Ransomware Continues to Lead Cyber Attacks

Ransomware attacks have continued to soar every year since 2015. The privacy/security company BlackFog reports that they are highest in the United States and United Kingdom.

Experts predict that a company will be hit with ransomware every 11 seconds and the cost of these attacks will be $20 billion by the end of 2021. Why has ransomware been so successful? Two reasons: (1) companies have not developed and tested backup/recovery plans that enable them to fully restore systems encrypted by ransomware, and (2) they have not encrypted their data at rest.

If an organization hit by ransomware has encrypted its data at rest and has full backup/restoration capabilities, it can just restore its systems, and the cyber criminals have to go elsewhere. The reality, however, is that many companies rolled the dice and chose not to fund the development of backup/recovery plans and the deployment of encryption, which can be difficult and expensive.

This gamble has created a gold mine for criminals. Ransomware became more sophisticated, and cyber criminals became more ruthless. First, they figured out how to exploit the “hot-hot” environment, where a business continually replicates data from a live production site to another location, enabling it to switch from one site to another, if necessary, for business continuity purposes. Some companies rely on the availability of the replicated site and do not also create offsite backups of their data.

This is a dangerous strategy, however, because ransomware can often traverse the entire environment, encrypting both the production system and replicated data. Unlike earlier versions of ransomware that simply encrypted data, newer forms of ransomware will enter a system and look for backup data first. It may corrupt or delete some of it, then it will seek out business data and may corrupt portions of it before it begins encrypting all of the company’s data and backup data.

Second, the cyber criminals figured they could increase their leverage over an organization if they exfiltrated the data before encrypting it. This would enable them to demand a ransom to decrypt the data, and they could threaten to post it online if the ransom wasn’t paid—or sell it to the highest bidder. Coveware reported that 70% of ransomware attacks involve a threat to post exfiltrated data.

The Perfect Storm

An organization cannot restore its systems unless it has certainty of the integrity of its backup data (knows that it has not been modified). If the organization runs each backup through a hash algorithm immediately after the backup is created, the algorithm produces a hash value. The hash value can be reproduced if the backup is run back through the algorithm. If even one character or period is changed in the data, the hash value will be different, and the company will know the backup has been compromised.

When all of the data in a system is not backed up with hash values and recovery plans are not tested, IT teams are uncertain about their ability to fully restore systems. This is when ransom payments begin to look like an attractive option. It can be the difference between staying in business or going out of business.

The combination of these factors has led to a perfect storm. Companies that did not invest in backup/recovery paid ransom demands to cyber criminals (1) to decrypt their data and (2) to avoid the consequences of having their data posted online. This only fed the problem. Cyber criminals upped ransom demands into the millions, alarming law enforcement and national security officials, who worried that ransoms were being paid to adversaries, terrorists or criminals working against U.S. interests.

In January 2020, BBC reported that a foreign exchange company, Travelex, was hit with a ransomware attack that encrypted all of the company’s systems, deleted its backup files, and exfiltrated more than 5 GB of data. BlackFog recently noted, “The company paid a ransom of $2.3 million, but reports from PwC say they took a £23 million hit as a result of the attack, [and] Travelex has since gone into administration as a result of the cyberattack and the impact of Covid-19.”

As companies began to balk on paying ransom payments, cyber criminals began posting exfiltrated data online, embarrassing and jeopardizing the victim companies. They also set up websites for companies to check to see if any of their providers had been hit by ransomware and were refusing to cooperate with the criminals and pay the demanded amount. TSYS, the third-largest payment processor for banks, was hit with ransomware and had 10 GB of its data posted online. A North Carolina county’s system suffered a ransomware attack, and personal and medical data was posted after the county refused to pay. The city of Knoxville suffered the same fate, while other cities reportedly paid about $300,000 to avoid having their data posted.

U.S. Government Steps In

In October 2020, the U.S. Treasury Department’s Office of Foreign Asset Controls (OFAC) made it even harder for companies hit with ransomware. It issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, warning companies that they could be subject to civil, administrative or criminal penalties for paying ransoms to “sanctioned persons or to comprehensively sanctioned jurisdictions.”

The advisory relies on prohibitions under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), which prohibit U.S. persons from engaging in transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked individuals or entities, and its “bad country list” (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).

The advisory extends beyond the immediate victim company. It warns: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” This means that companies with cyber coverage for ransomware may suddenly find their insurance companies unwilling to pay ransomware demands.

Here is the problem: when conducting a cyber forensic investigation, it is very difficult to determine with any degree of certainty who the attacker is or what country it is from. For example, IP addresses can be spoofed, attacks can be run through third-party systems and networks, the attackers can switch between domain names, etc. The advisory notes that “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Law firm Jones Day has noted that OFAC civil penalties could be “the greater of $305,292 per violation or twice the value of the transaction that forms the basis of the violation.”

As law enforcement and government officials urge companies not to pay cyber criminals, this push-pull has created a new skill set: negotiators who try to cut a bargain on the ransom demand. Gemini Advisory claims it generally negotiates a 25-35% reduction in the ransom amount. The amount saved, however, may end up being paid to OFAC as a penalty.

The bottom line: companies need to invest in their backup/recovery capabilities and encrypt data at rest (encrypted data posted online isn’t worth much). Agents and brokers also need to meet with their clients, raise these issues, and advise them on how their cyber insurance carriers are handling ransom demands.