Cyber-extortion involves attackers demanding payments rather than just stealing money via the cyber realm. This requires them to have some leverage which could be sensitive data or disruption of services. The most common types of cyber-extortion attacks are therefore ransomware and Distributed Denial of Services (DDoS) as well as taking payment for not disclosing data obtained through hacking.
We have had our share of ransomware and DDoS extortion schemes here in the region, though these are disclosed less often. That said, some notable companies have paid attackers not to disclose data. The case most discussed in the news is Uber, which paid $100,000 under its bug bounty program to a group that managed to exfiltrate driver data; as part of the payment, an agreement was made not to disclose any data from the leak. While DDoS has had its fair share of attention, it is currently hard to counter the argument that ransomware is one of the biggest threats to organizations, and it is only set to grow in scale through 2018. I shall therefore focus on how organizations can address this challenge.
Pay Away Your Problems?
What organizations need to understand is that the type of encryption modern ransomware uses makes it very difficult, if not impossible, to recover data without the encryption key. It is actually this key you pay for when you pay the ransom. You should also know that there is no guarantee that once you have made the payment (usually a Bitcoin transaction) the attackers will actually provide the key; often they may not even have it. In fact, less than 51% of the organizations that pay the ransom actually get their data back.
Let’s Just Back Up
Organizations have been far more successful in recovering data from a backup, so I advise clients that protection begins with good data management practices. I think a basic precaution against ransomware and a good practice in general is to maintain a backup of sensitive data. This backup could be within the data centre, disaster recovery site or even to a cloud platform if you cannot provide the correct infrastructure yourself. There are plenty of solutions that manage and even automate this, and a good backup and recovery solution should be a part of the IT strategy of any large business.
Are You Correctly Managing your Data?
Then there is the categorization and management of data, which helps ensure sensitive information does not get into the wrong hands. Even without ransomware, data exfiltrated from the organization can be used for cyber-extortion. At Help AG, our Cyber Security Consulting division assists organizations in establishing frameworks that govern information throughout its creation, storage, use, sharing, archival and destruction, and thus ensure the confidentiality, integrity and availability of those data assets throughout their lifecycle. Again, encryption keys come into play, but this time the question is how you manage them, rather than how you get them from the attackers. Hand on heart, I believe that too many organizations have no proper strategy for how they encrypt data at rest or in motion, or for the lifecycle management of their encryption keys.
Arm your Employees
Employee awareness and vigilance is also key to combating cyber extortion. Your workforce needs to be mindful of the kinds of emails and attachments they open, and downloads from questionable sources. With ransomware having successfully added mobile devices to the list of targets, users should also be mindful of the apps they download and take precautions such as avoiding third party app stores.
I still believe in the old saying "it all starts with an e-mail", as a lot of malware still starts there. So please try to ensure that your technical controls are effective and that your users are alert and educated.
Solving the Problem with ‘IT’
Of course, cyber security is still an IT function and a large share of the responsibility lies with the IT team. Ransomware is being propagated in new and often highly innovative ways. Both Petya and WannaCry leveraged exploits for which patches were already available, but those patches had not been applied, which allowed the malware to spread. So, in addition to best practices such as regularly issuing and applying patches and limiting user privileges, IT teams need to track and implement the technical advisories put out by vendors once vulnerabilities and new attacks have been discovered. Following our bi-weekly threat advisories is a great way to keep up to date with the latest cyber security threats in the Middle East.
Finally, when all else fails, services such as Managed Security Services (MSS), which deliver 24x7x365 security monitoring, enable organizations to identify attacks in their earliest stages and prevent them from spreading. It is important to understand that your applications, networks and firewalls are talking to you in the form of logs and events; if you are not listening or looking, the business impact may be significant. Since looking for these events is not your core business, maybe you should allow someone who specializes in it to do it for you.
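As an added illustration of what "listening" to those logs can look like (example code written for this page, not code from the article or from Help AG), here is a small ransomware early-warning heuristic run over constructed file-audit events: it flags a process that renames a burst of files to one common new extension within a short window, while a backup agent's bulk writes (same volume, no renames) are left alone. The log format, hostnames, process names and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime
import os

# Constructed sample file-audit log (not real telemetry): "<ISO time> <host> <process> <action> <path> [<new_path>]"
SAMPLE_LOG = """\
2018-01-15T09:00:01 FS01 winword.exe WRITE /srv/share/q4/report.docx
2018-01-15T22:00:00 FS01 bkpagent WRITE /srv/backup/q4/report.docx
2018-01-15T22:00:01 FS01 bkpagent WRITE /srv/backup/q4/old.xlsx
2018-01-15T22:00:02 FS01 bkpagent WRITE /srv/backup/hr/list.docx
2018-01-15T22:00:03 FS01 bkpagent WRITE /srv/backup/hr/pay.xlsx
2018-01-16T10:14:01 WS07 update.exe RENAME /srv/share/q4/report.docx /srv/share/q4/report.docx.locked
2018-01-16T10:14:02 WS07 update.exe RENAME /srv/share/q4/old.xlsx /srv/share/q4/old.xlsx.locked
2018-01-16T10:14:02 WS07 update.exe RENAME /srv/share/hr/list.docx /srv/share/hr/list.docx.locked
2018-01-16T10:14:03 WS07 update.exe RENAME /srv/share/hr/pay.xlsx /srv/share/hr/pay.xlsx.locked
2018-01-16T10:14:05 WS07 update.exe RENAME /srv/share/fin/ledger.xlsx /srv/share/fin/ledger.xlsx.locked
"""

def parse(log):
    """Parse log lines into (time, host, process, action, [path, new_path?]) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, proc, action, *paths = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, action, paths))
    return events

def detect(events, window=60, min_files=4, min_ratio=0.5):
    """Alert once per (host, process) that touches >= min_files distinct files within
    `window` seconds and renames at least min_ratio of them to one common new extension."""
    alerts, seen, by_actor = [], set(), defaultdict(list)
    for ev in sorted(events):
        by_actor[(ev[1], ev[2])].append(ev)
    for actor, evs in by_actor.items():
        win = deque()  # sliding window of this actor's recent events
        for ev in evs:
            win.append(ev)
            while (ev[0] - win[0][0]).total_seconds() > window:
                win.popleft()
            files = {e[4][0] for e in win}  # distinct source paths touched in the window
            exts = [os.path.splitext(e[4][1])[1] for e in win if e[3] == "RENAME"]
            if len(files) < min_files or not exts or actor in seen:
                continue  # too few files, or bulk writes with no renames (e.g. a backup job)
            top = max(set(exts), key=exts.count)
            if exts.count(top) / len(files) >= min_ratio:
                seen.add(actor)
                alerts.append({"host": actor[0], "process": actor[1], "files": len(files),
                               "extension": top, "first_seen": win[0][0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Thresholds like `min_files` and `window` need tuning per environment; the point is that the signal is visible in ordinary file-audit logs within seconds of the first encrypted file, long before the whole share is gone.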
Nicolai Solling, CTO at Help AG