Today we have all unfortunately heard about this type of criminal moneymaking scheme. We know, more or less, how to catch it and what happens during a ransomware attack, but we have much less visibility on the ‘after’.
It is only by understanding what happens ‘after’ that we quickly realize how far from negligible the danger is. It makes perfectly clear why we need to be checking, controlling and analyzing the slightest access to our machines, our servers and our employees.
The Main Business is After the Attack
The first thing you should know is that during the attack, while they encrypt your files and attack your machine, the perpetrators continue their work, because in more and more cases their main business comes after the attack.
Today the attackers don’t just infiltrate machines. They analyze all the documents they copied from you, your stolen documents. Ransomware is not only the encryption of information; it is the access that then allows everything else. They have become masters of your machine and they are going to blackmail you.
There is a clear marketing mindset behind the malevolence they have set up:
- The first attack is the hostage-taking of machines and files by encryption. They ask you to pay for the decryption of the documents taken hostage.
- The second attack is the hackers’ threat to disclose your information and thereby alert the authorities. With the possibility of serious fines under regulations such as GDPR for the non-disclosure of attacks, this second attack has become more and more common.
- The third attack is the auctioning of the data stolen from companies that have not paid after the first two blackmail attempts.
The Auctioning of Stolen Data
Understand that everything is for sale: logins and passwords, identifiers, all the data they can collect. They offer samples, a little like your favorite perfumer does, and they contact all potentially interested parties. A deposit then allows a buyer to participate in this eBay-style online auction.
Partnerships now exist between ransomware operators to take advantage of this stolen data when ransoms are not paid. Operators can download and leverage this wider pool of data to improve their own operations.
Some of the files distributed are, however, booby-trapped. Cybersecurity companies that believe they are doing cyber intelligence by downloading these files end up compromising, for a second time, the very company they were supposed to help.
Rentals and Royalties through RaaS
It’s not only the ransomware operators themselves who can launch an attack. A few months into a ransomware’s life, the business model may switch to Ransomware-as-a-Service (RaaS). Recruitment is simple: you pay a rate ranging from 10 dollars to several hundred or thousands of dollars. You can know absolutely nothing about it, yet you get a couple of tools that unfortunately allow you to harm everyone. You can infiltrate, copy, encrypt, send the message and negotiate.
Royalties can also be collected. The share of any successful attack taken by the one who rents to you ranges from 70% down to as low as 30%. This means that the one who infiltrates your computer or server may receive 70% of the amount that could be raised. When we see some who go so far as to ask for 40 million dollars, as was the case with a large New York law firm, 30% of 40 million dollars can be very interesting for the original operator and a real motivation to share their tools! There is also a promotional video that the hackers created to sell you their little ‘toys’. This, and the many add-on options you can rent, gives you a view into the marketing mindset of these operators.
MSPs have an important role to play to help protect against ransomware
We see from this that we are dealing with increasingly organized networks. What’s more, it’s a technology that is becoming accessible to everyone, including employees who might want to take revenge on an organization. All of this makes small and medium-sized businesses (SMBs) extremely easy targets, because they’re not prepared.
Managed Service Providers (MSPs) have a really important role to play in protecting their SMB clients. They have a heavy responsibility because they hold the keys to their customers’ information systems.
No one today can honestly guarantee 100% security. You have to be organized beforehand and ready for the day this kind of disaster happens. What do we have to do? What should we especially not do? Comprehensive disaster recovery and business continuity solutions help.
Key preventative and proactive measures are also needed to provide additional layers of defense against ransomware.
- Vulnerability Protection – Known vulnerabilities are a prime target. Ensuring operating systems and applications are patched is critical. Sure, this may seem rudimentary, but the reality is that even in environments believed to be completely patched, vulnerabilities still exist, giving attackers an entrance to your network.
- Threat Protection – Should an attacker get in, you need a way to stop them before they can do anything truly malicious. AV, endpoint protection and application whitelisting are just a few types of security solutions that can neutralize a threat the moment it rears its ugly head.
- Environment Protection – Attacks can’t succeed without first logging onto the system containing the data of value. Two-factor authentication coupled with contextual access controls and logon monitoring will help stop the misuse of credentials, well before an actual breach occurs.
- Data Protection – You need to assume the bad guys can get past the first three layers. If they do, you need a way to keep tabs on the data you consider worth stealing. This means using file-level or application-based auditing of access to identify improper access and notify IT the moment it starts.
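The last two layers above, contextual logon monitoring and file-level access auditing, are the ones an MSP can turn into concrete detection logic. The following is an added example written for this page, not tooling from the article or any vendor: it parses a constructed, pipe-delimited audit feed (timestamp, user, host, action, path), flags logons from a host the user has never used or outside business hours, and flags a user who touches an unusually large number of distinct files within a short window, which is the access pattern a bulk copy or encryption run produces. The event format, the baseline of known hosts, the business-hours range and the burst thresholds are all assumptions chosen for illustration.

```python
"""Added example: contextual logon checks plus a file-access burst detector
run over constructed audit events. Not the article's or any product's code;
the event format, baselines and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, time

# Assumed baseline: hosts each user normally logs on from (constructed).
KNOWN_HOSTS = {
    "alice": {"WS-ALICE"},
    "svc_backup": {"SRV-BACKUP01"},
}
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumption: 07:00-20:00 local
BURST_FILES = 20      # distinct files touched ...
BURST_WINDOW = 60     # ... within this many seconds triggers an alert


def parse_event(line):
    """Parse 'ISO-timestamp|user|host|action|path' (constructed format)."""
    ts, user, host, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path}


def check_logon(ev):
    """Contextual logon checks: unknown source host, off-hours logon."""
    alerts = []
    if ev["host"] not in KNOWN_HOSTS.get(ev["user"], set()):
        alerts.append(("unknown_host", ev["user"], ev["host"]))
    t = ev["ts"].time()
    if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
        alerts.append(("off_hours_logon", ev["user"], ev["ts"].isoformat()))
    return alerts


class BurstDetector:
    """Alerts once per user when more than BURST_FILES distinct files are
    read or written inside a sliding BURST_WINDOW-second window."""

    def __init__(self):
        self.recent = defaultdict(deque)   # user -> deque of (ts, path)
        self.fired = set()                 # users already alerted on

    def observe(self, ev):
        q = self.recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have aged out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > BURST_WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > BURST_FILES and ev["user"] not in self.fired:
            self.fired.add(ev["user"])
            return [("file_access_burst", ev["user"], len(distinct))]
        return []


def analyze(lines):
    """Run both checks over an iterable of audit lines; return alerts in order."""
    det = BurstDetector()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "logon":
            alerts.extend(check_logon(ev))
        elif ev["action"] in ("read", "write"):
            alerts.extend(det.observe(ev))
    return alerts


# Constructed sample feed: a normal daytime logon and one file read, then a
# 02:00 logon from a host alice has never used, followed by 25 rapid writes
# across a finance share.
SAMPLE_EVENTS = (
    ["2024-01-15T09:00:00|alice|WS-ALICE|logon|-",
     "2024-01-15T09:05:00|alice|WS-ALICE|read|/shares/finance/q1.xlsx",
     "2024-01-16T02:00:00|alice|WS-UNKNOWN|logon|-"]
    + [f"2024-01-16T02:00:{i:02d}|alice|WS-UNKNOWN|write|/shares/finance/doc{i}.docx"
       for i in range(25)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample feed the first logon produces nothing, the second produces an unknown-host alert and an off-hours alert before any file is touched, and the burst detector fires at the 21st distinct file, well before the sweep finishes. In a real deployment the baseline of known hosts would come from historical logon data rather than a hard-coded dictionary, and the alerts would go to the MSP's ticketing or SIEM rather than stdout.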