Chris Swagler | July 20th, 2022

With planning and awareness, it’s feasible to survive ransomware. Ransomware attacks are frequently mischaracterized, leading people to believe that either defenders entirely prevent the attacks or that threat operators seize total control of their targets’ IT infrastructure. However, the last several years have shown that there’s a wide range of potential outcomes for defenders when dealing with ransomware attacks, some better than others. It’s also easy to assume that all groups in the ransomware business have the same skills, goals, and business models.

The reality is that ransomware groups have a wide spectrum of abilities and various goals and business models, like any other industry vertical. It’s vital to keep in mind that even though REvil and DarkSide are sometimes referred to as “franchise models” that offer ransomware-as-a-service, the franchisees are independent cyber criminals. The franchise provides back-office operations for these freelancers while having little influence on how they operate. Let’s look at each of the factors that can affect an attack’s outcome.

Threat Operator Skill and Persistence

The potential extent of an attack is typically determined by the skill and persistence of the threat operator, the capabilities of the defenders, and some degree of luck:

Threat Operators’ Goal

Groups can also be distinguished by whether they pursue leak-centered or operation-centered goals.

Leak-centered goals involve exfiltrating the targeted organization’s confidential data and threatening to leak it. The most valuable data is often related to customers and employees, because the threat of legal and reputational damage can serve as a strong incentive for ransom payment. The threat of publicly disclosing or selling intellectual property or company secrets may also be used to justify a ransom demand. Sending victims samples of the data to demonstrate the threat operators’ capabilities is generally the playbook for any such attack. It can progress to publishing a data sample widely and contacting victims’ clients to put pressure on the victim to pay the ransom.

Operation-centered goals involve measures that make it difficult for the victim’s company to continue operating. These attacks sometimes target traditional IT systems and other times target OT systems, which are frequently built from legacy technology. Exfiltrating confidential data and publicly leaking or selling it doesn’t occur in this scheme. The DarkSide attack on Colonial Pipeline (which paid a $4.5 million ransom) and the REvil attack on JBS Foods (which paid an $11 million ransom) pursued this goal: the ransoms were paid in an attempt to ensure speedy recovery and the companies’ ability to resume normal operations.

The Degrees of Success

Results from ransomware attacks are constrained by numerous factors. The following are possible outcomes:

With threat operators pursuing both leak-centered and operation-centered goals, and with a ransomware attack able to succeed partially or completely, Managed Service Providers need to stay ahead of the latest threat landscape and regularly keep off-site backups of network data. At SpearTip, our Tabletop Exercises are custom designed to strengthen collaboration among business leaders and promote a common understanding of how leadership teams respond to incidents. The exercises are based on the most current tactics, techniques, and procedures deployed by threat actors and on perceived gaps in companies’ current IR plans. We identify key findings, areas for improvement, and key takeaways related to current policies and procedures to strengthen companies’ ongoing security postures. Our external penetration tests assess companies’ external security controls by simulating attacks from the public internet and identifying vulnerabilities that would allow SpearTip to gain access to companies’ internal environments.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.