Third, they encrypt as many files on the network as possible, using a scrambling algorithm for which they alone have the key. The crooks typically copy the malware program across the network first, so that when they kick off the encryption process, it runs in parallel on all your devices, thus bringing maximum disruption in minimum time.

How these stages evolved
As you probably know, the first two stages above are fairly recent developments in ransomware criminality.
When ransomware crooks started out back in 2013, when the infamous CryptoLocker gang were the kings of the ransomware scene, it was all about stage 3: scrambling files and then using the decryption key as a blackmail tool: "Send us $300 or your files are gone forever."
The crooks generally didn't target networks back then; instead, they went after millions of victims in parallel, with each infected computer ransomed independently.
The criminals targeted everyone, from home users who probably didn't have backups of any sort and might be willing to spend $300 to get their wedding photos or the videos of their children back, to big companies where 100 users might fall for the latest ransomware spam campaign and the business would need to spend 100 × $300 to get the unique decryption key for each now-useless computer.
Stage 1 arrived on the ransomware scene when criminals realised that by going after entire networks one-at-a-time, they could cut their losses early in the case of a network that they didn't have much success with, and focus on networks where they could cause disruption that was both sudden and total.
Instead of pursuing thousands of individual computer users for hundreds of dollars each, the crooks could blackmail a single company at a time for tens of thousands of dollars a time.
Indeed, the early adopters of the all-at-once ransomware approach often took the cynical approach of offering two prices: a per-PC decryption fee, and an "all you can eat" buffet price for a master key that would unscramble as many computers as you wanted, almost as if the crooks were doing you a favour.
The crooks behind the SamSam malware (four Iranians have been identified and formally charged by the US, but are unlikely ever to stand trial) even offered a "staged payment" service whereby you could pay half the ransom to receive half of the decryption keys (chosen randomly by the criminals).
If you were lucky, you might just end up with enough computers running again to save your business for just 50% of the usual price, but if not, you could pay the rest of the ransom, presumably now with considerable confidence that the crooks would deliver the decryption tools as promised.
You could even take a chance on paying the per-PC fee for your most critical computers (typically $8000 a time) to tide you over, and top up later, once you were confident in the criminals, to the master-key price, which was typically set by the SamSam crooks just below $50,000.
Whether they chose $50,000 at a guess, or because they found it represented a common accounting department limit in the US below which it was much easier for the IT manager to get the payment approved, we never found out.
As you can imagine, the exposure of the alleged perpetrators by US law enforcement pretty much drove the SamSam crooks out of business, albeit not before they had extorted millions of dollars from victims around the world, but ultimately didn't make much of a dent in ransomware attacks in general.
Sadly, the SamSam gang's fee of $50,000 a network turns out to be small by current standards.
A recent ransomware attack that took US GPS and fitness tracker giant Garmin offline for several days was apparently resolved when the company coughed up a multi-million dollar payment, supposedly negotiated downwards from $10,000,000.
That incident attracted controversy because the ransomware involved was alleged to have been the work of a Russian cybercrime outfit known as Evil Corp, and transactions with that group are prohibited by US sanctions imposed in December 2019.
And US travel company CWT is said to have coughed up $4,500,000 recently (again, down from an opening demand of an alleged $10 million) for unscrambling what the crooks claimed were 30,000 ransomed computers.
If true, $10,000,000 for 30,000 devices comes out at $333 each, a fascinating full-circle back to the $300 price point of the 2013 CryptoLocker ransomware, which was itself an intriguing echo of the first ever ransomware attack, way back in 1989, where the criminal behind the malware demanded $378. (With no prepaid credit cards, online gift cards or cryptocurrencies to use as a vehicle for pseudoanonymous payments, this early attempt at ransomware, known as the AIDS Information Trojan, was a financial failure. Indeed, it wasn't until the early 2010s that cyberextortion based on locking up computers or files worked out at all for the cyberunderworld.)
But the biggest tactical change in ransomware is stage 2 above.
By perpetrating data breaches up front, before unleashing the file scrambling component (in Brown-Forman's case, the breach allegedly includes 1 terabyte; in CWT's attack, the criminals claimed that 2 terabytes were thieved up front), the crooks now have a double-barrelled weapon of criminal demand.
You're no longer only being extorted to pay for the crooks to do something, namely to send you a set of decryption keys, but also being blackmailed into bribing the crooks not to do something, namely not to go public with your data.
