CFI Podcast

All About Ransomware

Joel de la Garza, Das Rush, and Tom Hofmann

Posted February 24, 2021

In just the last couple of years, ransomware has grown into a multibillion-dollar industry. It has evolved from taking systems and servers hostage to stealing data, and it has proven capable of shutting down global organizations. In recent months, ransomware groups directly shut down Kia Motors’ North American IT systems; indirectly may have contributed to the death of a patient during a hospital ransomware incident; and allegedly stole sensitive files from a law firm whose clients include former President Trump.

In this explainer episode, Tom Hofmann, the SVP of Intelligence at Flashpoint Intel (which monitors ransomware criminal syndicates and assists organizations with prevention and response), and CFI security operating partner Joel de la Garza cover: how ransomware works, from the anatomy of a hack to how the groups operate; the role of nation-states, insurers, and regulators; and what to do if your stuff is taken hostage.

For more on cybersecurity, check out our coverage of organized cybercrime and hacks and our 16-step guide to protecting your data.

Transcript

What is ransomware?

Joel: Ransomware is kind of the pinnacle of the crimeware/hacking-for-profit type activities that we see. It is basically software that’s used to take your computers or your data hostage and hold them for ransom until you pay the hostage-taker money to release them. It isn’t sophisticated espionage led by a nation-state, this is very much about how do you, at scale, get enough victims and have enough of an infrastructure to successfully monetize the hacking that you’re doing. It is literally the fastest growing area of cybersecurity. Like, ransomware is just proliferating at such an insane rate.

Das: Why are we hearing so much about ransomware right now? What’s led to its rise?

Joel: There’s a couple of factors that have come into play. The first is all businesses are essentially tech, data, computer businesses. And so when you start to be able to take those kinds of information assets hostage, it gives you the leverage to demand money from them in order to release them.

Tom: I think definitely in the last five years the monies associated with this are a lot higher. A couple years ago, the higher-end ransoms would be $200,000; occasionally, you’d see it up to half a million dollars. Today, the starting point is probably $200,000, and we’ve seen up to $40 million and $50 million ourselves. And we’ve heard from others that they’ve seen a couple that went up to the $100 million point.

As they keep getting bigger and bigger paydays, the next ransom is getting bigger and bigger. So this is one where the economics of this all, it’s attracting more and more of these groups.

Joel: And the amount of money that’s being paid to ransom takers, the amount of money being paid to secure all this infrastructure — there’s no silver bullet. Because it isn’t an actual technical threat that we can build a product for.

In reality, it’s a business process, and you could actually conduct a ransomware attack without using any software: You could guess the password to someone’s server; you could log into that server; and then, decrypt the hard drive with a passphrase that only you know. And you did this with no software; you just connected through terminal services. You didn’t need any malware or zero-days or any of that.

And so ransomware is less of a product and more of just a business model.


Das: In the landscape of different types of cyberattacks, where does ransomware fit in? You’ve got things like malware. You’ve got phishing…

Joel: A lot of these guys started spamming in the late ’90s, like their business was building these massive infrastructures to send out really annoying emails. And so as spam got cracked down on, they just repurposed that infrastructure and so it became less untargeted spamming and became more focused on phishing. And then as phishing stopped working, they pivoted towards malware. And so they used the infrastructure to deliver bots. And then they built botnets.

And I think at a high level that just describes the evolving process that we’ve seen with these global, criminal organizations — which is that you build an infrastructure to accomplish mission x so you could steal their banking credentials. Once that avenue shuts down, you still have an infrastructure, you still have a team that you’ve built, and so you want to find ways to further extract value.

And now they’re using a lot of the same infrastructure to either grab your account and go after you personally — or grab your local machine and encrypt all your data and then try to sell it back to you.

Ransomware is sort of one of the new heads of the many-headed hydra of this organization.

Tom: We monitor a lot of the eastern European criminal communities, and what’s interesting there is, there are some of these modules where, depending upon who the victim is, the botnet can automatically determine which module to drop, whether it’s an information stealer, or it just lurks and goes and monitors and will check back in at a future date, and others identify if it’s a large company and ripe for a ransomware variant.

