Andy Zollo, EMEA regional vice-president at Imperva, discusses the rising threat of ransomware-free extortion attacks on businesses
According to the 2022 UK Cyber Security Breaches Survey, one of the biggest perceived threats to UK organisations is ransomware. Over half (56 per cent) of all respondents said their organisation has a rule not to pay ransom demands, yet the rapid growth of such attacks and their media prominence shows just how lucrative ransomware can be for cyber criminals.
However, carrying out a ransomware attack can be a time-consuming business. It’s not just about gaining access to a system — attackers need to distribute the malware, while making sure that the files they target don’t compromise system stability and alert their victims too soon. Moreover, for such an attack to be successful, they also have to identify and delete any backup or shadow copies of the data. So, although such attacks can be very profitable, the process requires a considerable amount of effort. As a result, hackers are looking at ways to streamline the process, and we’re beginning to see the results in a new wave of extortion attacks — ransom without ransomware.
This is going to Kara-hurt
A recent warning from the FBI detailed the activities of a cyber criminal group called Karakurt, which has demanded up to $13m in ransom from victims. In this respect, Karakurt operates in the same way that many ransomware groups do — except that victims haven’t reported any encryption of compromised machines or files. Instead, Karakurt steals data and threatens to auction it off or release it online unless their demands are met.
Ransom attacks based on data theft rather than encryption are sometimes referred to as multi-faceted extortion, and are set to become commonplace. Not only is the method easier to carry out but, once the criminals have extracted their price, there is no need to go back and forth about encryption keys to unlock the data that’s been taken hostage. The less time and effort required per victim, the more victims a hacker collective can go after, and the higher their overall profits become.
This mirrors other trends in the ransom space, such as Ransom Denial-of-Service (RDoS) attacks, which have also been surging in the last two years. RDoS attacks can often be incredibly short — barely a few minutes — but serve to demonstrate to companies that the attacker is capable of bringing down their network, and will do so for longer periods unless a pre-emptive ransom is paid. Both RDoS and data theft ransom attacks iterate on previous versions to allow hackers to extort money more easily with fewer resources.
Different problems, same solution
The good news is that the best way for companies to combat ‘low effort’ ransom attacks is also the way to address a host of other potential threats — getting to grips with their data. Whether it’s multi-faceted extortion, insider threats, or hackers targeting credit card details, the single most important factor in whether an attack is successful is whether the company has the visibility to spot the problem.
For instance, in order to extract any sort of worthwhile ransom from a business, cyber criminals need to have exfiltrated enough sensitive information to make non-payment too painful an option. Depending on the size of the business, this can take weeks or even months. However, if the target organisation has full visibility over all its data assets and can see that sensitive information, such as customers’ Personally Identifiable Information (PII) or closely guarded IP, is being moved or copied, they can investigate and stop any attackers before enough information is taken to warrant a ransom.
If a cyber security strategy is built around the principle of protecting data — rather than trying to combat threats individually — it’s easy to see how the same tools and approaches simultaneously defend against ransom attacks, while also preventing a disgruntled employee from turning into a major insider threat.
Discover, classify, protect
Unfortunately, it’s a lot easier to talk about ‘data visibility’ than to achieve it. There are numerous factors that need to be addressed to gain full visibility, but the two most important are discovery and classification. Today, businesses store vast amounts of data, spread across multiple repositories, including but not limited to:
- Databases deployed on-premises or in the cloud;
- Big data platforms;
- Collaboration systems;
- Cloud storage services;
- Files such as spreadsheets, PDFs, or emails.
Trying to track every asset across all these locations manually is virtually impossible, especially when assets are frequently used or moved. It’s like trying to count the number of sand grains on a beach while waves constantly rearrange them. So the process has to be automated. Businesses need to be aware of every data asset on their network — whether structured or unstructured — otherwise it’s a perfect target for exfiltration and ransom.
After carrying out comprehensive data discovery, the next stage is classification. Again, manually classifying data isn’t feasible for anyone but the smallest of businesses, so there needs to be an automatic process, categorising information into High, Medium, and Low sensitivity bandings.
There is no single hard and fast rule for how to classify data. But High sensitivity would include things like financial information, or credentials for IT systems; Medium might be supplier contracts, or internal correspondence that doesn’t involve confidential data; and Low would be publicly available information like press releases or marketing material.
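As an added illustration (not from the article or from Imperva), the following Python sketch applies the banding described above to a few constructed sample files; the file contents, keyword lists and the Luhn check used to avoid treating every 16-digit number as a card number are all assumptions, not a description of any product.

```python
import re

# Constructed sample documents, one per band the article describes,
# plus a near-miss that should not be flagged as financial data.
SAMPLE_DOCS = {
    "payroll.csv": "name,card\nA. Smith,4111 1111 1111 1111\n",          # valid card number (Luhn passes)
    "db_config.ini": "[db]\nhost=db01\npassword=Hunter2!\n",               # credential for an IT system
    "supplier_contract.txt": "Agreement between Acme Ltd and the supplier, fee schedule attached.",
    "press_release.md": "# Press release\nFor immediate release: Acme launches a new service.",
    "order_ids.txt": "order 1234 5678 9012 3456\n",                        # 16 digits, Luhn fails
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CRED_RE = re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+")
MEDIUM_KEYWORDS = ("contract", "agreement", "internal", "confidential")
LOW_KEYWORDS = ("press release", "for immediate release", "marketing")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Assign High / Medium / Low following the article's banding; unknown goes to review."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "High"       # financial information
    if CRED_RE.search(text):
        return "High"           # credentials for IT systems
    lowered = text.lower()
    if any(k in lowered for k in MEDIUM_KEYWORDS):
        return "Medium"         # contracts, internal correspondence
    if any(k in lowered for k in LOW_KEYWORDS):
        return "Low"            # public marketing material
    return "Unclassified"       # flagged for manual review rather than guessed


def classify_all(docs: dict) -> dict:
    """Classify every discovered asset by name."""
    return {name: classify(text) for name, text in docs.items()}
```

The "Unclassified" band is deliberate: an automatic classifier should route what it cannot band with confidence to a reviewer instead of silently marking it Low.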
Once all of the data is discovered and classified, it’s far easier to develop robust processes to monitor and protect important information, keeping it out of the hands of would-be extortionists.
Cyber security is a constant battle because new threats are always developing. Ransomware has been the biggest single security topic of the last few years, but already we’re seeing criminals expand their operations and find new ways to extract profit from victims.
It’s impossible to know precisely how these ransom threats will evolve, but at its core, ransom involves attacks on companies’ data. Every cyber security strategy therefore needs to start from a basis of how do we protect the data, because if the data is secure and managed, there’s no ransom to be had.