreds of ransomware variants, each with a different effect and corruption impact depending on the systems affected.
  4. An experienced cyber extortion responder is crucial to advise an organization whether it should pay a ransom, and for warning of unexpected business interruption issues.