They’ll look at your latest filings. They’ll see how much money you have in your bank accounts. We’ve seen one where they knew what the insurance policy was and what they were insured up to. So part of the negotiation was, “Hey, we know you’re insured up to $20 million. Just get your insurance company to pay this.”

As a lot of companies have really advanced anti-fraud detection techniques, it’s really made it harder to monetize a lot of these infections. That being said, when we look at all those same infections, they figured out where they can bypass a lot of these fraud protections, which is you take an actually relatively simple technology — which is encryption — and they lock up your systems.

The anatomy of a hack

Das: Walk me through the anatomy of a typical attack today. What happens when somebody takes something hostage?

Tom: So, how they gain that initial foothold is actually very basic. They scan the internet for these vulnerabilities — these open, exposed ports. A lot of the infections we see are from remote desktop protocol — so RDP, where these RDP connections will be brute forced by a bot until they gain access. We’ve seen the use of phishing emails — they will deliver some piece of malware, and what they’re exploiting, it’s typically vulnerabilities from 2018, 2019. So, all things that have existing patches.

Once they gain that initial foothold into someone’s network, they are increasingly using tools like Cobalt Strike. (This is a legitimate pen testing application.) There are cracked versions of that that are available within some of these criminal communities. So, Cobalt Strike is quite often used to really move laterally across networks, to deploy additional beacons, to deploy additional payloads. A lot of organizations, you’re most worried about getting those patches deployed on anything that’s externally exposed, and anything internal you kinda push to the back burner, because how would anyone ever be able to exploit that? Well, it’s those internal systems where the patches have not been deployed that enable takeover of a lot of key accounts.

They’re trying to get to the domain controllers, and once they have access they’ll try to remove backups. They’ll disable any endpoint security solutions you might have. And once they have your network at that point, it’s typically ready to be encrypted. From initial infection to full network encryption could be as soon as five or six hours.


Das: Is it just computers that are being taken hostage? Is it the data? Is it a mix of both? Does it vary by attack — like, what is actually being taken hostage?

Joel: Yeah, so there’s definitely been kind of an evolution in the way that ransomware has taken things hostage. And in the old days, you know two years ago, it would focus on taking hostage sort of hardware assets, and this could be routers, it could be Wi-Fi access points, it could be laptops or servers — and basically getting in there, changing the password to something you don’t know, and then trying to sell the password back to you so that you can get back into your equipment.

With attacks like that, people generally have backups. It’s easy to recover. You just reinstall the operating system. And people would just recover instead of paying the money.

As it’s evolved, they started to actually target encrypting hard drives. And as defenses kind of got better and people started to understand how that attack worked and finding ways to either recover and reboot, they actually started going after data.

Das: So, how does that work? They get in, and a hacker is encrypting your data. What exactly is happening on the technical level?

Joel: Yeah, so for the purposes of simplification, there are ultimately two sorts of encryption. One of them is symmetric key encryption and the other one is asymmetric key encryption.

So, in the one instance, there is one key, and you use this one key to encrypt everything. So I generate, let’s say, a number. The number is 32 and I encrypt all of your data with the number 32. And then, at some point in the future, I sell you this number to decrypt your data.

Now, the issue with that kind of a system is that I’m sending this key to you to encrypt it as well as to decrypt it. So if you can intercept this key, you can then just undo what the ransomware author has done.

So what they’ve tended to do now is asymmetric, or public-key encryption, where they’ll send you a public key, to encrypt your data. And there’s no way — even if you intercept that public key — that you could decrypt that data; you actually have to get a private key that gives you the ability to decrypt it. And the attackers hold on to those private keys, and they sell them to you for hundreds of thousands to millions of dollars.

Das: So with that asymmetrical key, why can’t you crack the code and just decrypt it back?

Joel: They’re using industrial-grade encryption, which means that it would take, you know, all of the computers on Earth 35,000 years to decrypt it if you don’t have the key. It’s just the game of making recovery of the data more expensive than just paying the ransom.

