Ransomware has evolved as the potential victims have taken steps to protect themselves.
Ransomware – One
First there was malware to encrypt your information, then a payment demand for the decryption key. In the days when businesses thought that a backup was a luxury, this was a real money maker for the threat actors. Now (most) organisations have a ransomware resilient backup – just like the one we offer – at the least yours should match up to our solution to give you the best protection.
Ransomware – Two
Because the threat actors had breached your defences to install ransomware onto your system, the next step was to also steal your unencrypted information, before encrypting your copy. Now the gangs could demand two ransoms, one for the encryption key and another not to sell your information onto other hackers or release your information into the public domain.
However some organisations became resistant to this second type of extortion – if the stolen data related to customers or employees, it was thought that maybe it was better to just pay any statutory fines and weather the PR storm over released data. The customers and employees may have been offered a year’s subscription to an identity protection service – the organisation could probably get a discount from the service they chose for bringing so many new clients to the service! This was going to be cheaper than paying the ransom.
“Anyway government agencies tell us not pay the ransoms – so it is not the fault of the board we did not pay.”
NCSC and the ICO say – Don’t pay the malware ransom | Smart Thinking Solutions
They forgot it was their fault there was a breach in the first place!
(My job can make me very cynical sometimes – sorry about that.)
But ransomware evolves…
Ransomware – Three
With organisations finding reasons to not respond to double threat ransomware, the threat actors had to think of something new. That something new was the triple threat aimed directly at those victims whose data was now held by the hackers.
The triple threat is to release a sample of the data in the clear on the internet rather than on the Dark Web, including data about the people directly involved in the data theft. A sample of the victims are then emailed directly – the hackers have their emails of course, they stole them – with a link to their exposed information. (Abrams. 2023)
This motivates the victims to put pressure on the organisation that let the data be stolen in the first place, so that they pay the ransom and stop the leak of personal data.
Meanwhile search engines are indexing this personal information that is in the clear on the web, compounding the issues for the victims.
The pressure on the board to pay the ransom increases if the leaked data relates to employees. There lie issues with duty of care, HR tribunals, court cases and compensation. Now is it cheaper to pay the ransom?
Your takeaway…
Do you have a ransomware plan?
I have a ransomware mini-series here:
Ransomware – A Primer | Smart Thinking Solutions
Make sure you understand the threat and have responded to it. If you do not know where to start, then that is where we come in.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Abrams, L. (2023). Clop now leaks data stolen in moveit attacks on clearweb sites. BleepingComputer. https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/
Further Reading
Ransomware Resilient Back-up | Smart Thinking Solutions
NCSC and the ICO say – Don’t pay the malware ransom | Smart Thinking Solutions
Photo by Sora Shimazaki