Going down the ransomware rabbithole

Looking for insights in modern literature to address the
challenges facing CISOs might seem farfetched, but there is some logic to this.
Lewis Carroll’s Alice’s Adventures in Wonderland and Through the Looking Glass
illustrates the challenges posed by ransomware. While this might seem
contradictory on the surface, the options and twisted logic Alice faced are
eerily similar to those posed by this pernicious malware.

Yet fight ransomware CISOs must do, so be prepared to
abandon logic and enter the looking glass that is modern-day cybersecurity.

The good news is that there are ways to tilt those
ransomware calculations in the company’s favor so you are less likely to have
to pay the ransom. Fighting ransomware in 2019 forces CISOs to embrace quite a
few contradictions that are most vexing. Here are some to consider:

• In a logical world, it is only the ransom-demander who is
the criminal with the enterprise target merely a victim. But in the contrarian
world of ransomware, there is an excellent chance that a company — or a company
employee — paying a ransom might be violating federal law by sending money if
the attacker is associated with terrorists or is in a country that doesn’t play
nice with the U.S. Ultimately, you could be prosecuted for it. If you do not pay,
you can lose your data. If you do pay, you might go to jail. Tough choice.

• There is potentially more legal trouble for the ransomware
victim: Compliance and breach disclosure issues could be expensive and damage
the company image. There could be related costs, such as states that require
purchasing identity theft insurance for all impacted consumers. But were the
consumers impacted? This raises a question that is difficult to answer: How far
can a CISO trust the representations of the attacker? The company’s decision
here can have expensive repercussions.

By all indications, an attack merely seemed to encrypt
sensitive data. But given that the bad guys needed to first access it to
encrypt it, might they have copied the data first so they could double-dip and
sell the data on the black market even if the company pays the ransom? If the
attacker has not yet done so, does that exfiltration still trigger
compliance-related costs and efforts? Are companies required to assume that the
attackers did more than they claimed? Will regulators make that assumption?
Questions like these can send even the most grizzled CISO down the proverbial
rabbit hole looking for answers.

• As is the case when anyone is dealing with a kidnapper who
demands a ransom, it seems foolish to trust such a thief. What would stop them
from taking your ransom and then opting to renege and not release your data?
And yet, ransomware experts say that ransomware in 2019 is a highly
professional business and that these ransomware businesses, which will often
have customer service and free tech support, can be trusted to do what they
say. If they do not, their highly lucrative business model would quickly
implode. Is there a CISO or CEO willing to take that chance?

• The official policy of just about every Fortune 1000
company is to never pay a ransom. And yet, just about all of those same
companies routinely will pay that ransom when the ROI calculation of fighting
versus paying makes it clear that paying is better. That said, the calculation
sometimes tells companies to not pay, depending on the situation and the nature
of the attack. Was the City of Atlanta correct in saying no to a $51,000 ransom
(the exchange rate for six bitcoin at the time of the attack) when experts say
the costs to restore the data might well reach an estimated $17 million?

• If the situation is dire enough, CISOs always retain the
option of surrendering and simply paying the ransom. And yet, many companies
then discover that the nature of buying cryptocurrency — the ransom of choice
these days — is next-toimpossible to do in volume given the limits the system
imposes on cryptocurrency brokers, especially if the company does not have
existing relationships with multiple cryptocurrency brokers. Buying a lot of
cryptocurrency to hold in reserve for a future ransomware attack also does not
work, both because of the potential loss of value due to the dramatic shifts in
cryptocurrency exchange rates and because there is no way to know which
cryptocurrency will be demanded.

• The limits as to how much bitcoin a single broker can sell
changes from broker to broker, as do the precise procedures. Regardless, it is
critical to start establishing those relationships before an attack hits so
that your team can get as much of the paperwork wrapped before you need the
virtual currency, experts agree. A second option is to get ransomware insurance
and let the insurance company do all of that paperwork and logistics.

• Senior executives often assert that when the time comes to
deal with ransomware, they will be the ones to decide, often in concert with
the board. And yet, some ransomware attacks are now designed for mid-level or
entry-level employees to be able to pay on their own — with demands as low as
$100 or a few hundred dollars, in cryptocurrency — so the lowerlevel employee
can, in theory, avoid the embarrassment and potential punishment of admitting
to management that they clicked on the attachment and caused the problem.

Unraveling the contradictions

A typical first line of defense includes aggressive backups,
but attackers plan for that. Attackers often plant malware that goes silent for
weeks or more before sending a ransom demand. This is designed to not merely
infect backups with the malware, but to make it difficult to determine exactly
when the infection began. Also, even if the security team identifies the exact
date of infection, it might mean restoring a backup from a month or longer ago,
losing considerable critical data.

This is all part of the ransomware return on investment
(ROI) strategy. Attackers want the enterprise’s ROI calculation to make it
worthwhile to pay the ransom.