And that’s ultimately — it’s kind of weird to say, but — that’s how the market finds its price. If you destroy all of these laptops and it’s going to cost you $70,000 to replace them and they’re asking for a $500,000 ransom, you’d probably just pay the $70,000 to replace the hardware, right? That’s kind of price discovery in an illicit market.

The business of ransomware

Das: The thing that’s maybe most striking to me in this conversation is that these ransomware — you know, literally Evil Corp, Evil Corporation — is functioning much the same way as legitimate businesses. So, what are their different departments, different functions, different specializations that are really critical to how they operate?

Tom: A lot of the botnets that are operating, they are really some of the more commodity malware, the dropper malware. But a lot of these criminal syndicates, they really are bringing in additional expertise, technical understanding, how to run these botnets, how to deploy new modules so they can better prioritize where they want to target these ransomware deployments.

And I think Evil Corp is a good example. What really brought them into prominence was they were running the global botnet, Dridex. How they developed that botnet really brought in expertise: how do you do the reconnaissance for who your victim list is gonna be? As it was spamming, you had to have someone operating the spambot and figuring out how that was gonna bypass all of the email filtering software. Then you needed the actual module you were gonna deploy. So you had different parts of the organization that were really focused on that payload. And once you got the payload onto someone’s system, well, you needed to maintain the command-and-control infrastructure where this was gonna call back to, and how the malware would insert itself in the middle of your session with your bank. Once you have enough information, then you had to figure out how you were gonna use that. Well, you had a different part of your group that was the information reselling network.

So, it really is every part of that cyber kill chain that needs groups. Some of those were part of the larger syndicate. Other ones were just brought in as needed where it was a specific exploit.

Das: Is there, like, an in-house operation? Or is this kind of different functions of an assembly line and each one is kind of its own organization? It’s kinda that age-old tech question of, you know, how much of this is vertically integrated, and how much of this is different slices of the infrastructure stack?

Tom: There’s a lot of online communities where a lot of these individuals come together. There are specific forums on how you develop exploits. There’s other forums that you can go and learn the latest in cryptocurrency and the different broad schemes that are associated with that.

So, we’ve seen that there are a lot of opportunities for individuals who want to get involved in this type of activity. You really start at the lower end, and you develop some relationships, and over time, you start doing more advanced operations. And as you start getting money you can go to these same forums and you can solicit for additional support. And over time we’ve seen — especially in the Eastern European space — there are individuals who have been there for decades: They moderate content on these forums, in these communities. And we’ve seen that with that trust and that reputation online, when you want to do some operation you will get the best of the best to come together.

Sodinokibi, they put out the call for papers. They had, I think, 40 to 50 technical papers submitted. They chose the top three who got cash rewards for the first, second, and third prize. And then they were invited in to join the syndicate, which could earn you up to $60,000 a month.

If you’re running your own kind of ransomware scheme, you can rent out the ransomware service. You can rent out the infrastructure. You can rent out negotiating services. You can rent out all pieces of that, and you get to keep 80% of your illicit proceeds. And then you give 20% back to the larger collective, and they use that to reinvest in the technologies that allow them to go continue to innovate and deploy these malicious campaigns.

And it’s just… What’s the opposite of a virtuous cycle? That’s where we are right now.

Das: You started answering the next question I had which is, who is at the top? And who are these kind of ransomware “founders”? Do we know who they are? Are they mysterious figures, or are they kind of out in the open?

Tom: There’s a couple out in the open. The one, Maksim Yakubets, there are photos of his Lamborghinis and his wild party lifestyle. What’s also interesting with that is, I believe, his father is a local mayor, and his father-in-law is potentially FSB (in Russia, the FBI equivalent).

When the U.S. government or someone else is able to identify the actual identities of some of these criminal actors, they typically are very closely connected to those in power, which I don’t think we’ve had a smoking gun yet — but there is one degree of separation which really leads to a lot of questions about what role does the state have in this.

Joel: I think for me one of the most shocking things I sat through was the Secret Service briefing on cybercriminal gangs and how one of the leaders of one of these large organizations is actually a member of the parliament of a national government and is a bit of a folk hero in his home country!