Early ransomware had more in common with kidnapping, though with jobs at stake rather than the victim's life: the theory was that if you paid up and the crooks released a working decryption tool, you not only got your data back but also quite clearly ended the power that the criminals had over you.
For the crooks to ransom your data again (sadly, this happens), they'd need to break into your network again and essentially start from scratch, assuming that you worked out how they got in before and closed the holes they used last time.
But today's ransomware is turning into old-school, out-and-out blackmail: the crooks promise to delete the data they already stole, and thereby to prevent your ransomware incident turning into a publicly visible data breach, but you have no way of knowing whether they will keep their promise.
Even worse, you have no way of knowing whether the crooks can keep their promise, even if they intend to.
For all you know, the data they took illegally could already have been stolen from them: remember that many of the cybercrime busts written about on Naked Security, including ransomware arrests, happened because of cybersecurity blunders made by the perpetrators that allowed their evil secrets to be probed, uncovered and ultimately proved in a court of law.
Or the criminals themselves may have been victims of insider crime, where one of their own decided to go rogue. After all, we've also written about crooks getting busted not through operational blunders but through a falling-out among thieves, where one of the gang has ratted out the others or otherwise co-operated with the authorities to save themselves.
Technically, or at least from a regulatory point of view, all ransomware attacks are data breaches, even if all they do is scramble your files in place.
After all, if an outsider is able to modify files they weren't supposed to access at all, that clearly amounts both to unauthorised access (a crime in most jurisdictions) and to unauthorised modification (a yet more serious crime), and even though this makes you a victim of crime, it also means you've failed in at least some way at protecting information you were supposed to protect.
And ransomware crooks who steal your data before scrambling it are really in the pound seats when it comes to blackmail.
Even if you prevent the final stage of the attack and the file scrambling failed, or if you have reliable and comprehensive offline backups that allow you to repair and reimage all your computers without relying on the crooks for decryption keys, the crooks are going to squeeze you anyway, by threatening to make a bad thing (a provable data breach) much worse: a data breach that can actively be used against you, by other crooks, by unscrupulous competitors, by activists, by regulators, by anyone who is determined to make you look bad for any reason they choose.
The good news, in the case of the Brown-Forman attack, is that current reports suggest two important things:
All we can say to that is, "Well done, and thanks for standing firm."
Grubman Shire Meiselas & Sacks, a law firm that represents numerous high-profile celebrities, recently faced a demand similar to Brown-Forman's, where the ransomware criminals menaced company founder Allen Grubman in broken English with threats to auction off celebrity data in the cyberunderworld:
We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery. [...] Mr. Grubman, you have a chance to stop that, and you know what to do.
The company famously likened the blackmailers to terrorists and refused to pay up. (The threatened auctions haven't yet happened, though no one knows whether that's because the crooks felt they couldn't trust their own or because the data stolen simply wasn't up to what the crooks claimed.)
To reward companies that are willing to say, "We won't pay," and who help to break the feedback that keeps the ransomware cycle turning, we suggest that you repay them by making sure that if their data does get dumped by crooks, you simply do not look.
No matter how useful it might seem; no matter what items that you feel are now both in the public domain and in the public interest; no matter how much you might argue that companies like Brown-Forman were themselves remiss in the first place for not protecting data that they ought to have, don't look.
We urge you, "Just say no."
Brown-Forman's breach is now a matter of public record and we assume it will be carefully investigated by law enforcement and the relevant regulators, so let's leave them to it.
As Sophos Cybersecurity Educator Sally Adam put it:
There is no "end justifies the means" discussion to be had here because this is nothing like the cases of whistleblowers like Edward Snowden or Chelsea Manning, where (no matter what you think of their ultimate actions) an insider identified something they perceived to be wrong. This is purely about extortion.
Clearly, prevention is way better than cure.
It's important to have protection in place to stop stage 3 above (after all, not all ransomware attacks do follow this three-step process, and one-off scrambling attacks are still an ever-present risk).
We've got plenty of advice on how to do just that, including our popular report:
But the earlier you block or spot the crooks, the better for everyone, including yourself.
So we recommend you review the following handy resources too, to keep ransomware crooks out right from the very start:
Go here to see the original:
US liquor giant hit by ransomware - what the rest of us can do to help - Naked Security