The most obvious way to combat this strategy is to separate
data backups from executables backups. In theory, this would allow protection
of all data, as a database of raw data should not be able to house a malware
executable. But homegrown legacy applications, along with legacy apps made from
companies that are no longer in business or at least no longer selling that application,
make that executable backup essential. This would suggest keeping secure
backups of all legacy code on disks that are entirely off-network, ideally with
multiple copies in multiple air-conditioned and air-gapped vaults.

Bryan Kissinger is the CISO for Banner Health, an $8.5
billion chain of 28 hospitals along with physician groups, long-term care
centers and outpatient surgery centers in six states. Kissinger argues that his
security team has done everything it can think of to thwart a ransomware
attack.

“We’re preparing ourselves as best as we can,” Kissinger
says. “We don’t allow our workforce to have administrative privileges on
end-user devices.”

That restriction on administrative privileges is a key part
of Banner’s defense strategy. Given that the typical ransomware attack involves
attachment malware intended to compromise administrative credentials, “we
attempt to head that part off. Our remedy would be to flush the system and
reload it from a clean backup.”

Given that Banner performs backups on everything in the
network — applications, data and operating system — there is always a risk of
the malware infecting the backup so “we try and go back to a good time.” But by
sharply limiting who has administrative privileges, Kissinger is hoping an attack
would not ever touch any of the backups.

When asked about whether his firm, if indeed caught in a
ransomware web, would ever pay ransom, he says he would recommend such a
payment in only a few circumstances, such as if the system was “hopelessly locked
and if the ransom is lower than our operating costs to repair the damage.”

Kissinger adds that it is hardly practical to have an
ironclad policy against ever paying such a ransom. “I think anyone who says
flat out ‘no’ is not being realistic.”

But if it ever happened, Kissinger says, his top priority
would be identifying how the attacker got in and patching that hole. “We would
try and close the threat vector so they can’t just attack again” after the
ransom is paid, he says.

The question of whether paying encourages more ransomware is
a difficult one to answer, which is why most companies that pay do everything
they can to keep the payments secret.

“Broadly, I would advise ‘don’t pay’ because I do think it
encourages the problem,” says Sean Tierney, director of cyber intelligence for
security consulting firm Infoblox of Santa Clara, Calif. “But (CISOs) have to
be aware of what the business reality is and what the impact of not paying will
be. This does require the decision-makers to decide in advance what their
decision will likely be.”

When an enterprise is trying to craft strategies and
policies to counter today’s ransomware threats, it must look closely at its
abilities to pay a ransom if it chose to do so. Many companies have tried and
quickly discovered that the logistics of paying a large ransom in blockchain
currency can be overwhelming if arrangements have not been put in place months
earlier, says Mark Rasch, a former federal prosecutor who today serves as a
private practice cybersecurity lawyer in Bethesda, Md.

Can I? May I? Should I?

“With ransomware, the first questions a company must address
are ‘Can I? May I? Should I?,’” Rasch says.

The “Can I?” part addresses the tricky nature of
cryptocurrency. “Do I have access to cryptocurrency — in multiple denominations
and multiple types? Anywhere from (a value of) $300 to $3 million?” Rasch asks
rhetorically. “If you have a need to deploy cryptocurrency, who in the
organization will be responsible for making that decision? And how do you get
that information to that person?”

When an attack hits, the extortionist typically gives a very
short window for paying, often 24-48 hours. That means that every minute is
critical. When some employee receives an extortion demand, does that employee
know where to send it? Does that employee’s supervisor know? And what if the
designated recipient is on vacation, traveling or otherwise unavailable? Is
there a backup assigned to handle it and is that backup’s contact information
widely known among employees? If designated contacts and/ or their backups
leave the company, is there an immediate trigger for someone to select a
replacement? Are such plans routinely rehearsed to learn of holes?

“Who makes that decision? Is somebody is going to own that
decision?” Rasch queries. Sometimes staffers have different spending approval
limits, so it becomes a question of determining which person has the authority
to approve the ransom spend.

The “May I?” part refers to the tricky legal environment
surrounding ransomware. There are various regulatory rules — the most prominent
coming from a unit in the U.S. Treasury called the Office of Foreign Asset and
Control (OFAC) — that restricts where money can go (prohibited countries) and
people/organizations where it can go (entities on suspected terrorist or
terrorism organization lists).

This is where the nature of ransomware makes payments
complicated. Communications between the victim company and attacker typically
improves after a ransomware attack, which is at least a microdot of a silver
lining. “You’re never more secure than you are two weeks after having been
attacked. It’s a motivating event, at least temporarily. You’re going to be
doing some locking down,” Rasch says. “The idea that paying ransomware invites
more ransomware is probably not true. But being vulnerable to ransomware
probably does invite more attacks.”