The role of nation-states

Das: What determines the role or the incentives of a nation state?

Tom: The nations who have really strict controls on access to the internet — we see over in China with real-name verification — it actually makes it quite hard to be anonymous on the internet, making it hard for criminal groups to operate within cyberspace. And on the flip side of this, you see in Eastern Europe, in particular Russia, where there is not really an effort to deanonymize the users — it’s almost an implicit understanding that if you don’t attack former Soviet bloc countries, you’ll be left alone. So it has allowed these groups really to feel emboldened to conduct some of these attacks where they don’t really feel that the long arm of the law is ever gonna reach out to them.

Joel: And I think that’s a really important point that underlines why this is such a difficult problem: There are a lot of countries where you don’t have the same divisions between criminal, police, and military. And so you’ll have someone who works for, let’s say, a government agency during the day and then freelances for some organized criminal syndicate at night.

I think one of the big differences is that we generally have treaties with a lot of countries that we will respect their system of justice and policing and execute on valid warrants. They typically call these “MLATs” (mutual law enforcement assistance treaties), and we have these with a lot of our allies — so that in the event that you’ve had some super-criminal working out of the U.K., we could coordinate with law enforcement there, have that criminal arrested, and brought to jail.

With adversarial countries, there’s no such agreement, there’s no such treaty. It’s actually very difficult to work with law enforcement in these countries and bring them to justice. And it’s also really difficult when the activities of the folks who are committing these crimes in these countries align to their national interest, which is to antagonize Western governments.

And so as long as there isn’t a framework for enforcement or a framework for criminal justice, then, you’re just basically creating these incubators where you have these really innovative, dynamic organizations at the cutting edge of committing crimes.

The role of cyberinsurance

Das: So, you’ve talked about kinda the incentives of different nation states. What role do cyber insurance, regulators, have to play in incentivizing — or disincentivizing — these attacks?

Joel: You see in movies, there’s always the statement that the U.S. doesn’t negotiate with terrorists. And the reason why is that it creates a really dangerous incentive structure for the bad guys to continue escalating their very negative behavior.

And so, cyber insurance is something that’s been around since probably the mid ’90s… and for 20-something years it was the best business you could be in because you’d collect these premiums and never pay out. There were all these clauses in cyber policies that wouldn’t let you pay out because every intrusion was different. They would cut out nation states; they would cut out cybercrime; they would cut out all sorts of things.

Well, lo and behold, they started writing policies that they had to pay out on, and these were the ransomware policies. I’m pretty sure initially the calculus for these insurance companies was that they’re making so much money that it was just cheaper to pay the ransoms, and it was cheaper than fighting them in court and cheaper than trying to pay for recovery.

And the criminal actors figured this out — and they’ve built a very sophisticated business as a way to extract these payments from these insurance companies. And now you’re looking at probably the first year where a lot of the leading cyber insurers are gonna lose significant revenue. They’re gonna have to increase premiums. As a basis, I think next year you’ll see premiums going up 40 or 50% across the board. And if you’re a company that’s paid out a ransom, you’re probably gonna see your premiums triple, or go up by a factor of 5x.

Tom: I would also add on to that we’re seeing that as companies are renewing their policies, they’re ensuring that there is coverage for these types of events. So the actual number of insured companies is (I would have to double check, but I think the last I saw was) maybe 30% of companies have a cyber insurance policy. And over the next 10 years that’s expected to go 60 to 70%.

Joel: I think, you know, cyber insurance, the insurers have found a way to build sorta the perfect storm. The lack of criminal prosecution in these countries is one thing — but the combination of zero consequences, zero cost, combined with outsized financial returns, earning millions and millions of dollars — you’re essentially incentivizing kinda the best and brightest with outsized financial payments, very little risk of any kind of criminal prosecution. And so you’ve built this system where you’re just gonna continue to have these problems, this escalation.


OFAC & regulation

Das: I want to transition into talking a little bit about the regulators because it seems like that’s really related here. So what’s been the impact of regulators and of regulation?

Joel: I think the big impact that we’ve seen in the last couple months was that the U.S. Treasury Department issued some advice that paying some of these ransoms to people that were on the OFAC list could get you into some serious trouble.

