In a recent SolCyber podcast, I asked co-host David Emerson a rhetorical question about just how far ransomware victims should be inclined to trust their attackers when it comes to paying over blackmail money:
DUCK. Sometimes, when you pay for the positive outcome, namely a decryptor or a decryption key, it might not work properly or even at all, [and] sometimes when you pay hush money, the silence that you pay for is not guaranteed.
What do you make of that?
As deadpan as you like, David replied with:
DAVID. I’m shocked that criminals are not reliable.
In the podcast, both of us ended up laughing out loud, given that I’d walked myself straight into such a blunt and obvious reply, but in real life, the problem of ransomware payments is no laughing matter.
As soon as you countenance the idea of paying at all, whether you’re paying extortion money to get your business running again, or blackmail to suppress the truth that you just suffered a breach, or both, you’re into the murky world of criminal “negotiation,” typically with an unknown set of anonymous attackers with an unclear set of motives.
Most ransomware criminals are in it for the money, but some of them may be state sponsored as well, or at least state tolerated, provided that some unknown set of “rules” are followed.
For example, evidence suggests that countries such as North Korea actively support ransomware attacks not only because they are a rich source of stolen corporate data, but also because they provide a pseudo-anonymous source of state revenue despite the financial isolation of sanctions.
Yet more confoundingly, many if not most active ransomware gangs these days operate what is effectively a franchise system, or an “affiliate network” of cybercriminals.
A few core criminals code any necessary malware (such as data scrambling and unscrambling tools based on hard-to-crack cryptography), handle negotiations and cryptocurrency payments, and even operate online “helplines” to ensure that victims who have decided to pay up don’t get hung up on technical issues such as how to buy and transfer Bitcoins.
These core criminals generally don’t get actively involved in attacking, plundering, and encrypting entire networks.
Early ransomware gangs did follow the “do it yourself” model, such as the infamous CryptoLocker crew, which went after victims one at a time, using broad-brush phishing attacks based on ever-changing malware samples, and blackmailing individuals for roughly $300 each.
But that model soon morphed into the affiliate system seen today, where would-be network attackers sign up online and can earn up to 70% of the blackmail payments coughed up by their victims, based on a ransomware playbook written by the core criminals.
The affiliates in this system are therefore motivated not to aim for $300 each from thousands of disparate victims, but instead to focus on breaching and derailing entire organizations in concentrated attacks, and to aim for much more dramatic payoffs, such as $300,000 a time or even more.
For all that the core crooks may end up handing their affiliates 70% of the total blackmail money from each victim, they nevertheless take 30% from every attack, stay one step further away from anyone trying to trace the actual attackers in each incident, and have much stronger blackmail leverage in each attack if an entire organization is disrupted at the same time.
As we also know, and unlike early ransomware criminals, today’s affiliates typically steal an organization’s trophy data, notably including vital personal data belonging to employees and customers, as well as scrambling as much of its operational data as possible.
This gives the attackers the two-pronged blackmail leverage we mentioned above: pay for the positive outcome of “unlocking” your corporate data to get your business running again, and also pay for the negative outcome of not having your stolen data sold on to other crooks, trumpeted to the media, sent to the regulators, leaked to class action lawyers, or worse.
And some notorious ransomware gangs have tens, hundreds or even thousands of active affiliates at the same time, so even at a 30% or lower “affiliate fee,” their total takings may ultimately be orders of magnitude higher than the amounts made back in 2013 by $300-a-time crime gangs such as CryptoLocker.
Clearly, paying up is always going to be a huge gamble, and is, in any case, just the beginning of your post-attack costs.
If you don’t have a viable backup, for example, you may feel compelled to pay up just to have some hope of recovering your mission-critical files and databases.
But the decryption program you get back from the criminals, if it works at all, won’t run itself, so you’re still stuck with the task of testing, deploying and using it.
You still need to find how the attackers got in, ensure you’ve really kicked them out, check that they haven’t left any holes open so that they (or someone else) can come back later, and more.
In many parts of the world, you may need to contact the regulators anyway, due to data breach regulations, or, in Australia, to comply with new rules that require any cyberblackmail payoff to be reported, whether files were stolen and scrambled or not.
And, given that many if not most ransomware attacks cause large-scale disruption that’s obvious to the world at large, you’ll probably end up facing probes from the media and disquiet from customers anyway.
Perhaps you’re still not convinced, as David Emerson puts it, that:
[Payment should be] your final option, and a final option behind numerous other options, not just the second thing you do when you’ve failed to have hygiene at the most basic standard.
If so, take note of news from last week that the US Department of Justice (DOJ) is currently investigating a former employee of a Chicago-based company that specializes, in its own words, in “cybersecurity consulting [and] secure cryptocurrency payment solutions.”
We say former employee because that person was apparently fired when allegations surfaced that they had been taking kickbacks from ransomware attackers, seemingly amounting to their own cut of the final ransom negotiated.
If you think that sounds dangerously like a prosecution (or defense) witness in a criminal trial taking money from the defense (or the prosecution) in return for disregarding their oath to tell the truth, and telling concocted stories instead, you’d be quite right.
This isn’t the first time that ransomware “recovery experts” have hit the news for the wrong reasons.
In 2019, ProPublica openly alleged that a data recovery company that claimed to use the “latest technology” to get back data for victims of ransomware attacks, a claim that strongly implied it would crack the encryption unilaterally without negotiating with the criminals, was simply paying up on the quiet, allegedly shielding the payments through many intermediate levels of Bitcoin “mixing.”
In other words, ransomware victims that naively thought they were doing the right thing, and paying local IT experts to get them back on their feet independently instead of paying off far-flung criminals and thus funding further criminality, were ultimately paying blackmail money to their assailants anyway.
In that story, the payments went to a prolific ransomware gang based in Iran, subsequently outed by the FBI and sanctioned by the US authorities, thus making payments – or at least direct payments from the US – unlawful.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!