With planning and awareness, it’s feasible to survive ransomware. Ransomware attacks are frequently mischaracterized, leading people to believe that either defenders entirely prevent the attacks or that threat operators seize total control of their targets’ IT infrastructure. However, the last several years have shown that there’s a wide range of potential outcomes for defenders dealing with ransomware attacks, some better than others. It’s also easy to assume that all groups in the ransomware business have the same skills, goals, and business models.
The reality is that ransomware groups have a wide spectrum of abilities and various goals and business models, like any other industry vertical. It’s vital to keep in mind that even though REvil and DarkSide are sometimes referred to as “franchise models” that offer ransomware-as-a-service, the franchisees are independent cyber criminals. The franchise provides back-office operations for these freelancers while having little influence on how they operate. Let’s look at each of the factors that can affect an attack’s outcome.
Threat Operator Skill and Persistence
The potential extent of an attack is typically determined by the skills of both the threat operator and the defenders, along with some luck factors:
- Low Skills – While some threat operators may be proficient at targeting companies with poor security practices, they frequently run into trouble when attacking companies with strong defenses.
- Wrong Skills – Threat operators with the skills and tools to target traditional data centers will have difficulty breaching targets that shifted everything to the cloud.
- Bad Luck – Companies that are locked down may still have a brief window of exposure, which a threat operator can stumble across.
- Good Luck – Companies with persistent openings, such as open RDP access to the outside in an AWS enclave, may experience a streak of good luck in which no threat operator happens to encounter it.
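As an added illustration of the persistent opening named in the last item (this is not code from the original post or from SpearTip), the following Python reviews security group ingress rules in the shape returned by the EC2 DescribeSecurityGroups API and flags any rule that exposes TCP/3389 to 0.0.0.0/0 or ::/0. The group IDs and rules are constructed sample data; the check also covers the less obvious cases of a wide port range that happens to include 3389 and an all-traffic (-1) rule.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample shaped like the SecurityGroups list returned by the
# EC2 DescribeSecurityGroups API (not captured from a real account).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c9d8e7f", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-01234567", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
]

def _is_wildcard(cidr):
    """True when the CIDR admits the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _covers_rdp(perm):
    """True when an ingress permission reaches TCP/3389.
    IpProtocol "-1" means all protocols and ports, so it has no port keys."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)

def find_open_rdp(security_groups):
    """Return (GroupId, CIDR) pairs that expose RDP to the whole internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_wildcard(cidr):
                    findings.append((sg["GroupId"], cidr))
    return findings
```

Against live data, the same function can be fed the "SecurityGroups" list from the API response; the group allowing only 10.20.0.0/16 is deliberately not reported, since a narrow allow-list is not an open door.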
Threat Operators’ Goal
Groups also differ in whether they pursue leak-centered or operation-centered goals.
Leak-centered goals can include exfiltrating the targeted organization’s confidential data and threatening to leak it. The most valuable data is often related to customers and employees, because the threat of legal and reputational damage can serve as a strong incentive for ransom payment. The threat of publicly disclosing or selling intellectual property or company secrets can also be used to justify a ransom payment. Sending victims samples of the data to demonstrate the threat operators’ capabilities is generally the playbook for any such attack. It can progress to publicizing a data sample and contacting victims’ clients to put pressure on them to pay the ransom.
Operation-centered goals can include measures that make it difficult for victims’ companies to continue operating. The attacks sometimes target traditional IT systems and other times target OT systems, which are frequently built from legacy technology. Exfiltrating confidential data and publicly leaking or selling it doesn’t occur in this scheme. The DarkSide attack on the Colonial Pipeline (paid $4.5 million ransom) and the REvil attack on JBS Foods (paid $11 million in ransom) targeted this goal: the ransoms were paid in an attempt to ensure speedy recovery and the companies’ ability to resume normal operations.
The Degrees of Success
Results from ransomware attacks are constrained by numerous factors. The following are possible outcomes:
- Threat operators give up after making insufficient progress against targeted companies. This can result from the attack’s perceived level of difficulty, or because the threat operators are simultaneously pursuing other targets that appear more promising (consider the opportunity cost). In neither case is a ransom demanded.
- Threat operators are successful up to a certain point and believe they have enough leverage to demand a ransom, but the ransom is ultimately not paid. In these situations there may be some operational impact or reputational damage, but ultimately the company survives with a renewed dedication to cyber security.
- Threat operators are successful up to a certain point and victims decide to pay the ransom because it’s less expensive than the cost of the recovery effort. Whether victims hold cyber insurance policies that provide ransomware coverage may also influence that decision.
- By gaining access to valuable data, threat operators effectively prevent victim companies from operating their businesses. In this situation, the victim companies may pay the ransom and quickly restore operations. If victims refuse to pay, they may end up rebuilding their IT infrastructure.
With threat operators pursuing both leak-centered and operation-centered goals and achieving partial or complete success in their ransomware attacks, Managed Service Providers need to stay ahead of the latest threat landscape and regularly keep network data backups off-site. At SpearTip, our Tabletop Exercises are custom designed to strengthen collaboration among business leaders and promote a common understanding of how leadership teams respond to incidents. The exercises are based on the most current tactics, techniques, and procedures deployed by threat actors and on perceived gaps in companies’ current IR plans. We identify key findings, areas for improvement, and key takeaways related to current policies and procedures to strengthen companies’ ongoing security postures. Our external penetration tests assess companies’ external security controls by simulating attacks from the public internet and identifying vulnerabilities that would allow SpearTip to gain access to companies’ internal environments.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.