Das: Could you clarify real quick what OFAC is?

Joel: Yeah, so the U.S. government maintains this list of terrorists, and dictators that commit genocide; literally just the worst of the worst. And so if you do business with those folks, if you conduct any kind of financial activity or transactions with them, you’re subject to criminal penalties under U.S. law.

And so the U.S. Treasury issued a directive earlier this year that paying ransom out to anyone that’s on an OFAC list could potentially subject you to criminal liability. And then they turned around and added Evil Corp, or one of the big Russian crime syndicates, to the list.

So, at this point you’ve kinda set up people in the U.S. who made plans to essentially pay out these attackers, that they’re gonna get themselves into a situation where they’ve been breached by an organization that’s on the OFAC list. They’re gonna pay them a ransom, but they can’t because then their executive management will face criminal liability.

Das: Tom, how are you seeing that play out with the different executives and companies that you’re working with?

Tom: Yeah, this actually dominates a lot of our conversations — especially when we’re dealing with victims — and, once a company gets to the point where they’re contemplating a payment, it’s a lot of questions around: How do we know if someone is on the OFAC list? How do we know that even if they aren’t on the OFAC list now that I won’t be held liable if they get added in six months?

And the answer to all of this is: you don’t know.

You check the OFAC list through the Treasury, the E.U., the U.N. There’s a lot of different lists that you can check, and the reality is every week there’s a new group. Some groups, they will call themselves a new name next week. So now the attribution of who’s really behind it, you don’t know. As Joel said, there’s really only one group who made it onto the OFAC list, and that’s Dridex and Evil Corp. So now people are afraid about paying into that group — but it’s still unclear, because you don’t actually know who is on the other end of that payment.

We always encourage victims to talk to law enforcement; I’ll say the FBI has been fantastic hopping on phone calls with different victims, walking them through what others have experienced, what they’ve seen, what they do know. So while they will never give a green light to go make these payments, we have seen that talking with law enforcement helps the victims really better understand the legal environment in which they’re operating.

Preventing attacks

Das: So I want to make sure we get into some of the prevention and response. You know, you talked a little bit about how ransomware is finding its way into organizations, and that sometimes it’s really basic stuff — it’s a phishing email, it’s an unpatched system — given the vulnerabilities that they’re exploiting, what are the things that organizations can do to prevent attacks?

Joel: These guys are using low-effort, low technical sophistication operations at scale to then try to monetize and find a way to make money.

From an attack and penetration perspective, a lot of these organizations are really just sort of using bottom-feeding tactics; they’re going for things that are easy to fix. And the reason for that is quite simple, and it’s economic: If they had a sophisticated attack, a zero-day exploit or some really clever way to gain access to information, they wouldn’t use it for ransomware. They would actually probably sell it for millions of dollars to some sophisticated actor who would then weaponize it against a high-value target.

That’s really where just doing basic hygiene comes in. I hate to shamelessly self-promote, but we wrote a really great blog piece on this about 16 things you can do to protect yourself — I think if you just follow the first five on that list, you probably keep yourself out of trouble with ransomware. It is really just as simple as using 2FA, patching your systems, and just doing good IT hygiene. It’s not rocket science. It’s not cool. It’s not sexy. It’s like brushing your teeth, you know?

Tom: And to add onto that, password managers. You have to make it easy for employees to do the right things. If it’s expecting an individual to remember 20 different passwords to 20 different sites, it’s just unrealistic. And I know from our perspective we see stolen credentials coming through the different malware C2s that we monitor every day. We see the different databases being sold every day. We see the different combo lists that are uploaded to various sharing sites every day. Just in the past month we’ve seen 100 million new credentials. This is where thinking that a password is gonna keep you safe, that’s not realistic.


Attack response

Das: I want to move over to response. Someone has been hacked. How do they assess what their options are? And what are the steps in deciding whether or not to pay?

Tom: When someone finds themselves a victim of ransomware, what we always say is: ask for help first. Do not try to do this on your own.

