2020 and 2021 have seen some pretty epic ransoms being paid by companies that at one point in time you would have assumed would never pay. Ransomware groups have undertaken a rebranding of sorts. their ransomware business model is pretty well tuned and their communications with their victim has changed from the “gun pointed at their head” tactic to a more “we are your business partner and are here to help” theme.
The US Congress released a memorandum on ransomware groups which makes for interesting reading. I will summarise most of the findings in this article too.
Three of the most “noteworthy” ransomware attacks in 2021 were CNA (a US insurer), Colonial Pipeline and JBS (a food manufacturer). These were the three attacks that the US congress memo focuses in on too primarily because of the impact, the scale of the ransoms paid and the different groups that were cited as the attackers.
All three companies were hit with ransomware. In all 3 cases it was small security lapses that led to the breaches. All 3 paid the ransom. All 3 got “discounts” on the ransom they paid. All 3 got what was promised to them after paying (with one small exception, JBS never saw the proof the data was deleted but the other promises were carried through).
The table below compares the attacks for you.
|Company||When||Ransom paid||Alleged attacker group||Way in||Impact|
|CNA||March 21||$40 m||“Phoenix”||Convinced an employee to accept a fake web browser update||Everything encrypted and a LOT of data exfiltrated|
|Colonial Pipeline||May 21||$4.4m||“DarkSide”||Single stolen password linked to an old user profile||Entire pipeline had to be shut down for 5 days before it could be gradually reopened|
|JBS Foods||June 21||$11m||“REvil”||Attackers gained access to an old admin account with a weak password that should have been deactivated but wasn’t||Plants had to be shut down and production halted|
What is far more interesting than these “Cold Facts” is the way that the attackers, both in these cases and more broadly, have attempted to “re-branded” in such a way that they can effectively apply more pressure to pay the ransom.
The ransomware business model, like any business model, is primarily financially driven – seeking that not so elusive return on investment becomes the primary, if not only, priority for these groups.
The three most popular tactics for ensuring the pressure to pay is firmly and increasingly applied to the victim are:
- Increasing the ransom demands over time. Not a particularly new tactic in itself, but on that is highly effective. Firstly, it conjures up a “fear of loss” in its victims much like missing out on a great discount in a store. Secondly, it allows them to increase the cost and then be seen as “generous” when they discount it again. A well-established sales tactic. Finally, this tactic can catch organisations out, especially if they are going to pay the ransom themselves as opposed to through an agent. They may not have a digital asset wallet set up and that can take over a week.
- Threatening to release any data they have appropriated. Another old but reliable tactic. Threatening to make the damage worse can feel incredibly persuasive especially in the heat of a crisis. Attackers have combined this tactic with another which is contacting the clients of the victim, informing them that this data has been appropriated and then reassuring them that so long as the victim pays no data will be published. This Hunger Games- esque tactic gets the clients applying the pressure to pay too.
- Communicating in a reassuring manner and offering additional benefits to paying. This is one of the newer tactics we have seen. Attackers have turned to using “helpful” language and offering multiple benefits to paying including security report and recovery vendor lists.
It is this third “helpful” tactic that I want to look at in more detail.
JBS Foods Vs REvil
The attackers messaged JBS initially asking for $22.5m ransom. They informed them that if they didn’t pay it would double. They also warned JBS that they had also exfiltrated their data and that “…if you don’t reply within 3 days it will be posted on our news site”. However, in the spirit of co-operation (yeah right) they also added “we can unblock your data and keep everything secret”. They also offered a discount for fast payment.
They cast themselves as business people they told JBS “Don’t panic! We are in business not in war”. They also offered additional “benefits” to paying including a “security report”.
JBS ended up agreeing on a payment of $11m. They claimed that the cost of recovery along with the exfiltrated data was so huge this was the right decision.
Colonial Pipeline Vs DarkSide
In the case of Colonial Pipeline, the attackers worked hard to portray themselves more as business partners or consultants than criminals.
In their conversations with Colonial Pipeline the attackers actually recommended data recovery companies they could use after they had paid the ransom. The attackers also claimed they “helped more than 100 companies”. The use of the world “help” and “support” appears a lot in the 2021 messages from attackers.
That said, they initially demanded a ransom of $4.8 million but informed Colonial Pipeline that the price would basically double to $9.6 million after a set amount of time. They ended up paying $4.4m.
CNA Vs Phoenix
The attackers initially told CNA that the ransom would be “999 Bitcoins” which at that time was around $55m. The attackers were a bit more pushy in this case. Without warning they increased the demand to 1099 BTC and accused CNA of “wasting time”. They were also a little more aggressive in their initial communications talking about the amount and quality of the data they had appropriated and they threatened “it will hit hard if leaked”.
They softened somewhat eventually and adopted more of a helpful persona reassuring CNA that so long as they paid they would ensure that no mention of the incident would be made. They also promised not to publish any of the data nor talk to the press. They eventually paid the equivalent of $40m.
Why the move to portray themselves as a friend not foe?
The drive to get a ransom paid means that a few different factors have arisen in the ransomware ecosystem.
Firstly, the days where we say “they are criminals and unlikely to be true to their word” seem to be long gone, especially for the major groups partaking in the ransomware business model. Each group now has a “reliable” reputation to maintain that is vital for their economic survival. If groups are paid (by companies or insurers) and then fail to make good on their promises to release keys/ delete data / keep quiet then there will be a black mark against that group’s name and the chance of them being paid next time actually goes down. This creates a sort of parasitic relationship that means that for them to make money they need to deliver on what is promised. For example, the attackers told CNA that “it’s in our interest to do as agreed” and it really is! That’s of course not to say that issuing the key will always work, there are other factors that impact the ability to recover data, but it does mean that because of the “due diligence” conducted prior to deciding to pay it is an important factor.
Secondly, ransomware as an industry, if you can call it that, has become professionalised. That is not giving them undue credit but it is a fact that these groups are extremely adept at all the key ingredients of organised crime especially the washing and off ramping of currency. Organised crime is the professionalisation of crime for the most part. In this new ransomware business model, the development of a more business-like persona aides them in all manner of tasks required for the effective execution of their “main service offering”. It is therefore imperative we treat them, assess them and deal with them with this point firmly in mind. To do otherwise would be greatly underestimating them.
Why is this analysis important?
My knee jerk reaction is to tell clients “Don’t pay the ransom. You are funding criminality”. That has become something of an idealist notion though. Analysing previous cases and noting the ransom demands, timeframes and payments allows us to best prepare for a ransomware attack ourselves. Preparation is key here and saves crucial time regardless of whether you pay or not.
Jake Moore, Cyber Security Specialist at ESET comments “The only way to break the cycle [of ransomware] is to avoid paying the ransoms but this involves the strongest preventative measures possible. Such mitigation techniques are best found when businesses simulate ransomware attacks and test their restoring methods” He adds “Every minute offline can cost eye watering amounts of money”. Pointing at the need for prior planning and preparation however good you feel your defences may be.
Some key things to consider in your plans:
- Discuss with your crisis management team (CMT) and board members if, when and in what circumstances you would consider paying a ransom
- Have a playbook for how you would acquire cryptocurrency quickly if needed
- Have communications statements pre-drafted to cover how you would inform stakeholders of both the ransom demand and your decision regarding payment
- Run a cyber crisis exercise to allow your CMT to practice their roles in a ransomware scenario.
A crisis is not the time for trying to piece together a response you could have had planned, tested and ready to deploy.