Consider, “Who’s Behind The Keyboard?”
Attribution matters when you may unknowingly be funding terrorism or a foreign intelligence apparatus. In matters of digital extortion, it’s almost never clear who the beneficiary of a transaction is. While digital extortion has been exploding in growth for years (everything from the volume of attacks to the magnitude of the payments), the risk associated with paying cybercriminals is often not discussed, and most people do not want to know. However, ignorance is not an excuse when the stakes are high, the risks could have been avoided, and the consequences could be devastating.
Ransomware makes sense… makes money
Trust the math. When encryption is done right, it works.
Math is hard and encryption works. In almost every circumstance, you’ll have an easier time chewing off your fingers than breaking properly implemented encryption, which is why many victims of ransomware find themselves in the predicament – “Should I pay or should I go?”
In Q3 of 2022, 82% of ransomware victims who paid acknowledged that they did not have sufficient backups to recover. While the objectives of settling with the threat actor varied from case to case, it doesn’t change the fact that recovery was the primary factor in almost all intrusions involving ransomware. Data-theft aside, ransomware is an attack on availability, and when encryption is weaponized it provides the means to do just that. Whoever is holding the key maintains the leverage. “Oh you want that, do ya? Well, it’ll cost ya!”
Double Extortion… sometimes makes money
In late 2019, Maze ransomware operators introduced a new concept, which netted them millions of dollars in ransom payments. Not only did they encrypt, but they exfiltrated data from victim networks and used the trove of stolen data as another point of leverage – an attack on confidentiality. By threatening to shame victims, or to sell or weaponize victim data, these operators have tipped the odds of being paid in their favor. It also serves as a form of redundancy for the effort they’ve invested into an intrusion. In the event that their target can recover from the ransomware, the target cannot recover stolen data once it’s out of their control.
Since the inception of double extortion, the business model has exploded in popularity. However, in 2022, there has been a sharp increase in the number of cases that leave ransomware out of the equation – focused solely on data theft and leveraging disclosure to extort victims. Along with the rise in these attacks, the sentiment towards paying has shifted dramatically. Although not desirable, victims of these attacks are electing not to pay, as there is no clear impact on business operations and customers are becoming desensitized to having their data compromised.
Ransomware doesn’t encrypt networks. People with ransomware encrypt networks.
Attribution based on tooling alone is almost pointless. There are instances where an adversary will utilize proprietary capabilities, which indicate strong attribution, but attributing an artifact such as a ransomware executable back to a RaaS is weak – that’s like saying every stabbing in America must have been committed by a knife manufacturer. Get the irony?
Human Operated Ransomware… HUMAN.
“LockBit is malware. You are not negotiating against and paying malware.”
RaaS (Ransomware-as-a-Service) is an affiliate business model that operates similarly to a franchise. The affiliated members of the RaaS leverage the capabilities of that RaaS offering, which are available to all affiliated members. The business arrangement routes the majority of the extortion payment to the affiliate and a smaller portion of the payment to the RaaS. The problem here is that the affiliate, which generally consists of a team of individuals, may be a designated entity even though the RaaS is not. In June of this year, renowned cybersecurity firm Mandiant attributed UNC2165 to the LockBit RaaS. UNC2165 is Evil Corp. Now, LockBit has around 100 active affiliates, Evil Corp being one of many. Keep in mind that an affiliate is just the account holder of the RaaS partnership and that there is generally a small team attributed to each affiliated partner.
Consider the above the problem statement. Now consider being encrypted by LockBit ransomware. Should I pay? Or should I know?
Attribution is Taboo
If you wind the clocks back several years, one could make a solid argument for “it doesn’t matter who did it,” but digital extortion is up close and personal and it is relevant TODAY. Cybercriminals aren’t asking for MoneyPak gift cards anymore. They’re asking for thousands, and in some cases millions, of dollars in irrecoverable cryptocurrency, which is then laundered and occasionally traverses infrastructure that is the property of a sanctioned entity, such as an exchange.
ATTRIBUTION IS TABOO and it is far from perfect, but knowledge is power. Making informed decisions rather than emotional decisions is how organizations survive the impact of these attacks. Of course, we’d rather you invest that money in your security program, where the impact is positive, than pay a bunch of crooks, but every situation is different.
Know Your Keymaster
Should you find yourself making a payment (which many organizations do), you now expose yourself to risk. Actually, anyone involved in that transaction is exposed to risk! The United States and governments around the world use economic sanctions as a measure to achieve specific goals, which are usually related to preventing bad people from doing really bad things – terrorism, human rights violations, nuclear weapons development, etc. Even cybercriminals have been designated on various sanctions lists; most notably, Evil Corp for their affiliation with Russia’s FSB (Federal Security Service), and Lazarus, which is backed by the North Korean government. Both groups and some of their members have been added to the SDN (Specially Designated Nationals) list by the US Treasury’s Office of Foreign Assets Control (OFAC).
Herein lies the problem – How do you know that the person behind the keyboard is designated?
Lay it all out…
Consider your settlement objectives. In our opinion, restoring operations is really the only objective that should drive a decision to pay someone undeserving of your money, but that decision is not ours to make. You really need to understand the facts of what the threat actor is offering when you are preparing to make a payment.
- The deletion of stolen data – Deletion logs from a local filesystem don’t account for all of the infrastructure your stolen data has resided on. They also don’t account for local copies that a threat actor could be stashing for a rainy day.
- Not selling stolen data – There is no way to verify this.
- Never attacking you again – The most honest threat actors will tell you that they won’t attack you again, but they cannot guarantee that another affiliate won’t.
- Getting it wrong – Paying the wrong person could have consequences for everyone involved: carriers, counsel, victims, payment services, etc.