When it comes to ransomware attacks, the general consensus of opinion is one of fear and confusion surrounding the appropriate steps to take once your systems have been disconnected and you receive a ransom demand.
Winston Krone from cyber security firm Kivu Consulting provides some clarity on the subject and eliminates popular ransomware misconceptions one by one:
MYTH 1: ‘HACKERS WON’T PROVIDE THE DECRYPTION TOOLS AND YOU’LL BE RIPPED OFF’
The majority of ransomware actors want to make money and receive good publicity within the hacker community on the Dark Web. When a hacker doesn’t decrypt a system post-payment, it destroys their reputation within the community and lowers the chances of future ransoms being paid, so it is in their best interest to deliver on their promise.
In some cases, the decryption software doesn’t work properly and expert advice is needed.
Victims tend to panic and blame the attacker, but in practice it is rare for an attacker to deliberately fail to provide a fully functional decryption key.
Often the hacker is inexperienced and turns to Ransomware as a Service (RaaS) tools to learn how to plan a ransomware attack, but when things go wrong, they don’t know how to decrypt the data properly.
While the likelihood of an attacker not providing decryption keys is low, it’s important to consider how that risk fluctuates depending on whether the victim wants to negotiate instead of paying the stated sum.
For example, when a victim is attacked by an aggressive variant and the victim attempts to substantially discount the initial ransom amount, attackers are more likely to “stiff” the victim and simply end all negotiations.
It’s worth remembering that attackers frequently carry out specific reconnaissance on the target’s size and financial value, and they generate their perception of a “reasonable” ransom demand based on those metrics.
Often, an attacker has multiple victims and will respond first (or only) to the victims who provide the least resistance.
Also, while paying the stated demand (or a slightly reduced counteroffer) usually results in successful acquisition of the decryption tool; we’ve also seen attackers initially accepting the terms of a surprisingly low counteroffer, only to turn around and demand the remaining funds following payment.
MYTH 2: ‘ALL SERVERS ARE COMPATIBLE WITH DECRYPTION SOFTWARE’
New strains of ransomware are constantly being developed and tweaked to get around antivirus software. This rapid evolution has sped up the encryption process, but made the decryption process a lot slower (sometimes taking weeks), which frustrates companies. We’ve seen this first hand with the Ryuk and BitPaymer ransomware variants.
Rushing to get new variants on the market, criminal malware developers are only testing their code on the most common, modern computer systems. This makes victims with older servers and out-of-date operating systems particularly vulnerable to attack and subsequent destruction.
For example, Microsoft announced in July 2015 that it will no longer be supporting Windows 2003 and consumers were warned that older servers would not be adequately patched or protected anymore. When unpatched older systems get encrypted, they are typically destroyed and all the data they hold gets deleted.
This problem is exacerbated by unskilled attackers who launch a ransomware attack without the knowledge to shut down databases or log out of virtual machines pre-launch. Failure to do this guarantees system crashes and irreparable corruption, regardless of whether decryption keys are provided.
This destruction is not something hackers want to happen, as it affects them being paid and means that the affected companies endure irreversible loss of their data.
Companies still operating on older systems are not regularly tested and will therefore find it harder to get comprehensive coverage for the inevitable loss of their files during an attack.
They should seek specialist advice to assess their options for cyber protection. Ensuring that servers are up-to-date and compatible with the latest strains of malware will make the decryption process a lot easier and less risky for data protection.
MYTH 3: ‘THERE ARE OTHER WAYS TO CRACK THE ENCRYPTION’
There are lots of paid online adverts for special remedies to CrySis and Dharma ransomware, which involve paying outside agencies to decrypt a system without having to pay a ransom to the hacker. However, most of these tools simply don’t work and slow the process down, costing more in the long run.
There is a lot of false information on the internet, which can prove detrimental. There are also unscrupulous vendors who will accept payment from a victim to decrypt a system, and then buy the decryption keys from the attacker. The victim then misleadingly believes that, having recovered its data without paying a ransom, it doesn’t need to notify authorities about the event or take regulatory compliance actions.
For the most part, ransomware variants, for which legitimate free solutions exist, are now no longer in circulation.
Ransomware actors typically avoid using variants that are widely known to be “decryptable”. However, there are a few exceptions in the form of earlier versions of GandCrab. GandCrab remains one of the most effective and prevalent ransomware variants (especially the new versions), even though there are legitimate, free decryption tools for versions 1, 4 and some flavours of 5.
MYTH 4: ‘RANSOM PAYMENT IS THE MOST CRUCIAL STEP’
Actually, the most difficult and integral part of the process is the decryption stage. Depending on the ransomware variant and the maturity of the victim’s operating systems, the time required to decrypt can be substantial.
If the environment is large, victims may not discover all encrypted machines until days or weeks later, which may warrant additional engagement with the bad actor and follow-up ransom payments.
Victims usually assume that receiving the decryption key is an immediate solution and don’t prepare for the business interruption costs incurred while decryption is taking place.
MYTH 5: ‘CYBER CRIMINALS ONLY TARGET COMPANIES THAT HOLD A LOT OF PERSONAL DATA’
This assumption leads some companies to underestimate their level of risk and stops them from adequately preparing for an attack. The reality is that victims are chosen for their level of system vulnerability, not because of the amount or type of data they hold.
Consistent regulation, bigger security budgets and an enlightened C-suite who have thought more about the risks their companies face are the biggest differentiating factors between a prepared company and a vulnerable one.
Although some attacks may be motivated by the size of the ransom companies can afford to pay, most victims are chosen because of their system vulnerabilities regardless of their size and budget.
No company, regardless of sector or size, is immune to a ransomware invasion if they continue to overlook their responsibility for robust cyber security. Having a clear cyber-attack strategy will put a company one step ahead of hackers and allow time for informed decision making amidst the chaos of a system lock out.
Ultimately, a company’s attitude towards their level of risk and their likeliness to engage with an incident response plan makes all the difference
Download Cyber Decoder Newsletter
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org