Rasch argues that there really is a professionalism among
many of the larger ransomware groups and punishing a paying customer is rarely
seen. “In the incidents where I have dealt with ransomware, we haven’t had the
experience that they immediately get hit again,” Rasch says, adding that not
delivering a paid-for decryption tool is something else that rarely if ever
happens.

“They don’t make money if you can’t unlock it,” Rasch says.
“They want to be known as a trustworthy thief. They want four stars on www.hostages-r-us.com.”

The final consideration, the “Should I,” essentially
addresses the aforementioned discussion on comparing the ROI of paying the
ransom versus not paying it. The CISO calculates what it will cost the company
to try and repair the damage itself—factoring in down-time, status of backups,
how long ago the system was impacted—versus paying the ransom. It may be
galling, but a hard calculation will inform the “Should I?” decision. It also
overlaps with the May I factor when it comes to the legality of paying, plus
addresses a host of business and ethical considerations unique to each company.

Legal beagles

On other legal matters, there are the compliance issues
dealing with states and other rules requiring disclosures, and possibly
consumer insurance purchases, when Social Security numbers or other specified
personally identifiable information (PII) is stolen. Given that even a forensic
examination does not always deliver a complete and definitive picture of what
attackers did (especially given the ever-present possibility that the bad guys
manipulated security logs to hide their true tracks), it is hard to know if
data was stolen (copied and exfiltrated) before it was encrypted.

As with almost everything in compliance, each rule depends
on its definitions and phrasing. “One of the triggers is unauthorized access,”
says Tatiana Melnik, a Tampa-based attorney who specializes in cyber issues.
“At the same time, there is a requirement under HIPAA (Health Insurance
Portability and Accountability Act) that requires integrity of the data remains
in place. If someone has encrypted the data, does integrity of the data remain
in place?”

The answer is to do everything your company can to determine
what happened. “If you can, see what the malicious code was intended to do. If
it was merely designed to find information and encrypt it, arguably, it may not
be a breach,” Melnik says—and then make that argument to regulators and hope
for the best.

Dante Disparte, CEO at the Washington, DC-based security
consulting firm Risk Cooperative and a member of the national report entitled
Black Market Ecosystem: Estimating the cost of ownership. “If either a
nameserver or front-end is blocked or taken offline, a new one is automatically
created in its place, allowing the back-end server hosting the criminal
customers’ content to remain online.”

Deloitte noted that companies are quite open, on the dark
web, at least, about the software suites they sell specifically for ransomware
attacks, including whether fees are flat or involve a percentage of ransom
acquired.

There is an advantage that the larger ransomware companies
are so well known. That means that their tactics are well known. Companies,
such as cyber insurance firms, often can identify the company attacking by
looking at the code used. “Is it a variant of some known code? Has it been used
before?” Rasch says.

Sometimes, attackers reuse their decryption tools and even
decryption keys, which creates the slight possibility that victims can find the
decryption items online from a recent victim of the attack rather than from the
attacker.

Another concern is about the attackerprovided decryption
tool. Not whether it will work necessarily, but how well it will work.

“In the last three months we’ve seen the Ryuk strain of
ransomware become very active. It is the fast growing ransomware strain we
see,” says Joshua Motta, CEO of San Francisco-based Coalition, a cyber
insurance company. “More worrisome is that the ransoms for Ryuk are much larger
than other strains of ransomware, totaling between $200K to $700K.”

He adds that “Unlike previous forms of ransomware, including
SamSam and Dharma, Ryuk is extraordinarily difficult to remove. It is also very
difficult to recover from. Even if you pay the ransom, the decryptor provided
by the threat actor doesn’t work well. It does decrypt files, but it frequently
fails making recovering extraordinarily time consuming for the victim.”

Scott Laliberte, managing director and global leader of
cybersecurity and privacy for consulting firm Protiviti of Menlo Park, Calif.,
argues that ransomware is likely to get a lot worse before it, actually, it
will just continue to get worse.

“My thoughts are that we are going to see escalation in
ransomware over the next few years. I think the payload will start moving
beyond just denying access to data to other types of actions that could
threaten harm. For example, attacking healthcare providers to put patient lives
in danger unless ransom is paid, distribution companies’ logistics systems to
prevent them from making shipments, chemical plants, threatening catastrophic
accidents, etc.,” Laliberte says.

Cybercriminals will “look for ways to monetize their attacks [given that] credit report monitoring and credit card tokenization [is making] identity theft and credit card fraud less profitable. Consequently, I believe [cyberthieves] will be upping the stakes. We need to start preparing now for these types of attacks and expanding our view of risk assessment beyond loss of confidential data.” Laliberte says he expects IoT and mobile will be ransomware’s new focus in the near term.

Comments are closed.