This week I met with Deep Instinct, one of the most advanced deep learning security firms out of Israel. As you’d expect, ever since the Colonial Pipeline breach, their business has gone vertical, and news of more attacks this week will likely continue that growth. A recent $100 million investment leaves them well positioned to capitalize on that interest.
But when we got to talking about the new threats, I got a lot more concerned. Some of the trends on ransomware in particular have me much more concerned than I was before the call.
Let’s talk about some of these new problems.
The Problem with Paying Ransoms
Ransomware corporations have been on the upswing for some time, but there is a new practice, and that is to hit the same company, from different directions, multiple times. One such corporation, the DarkSide ransomware as a service group, was responsible for the Colonial Pipeline breach. According to Deep Instinct, these corporations are now hitting the same company multiple times and sharing information with other entities who, in turn, also attack the same company.
Once you are identified as a company that pays ransoms, expect multiple attacks from different vectors and accelerating charges. Deep Instinct said they see these escalations typically start relatively inexpensively, say at around $15K to see if you’ll pay. Each subsequent attack goes up to $45K, then $280K, then into seven figures.
Once you are seen as a company that will pay, there is a decent chance that more than one ransomware group could target you at once, making it nearly impossible to recover even if you pay one or all of the ransoms.
The groups have also come up with a way to extend their revenue past the initial event. They will take a payment to restore your data and then demand additional payments to prevent them from publishing what they stole or reporting the attack. Since failure to report many of these breaches is a crime and most companies are not reporting them, this gives the attacking group significant leverage in terms of extended blackmail.
Given that these funds may be used for illegal purposes, the company may find itself in a never-ending blackmail loop with multiple groups, any one of which could cause criminal charges to be filed against your company for failure to disclose, or lead to a devastating data leak.
Nation-State Players: Iran
While we have Nation-State players in this space, Deep Instinct is particularly concerned about Iran. The reason for this concern is that Iran’s ransomware attacks aren’t like regular ransomware attacks in that they don’t encrypt the data; they destroy it and then ask for a ransom. But there is no data to restore, so you will not recover regardless of whether you pay or not.
This approach is on top of the stories of additional hidden payloads being installed on compromised networks. In some of the most recent attacks, the malware first destroys the backup systems and only then goes after the operational data the firm needs in real-time.
Imagine paying a very high ransom only to find that the data you expected to get back is gone, and now you have to explain why you paid the ransom, why you didn’t report the ransom in a timely manner, and why you approved a ransom payment that didn’t result in a remedy.
Cybersecurity and Legal Protection
The trends here are concerning both from the standpoint of escalating costs and blackmail and the idea of destroying data so that your ransom payment just further embarrasses you and your company. Iran seems to be trying to get U.S. businesses to fund its attacks on U.S. companies. That could lead to those companies being held accountable for the subsequent damage, done to other corporations, government, and critical infrastructure, that their payments effectively funded.
AI-based solutions that aggressively look for bad behavior, like Deep Instinct, BlackBerry Cylance and others, may be the only tools capable of stopping these attacks immediately. However, a solid enforced policy on not paying ransoms coupled with advanced AI-based security tools and adherence to reporting requirements could, collectively, help immunize you from these troubling trends. Though the only real fix remains an international effort to bring the perpetrators to justice.