Everyone is familiar with the machinations of the criminal moneymaking scheme that is ransomware. We have much less visibility into and understanding of what happens “after” the attack, however, which has become cyberthieves’ main business.
Today, the attackers don't just infiltrate machines. They analyze all the documents they copied from you—your stolen documents. Ransomware is not only the encryption of information; it is access that allows everything. The attackers have become masters of your machine and they are going to blackmail you.
There exists a clear marketing mindset to the malevolence that they have set up:
- The first attack is the hostage taking of machines and files by encryption. They ask you to pay for the decryption of the documents taken hostage.
- The second attack is the threat from the hackers to disclose your information in order to alert the authorities. With the possibility of serious fines from regulations such as GDPR for the nondisclosure of attacks, this second attack has proved to be more and more common.
- The third attack is the auctioning of the data stolen from the companies that have not paid for the first two blackmail attempts.
The Auctioning of Stolen Data
Understand that everything is for sale: logins, passwords, identifiers, and basically all the data they can collect. The attackers make samples—a little bit like at your favorite perfumer's—and they contact all potentially interested parties. A deposit will then allow you to participate in this eBay-style online auction.
Partnerships now exist between ransomware operators to take advantage of this stolen data when ransoms are not paid. Operators can download and leverage this wider pool of data to help improve their own operations.
Rentals and Royalties through RaaS
It’s not only the operators of the ransomware themselves who can launch an attack. A few months into the ransomware’s life, the business model may switch to ransomware-as-a-service (RaaS). Recruitment is simple. You pay a rate ranging from $10 to several hundreds or thousands of dollars. Even if you know absolutely nothing about it, there are tools that will unfortunately allow you to harm everyone. You can infiltrate, copy, encrypt, send the message, and negotiate.
Royalties can also be collected by the RaaS operator, ranging from 30% to 70% of the amount raised from the ransomware. In the case of a large New York law firm, for instance, ransomware attackers asked for $40 million—30% of that kind of payout can be a real motivator for the original operator to share their tools! Some RaaS operators even create promotional videos to sell you their little “toys.” This and the many add-on options that you can rent give you a view into the marketing mindset of these operators.
MSPs’ Important Role
It’s clear we are dealing with increasingly organized networks. What’s more, ransomware technology is becoming accessible to everyone, including employees who might want to take revenge on an organization. All of this effectively makes small and medium-size businesses extremely easy targets because they’re not prepared.
Managed service providers have a really important role to play in protecting their SMB clients. They also have a heavy responsibility because they hold the keys to their customers' information systems.
Key preventative and proactive measures are needed to provide additional layers of defense against ransomware. Two-factor authentication coupled with contextual access controls and logon monitoring will help detect suspicious behavior and put a stop to it before a data breach occurs.
No one today can honestly guarantee 100% security. That said, you have to be organized beforehand and ready for the day that this kind of disaster happens.
FRANÇOIS AMIGORENA is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within. Its customers include the FBI, the U.S. Air Force, the United Nations, and Barclays.