Why access to an experienced response team has never been more important
When an organization responds to a successful ransomware attack without outside assistance, it’s
dueling with an adversary that’s already outwitted it technically, and is probably many times more
experienced extracting the maximum ransom amounts from its victims.
Now there’s another reason why an affected organization should make use of the panel of preferred
cyber extortion response vendors offered under most insurance policies. The ransomware itself
might not be reversible.
Historically, the ransomware infections we investigate have predictable characteristics – they encrypt data rapidly, and although the decryption process is usually less efficient, the typical attacker has a vested interest in being able to reverse the damage (or most of it) if the victim is willing to pay a ransom. After all, no cybercriminal wants a bad online review.
However, in the last few months we have observed a sharp increase in “bad” ransomware strains – i.e. strains where the malware that carries out the encryption has poor functionality, fatally corrupts substantial portions of the victim’s data, fails to decrypt properly after payment of a ransom, or is favored by volatile, unskilled attackers who are unable to troubleshoot decryption issues.
If a victim organization can’t recognize these strains when attacked, it risks wasting response time, and potentially the ransom amount, in a futile effort to recover its data by negotiating and paying the attackers’ demands. This is particularly relevant because victim organizations frequently have valid backups for some of their systems but are tempted to pay a ransom to recover specific critical databases and applications. Ironically, it is exactly these complex files that are most likely to be affected by corruption caused by the ransomware.
Kivu has recently issued warnings about the following ransomware variants:
We’ve found that the decryption keys provided by attackers upon payment of some or all of a ransom can decrypt common, simple file types. However, the initial encryption process permanently corrupts SQL databases, email folders, and virtual drives. These remain partially or completely corrupted even after the attackers’ decryption tools are run. At a minimum, even if you pay a ransom (typically 1 Bitcoin), you’re looking at extensive restoration of the corrupted files, which can take weeks.
In recent cases, all files were permanently deleted and overwritten by the ransomware’s encryption process. Payment of a ransom (frequently 1 – 2 Bitcoin) is pointless, and the time wasted can exacerbate the business interruption losses.
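The two situations above (complex files that stay corrupt after the attacker’s decryptor runs, and files that were simply overwritten) can be spotted before committing to a full ransom by test-decrypting a handful of samples and checking whether each still carries a valid file header. The Python triage below is an added illustration, not Kivu’s tooling; the magic bytes for SQLite databases, Outlook PST mail stores and sparse VMDK disks are assumptions about the formats in use, and the sample files are constructed in a temporary directory.

```python
"""Header check for test-decrypted sample files (added example, not from the advisory)."""
import os
import tempfile

# Leading bytes that a structurally intact file of each type must start with.
# Assumed signatures: SQLite 3, Outlook PST, and VMware sparse-extent VMDK.
SIGNATURES = {
    ".sqlite": b"SQLite format 3\x00",
    ".pst": b"!BDN",
    ".vmdk": b"KDMV",
}


def classify(path):
    """Return 'ok', 'corrupt', 'empty' or 'unknown' for one decrypted sample."""
    ext = os.path.splitext(path)[1].lower()
    magic = SIGNATURES.get(ext)
    if magic is None:
        return "unknown"          # no signature known; needs manual inspection
    with open(path, "rb") as fh:
        head = fh.read(len(magic))
    if not head:
        return "empty"            # overwritten or truncated to nothing
    return "ok" if head == magic else "corrupt"


def triage(paths):
    """Map each sample to its verdict; any 'corrupt' or 'empty' means the
    decryptor did not restore that file type, so paying for the rest will not either."""
    return {p: classify(p) for p in paths}


def demo():
    """Write constructed samples to a temp dir and return verdicts keyed by file name."""
    d = tempfile.mkdtemp()
    samples = {
        "orders.sqlite": b"SQLite format 3\x00" + b"\x00" * 100,  # intact header
        "mail.pst": b"\x9f\x1c\x44\xa0" + b"\x00" * 100,           # garbage header
        "vm01.vmdk": b"",                                          # overwritten / empty
        "notes.txt": b"plain text survives",                       # no signature on file
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return {os.path.basename(p): v for p, v in triage(paths).items()}
```

Run the same check over real test-decrypted samples of each critical file type; a single “corrupt” or “empty” verdict for a database, mailbox or virtual disk is the early warning that restoration from backup, not payment, is the only route.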
While the files decrypt fine, there’s an unusually large lag of up to 2 days between payment of the ransom and receipt of the decryption tool from the attackers. This may be due to a poorly designed interface on the hacker’s side, whereby they don’t get immediate notification of the payment, or to the process not being automated. By contrast, the commonly used SamSam ransomware provides the decryption tool within an hour of payment of the ransom. Knowledge of this potential delay is crucial in mitigating business interruption and, potentially, in the decision whether to pay a ransom at all.
The ransomware is not designed to store encryption keys. This means the attacker cannot identify or provide the victim with the correct decryption tool even if the victim pays the ransom. While the ransom demanded is typically less than a Bitcoin, the victim wastes time in responding and prolongs the business interruption.
This ransomware, which uses full-disk encryption to completely lock down computers, appears to cause permanent damage to Windows 2003 servers during the decryption process provided by the attacker upon payment of the ransom (the DiskCryptor key). Yet another reason to migrate from Windows Server 2003, which stopped being supported by Microsoft in July 2015.
As with Rapid, the ransomware causes significant corruption of complex files. However, even if a ransom is paid, the decryption process is crushingly slow against Windows 2003 servers, requiring round-the-clock supervision for days to restore systems. Again, upgrade or die!
What are the takeaways?
- Prevention is better than cure. That means patching, migrating from operating systems that are no longer supported, and having valid backups and archives, particularly of critical systems.
- Any organization can be targeted. We’ve observed the above infections in the professional services, real estate, healthcare, and technology sectors, ranging from SMEs and startups to established international companies. And attacks range from traditional email phishing to compromises of remote access protocols and exploitation of unpatched vulnerabilities (against which employee training is useless).
- If you are hit and valid backups aren’t available, understand that there are literally hundreds of ransomware variants, each with a different effect and corruption impact depending on the systems affected.
- An experienced cyber extortion responder is crucial for advising an organization whether it should pay a ransom, and for warning of unexpected business interruption issues.