In a recent article on the SolCyber blog, we covered an interesting development in the anti-ransomware scene.
This change wasn’t yet another cybersecurity product you were expected to buy, install, and learn to use, but a regulatory change introduced in Australia.
The Australian government stopped short of banning ransomware blackmail payoffs outright, a dramatic approach that some people claim would neutralize ransomware-based cybercrime entirely, but that others remain skeptical of.
As we suggested in the TALES FROM THE SOC podcast:
PAUL DUCKLIN. [D]o you think that banning ransomware payments would actually help by forcing people to take better precautions so they don’t get hit in the first place? Or will it just drive the whole thing underground?
DAVID EMERSON. I’m actually conflicted on that. I believe that we should probably not ban ransomware payments. I believe we should require their disclosure.
PAUL DUCKLIN. I think I’m with you on that. I think that’s a good way to do it. After all, it’s easy to say, “How dare you pay” when you’re not the person whose business is looking down the barrel of the gun from the wrong end.
The Australian regulators seem to agree with us, because their new rules don’t block payments altogether, but they do require any company with an annual turnover of AU$3m or more (about US$2m) to disclose within 72 hours any deal done with cybercriminal blackmailers.
Even if no money (or cryptocurrency) changed hands; even if the “payment” was outsourced to negotiators in a different country; even if no files were scrambled…
…any situation in which companies agree to provide any sort of benefit to anyone trying to squeeze money out of them on the back of a cyberattack must report what happened.
As we wrote in our report:
[S]tolen data can never be considered safe from disclosure.
After all, if your data was stolen by criminals for the very purpose of blackmailing you into paying hush money, what possible reason could you have to trust those same extortionists to be “honest” for ever after?
What reason indeed?
A new report from cybersecurity researchers at Trellix provides a vital reminder of just how unreliable ransomware groups can be.
The report digs into the infamous LockBit ransomware gang, which consists of a core “operations team” (if you will pardon such an upbeat name for a bunch of manipulative cyber-extortionists) plus a raft of largely anonymous “affiliates” (the term chosen by the ransomware gangs themselves to wrap their activities in mainstream business terminology).
The core operators deal with creating any necessary malware, and with collecting the cryptocoin payments; their numerous affiliates deal with the network attacks and carry out the data breaches and file scrambling activities that generate extortion leverage for the group.
Victims are typically blackmailed in two ways: they are asked to pay for a positive outcome, namely a decryption tool to unscramble their files, and to pay for a negative one, namely a promise that the stolen data will never be leaked or sold.
Paying for a positive outcome is risky enough, even if the ransomware programmers seem to know what they’re doing and are reported to have provided working decryption tools to previous victims.
Even well-known software producers such as Microsoft, with hundreds of millions of customers and an extensive program of beta-testing updates before they are released to everyone, regularly ship patches that cause problems for some users and require frantic work to produce patches-for-the-patches.
Unsurprisingly, ransomware criminals aren’t always willing or able to live up to their promises either.
In 2021, for example, US oil pipeline company Colonial Pipeline suffered such serious disruption after a ransomware attack that senior management eventually caved in to the blackmailers.
They paid more than US$4m for the decryption tools that the attackers insisted would “reverse” the attack, only to find that although the decryption software worked, it was so slow as to be useless for network-wide recovery.
And paying for the crooks not to do something, now and forever, is an even bigger gamble.
After all, it’s not enough just to “trust” the criminals at the heart of the ransomware gang concerned, because you also need to “trust” all the individuals from the affiliate group who carried out the network breach not to have kept their own copies of the data they stole.
You also have to assume that no one involved in the criminal operation suffered a breach or a lapse in operational security at any point in the attack or its aftermath.
For example, if they stashed the stolen data in a cloud upload service, did they choose a strong password, and how many people did they share the password with?
If they used an exploitable network security hole to exfiltrate the data, did the data travel across the internet insecurely, where other criminals could have intercepted it?
If they bought in access credentials such as passwords or authentication tokens from other cybercriminals (known in the trade as initial access brokers), did they sell those credentials on to other attackers to use as well?
As you have probably guessed already, Trellix’s investigation revealed an unsurprising mix of intransigence and incompetence from the LockBit ransomware “operation”:
Remember that cybersecurity prevention is always better than cure, not least because stolen data can never be considered safe from disclosure.
Find out more about how SolCyber can take care of cybersecurity for you, so you don’t fall into the clutches of cybercriminals in the first place.
Why wait for an attack to start taking security seriously?
Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of warning plates by Pop & Zebra via Unsplash.