We’ve seen too many times where a proactive IT specialist thinks they’ll handle it quickly. That has come back to just exacerbate the problem and make it even worse. And the first thing that happens is they say, “We have backups. We’ll be back up and running in 24 hours.” And then several hours later, they come back and say, “Oh. Actually, our backups aren’t… they haven’t actually been backed up in a long time.” Then at that point it’s, “Wait. What do we do?” It’s like, well, we’re gonna try to recover. And we’ve seen that this typically just erodes confidence as it goes further and further.

Once that encryption is there, I hate to say it, if you don’t have good backups and you don’t have those offline, the chances of recovery are pretty slim. Once you’re at that point, it’s really a discussion of how valuable is that data?

Some companies we’ve worked with, the data really wasn’t all that valuable. They’re like, “We’ll just rebuild the systems.” Other companies — one was engaged with some DNA research, and they needed to get the data back, but they were very interested in how the decryption process would work — because they needed to have absolute confidence that, bit for bit, the decryption process was not gonna corrupt any of their data. And, unfortunately, we couldn’t give them any assurances, because how that encryption process proceeds depends kind of on what state that database was in at the time when it was encrypted.

And nowadays there’s a lot of information being stolen as well. So the ransomware variants, they’re threatening to post stolen information, which includes customer details; it sometimes includes medical information. So this is also a complicating factor — where some companies, they might be able to recover from offline backups, but really what they’re worried about is protecting their customers, protecting health information that they don’t want to have exposed. For every situation, it really depends on what the victim is trying to achieve.

Das: Once you have somebody and they’ve kind of decided on their response, and you’re getting them in touch with the other side and starting a negotiation, what does that negotiation look like? How does that normally proceed?

Tom: We’ve seen it typically proceeds down two paths. Sometimes you’ll be given an email that you’re to reach out to. It’s typically a ProtonMail email. And you’ll ask what the ransom demand is. And they’ll give you, typically in Bitcoin, what they expect to be paid. From there, we will go back and forth and really try to get it down as much as possible. But how much the victim has revealed, and how fast they want to move through the process, will really dictate how that plays out.

The other thing that we’re seeing more often is, a victim in the ransom note is given a site that they will go access — typically on the Tor network, the dark web — and you’ll typically have to put in an alphanumeric code that will allow you to get to the specific site that they have set up. So, you’ll see on the portal they’ll have your ransom demand, how much you need to pay, when you need to pay it by. And typically, that will start a timer, and once it hits zero they tell you that the ransom will double.

So, this really is just a complicating factor, especially when victims are trying to figure out: Can they pay? Do they have an insurance policy; if so, who do they need to notify? If you’re gonna be spending millions of dollars, typically you need to go up to get board member approval to do that… So, the criminal groups do that for a reason. It’s to ratchet up the pressure.

Another reason why we say do not reach out to that criminal syndicate by yourself either: sometimes, just by the simple fact of logging into that page, that might be the first time they actually know they successfully deployed it and you couldn’t back up.

Das: You know, I’m thinking kind of the analog equivalent of these attacks — where somebody has somebody hostage, and that moment of payment and return is such a high suspense, high stakes moment — how does that work with a ransomware attack? Like, how do you know, “Hey, I just sent you money. I’m actually gonna get back what you said?” Especially because we’ve pretty much established there’s not a lot of scruples on the other side.

Tom: Yeah. It’s… throughout the entire negotiating process, these groups, especially the more established ones, they will point back to the press headlines and say, “Hey! We’re a legitimate business. It’s in our best interest to actually deliver the keys and make it work, or else no one in the future will ever pay us.”

For some of the groups that we were talking about, sometimes it’s automated: once you log into the portal where they’re managing your specific victim case, and once the cryptocurrency is submitted into the specific wallet that they’ve designated, it just automatically releases the decryption keys within the portal.

Then we have others where you’re going through email. And typically they’ll get back to you in about four hours. And sometimes they’ll ask you for the specific alphanumeric codes for the different encryption variants that are on your network. And they will give you specific decryption keys that will work for each one of those.

But we tell victims all the time: You’re dealing with criminal actors. There’s a risk, and we’ve seen it, even recently, where you make a payment and the actors, they say, “Nope. Now the ransom is double. Pay me more.” Thankfully that’s the exception rather than the norm.

Joel: I was just gonna say, I don’t know if it was a joke or if it was actually happening, but I’d heard that there was a ransomware crew that was hyping its NPS score (so its net promoter score), saying that it had done such a great job at getting people returned to functioning service that that’s why you should actually trust them. So I think they are concerned about their reputation and do want to make their victims whole again.

Das: We were on kinda the moment of payment and return, and I’d love for you to then talk a little bit more about once the data has been decrypted, how does that post-disaster recovery work? And, you know, what do organizations do to come out of this?

Tom: Once you get the decryption keys — depending upon how large your network is — it’s at least a week, probably closer to four weeks until you really get all your systems back.

You prioritize which systems you want to bring back first. So, all the critical systems come back online. You can typically get those back functional within a few days, and then bring everything else up.

Before even starting the decryption process, though, you need to understand how that initial infection occurred, and figure out exactly where it is, so you eradicate that before you bring the systems back up. Ransomware groups will say that they won’t victimize the same victim twice, because that’s not good for business either — but what we’ve seen is there are a lot of groups that are going after the same vulnerabilities that are running on the same systems. So it might not be the same group, but it might be a separate group that tries to come in the same way.

Ransomware attacks on hospitals

Das: Ransomware’s been in the news a lot lately, largely because of the increased attacks on these critical infrastructures, most notably hospitals. You know, I think it was like October 2020 where you had the first death attributed to ransomware, with a German hospital that was attacked. As a result, a patient died because they couldn’t receive treatment. How is that changing the response or calculus?

Tom: That conversation, as it pertains to healthcare, has actually been around for a couple years now. Back in 2016, within one of the Russian illicit communities, they were debating the ethics of using ransomware against hospitals. And it was really split right down the middle where half the participants were saying, “Yeah, that’s a bridge too far; we should only use ransomware to go after companies who have money. But once it goes into impacting or someone’s life is at stake, that’s too far.” Then the other half were saying, “Meh, it’s money. We’re gonna do it.”

I think what we’ve seen over the last couple years, some of these groups will pay lip service to not going after hospitals, or critical infrastructure — but the reality is they’re all doing it.

Joel: Yeah. I mean the thing that’s particularly concerning is that these guys are going after parts of our critical infrastructure at a time when we’re particularly vulnerable. So the targeting of hospitals right now is particularly worrisome; I think that’s a clear national security threat, not just to the financial prosperity of our country, but also this is a genuine risk to the lives and wellbeing of our citizens.

Das: When it’s been lives at stake rather than just wallets, does that change how you advise or work with somebody who’s been a victim of ransomware?

Tom: From the responder standpoint, it makes it more personal. Unfortunately, at the end of the day, it’s a business transaction. The other side, they just want to get paid. And we try to get them there as quickly as possible.

Where does ransomware go from here?

Das: We’ve seen ransomware, and kind of over the course of this conversation, it’s evolved organizationally. There’s obviously been technological advances. Where do you see ransomware going from here? How is this field evolving, and what’s coming next?

Tom: Where it evolves from here, it only gets more dangerous, I think. Everything is digitized. And I think what is scary as we look forward, these groups are also understanding that. Right now it seems like they are very much just posting the information and they don’t really know what’s in there.

What comes next, I think it’s going to be using that information to identify individuals — and I think that’s gonna be one, which is much more personal to all of us. Companies who we do business with, once that information is stolen from them — and once these actors have that — like what can they do to the individual, and the customers, and the employees to really extend this criminal enterprise to your home and your family?

Doing the basic hygiene to protect ourselves from these attacks, that’s good… but as we’ve seen, they’ll come back with something else. And if this revenue stream dries up, it’s not that they’re going to go away, they’re just going to come back in a different form. So I think that’s why the way out is gonna be part of this public-private partnership. It’s how we work with international law enforcement; how these norms around cybersecurity are really codified and need to be embraced.

Das: Well, thank you very, very much.

Joel: Thank you.

Tom: Take care. Thanks.