Townsend Security Data Privacy Blog

Ransomware evolution - “Devastating innovation”

Posted by Patrick Townsend on Feb 22, 2022 4:40:02 PM

The new Sophos Threat Report for 2022 is just out and it is a good read (the link is below). In addition to ransomware the report talks about the increasing role of Artificial Intelligence as a part of both defense and offense, and other topics I think you would find interesting. Sophos is on the front lines of trying to help organizations who have fallen victim to ransomware. This statement in the threat report about new ransomware techniques really struck me:

“Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this statement became the basis for one of the most devastating “innovations” pioneered by some threat actor groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware attacks.”

Delivering Secure VMware Hosting with Encryption and Key Management We all know that we have to have a really good backup and recovery strategy to deal with a ransomware attack. From the Threat Report:

“Increasingly, large organizations have been getting the message that ransomware attacks were costly but could be thwarted without the need for a ransom payment – if the organization kept good backups of the data the attackers were encrypting and have been acting on it by engaging with large cloud backup firms to keep their systems cloned. After all, if, for instance, you only lost one day’s worth of work, it would be a manageable loss, completely survivable for the targeted organization, if they chose to restore from backups rather than pay the ransom.”

But did you know that the attackers have innovated with a “double extortion” strategy? Backups can help you recover from the loss of your systems due to poisonous encryption. But the attackers are now stealing your sensitive data and threatening to publicly release it if you don’t pay the ransom. That is the second part of the “double extortion”, and is the “devastating innovation.”

“We have to presume that the ransomware groups were also getting the message because they weren’t getting paid. They took advantage of the fact that the average “dwell time” (in which they have access to a targeted organization’s network) can be days to weeks and started using that time to discover an organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal documents, customer information, source code, patient records, or, well, anything else, to the world.”

How do we respond to this new, double extortion ransomware threat?

First, we have to do the things we’ve always done:

  • Backup everything to be prepared to restore systems and data.
  • Monitor our environments for anomalous events and behavior.
  • Educate our employees and service providers on good technology and email practices.

Now we need to add one more practice:

  • Encrypt sensitive information to deny it to the attackers.

To defend against the “double extortion” we now have to deny hackers access to our sensitive information through the use of defensive encryption. If the attacker steals our data but can’t read it, we have defeated the new “Devastating Innovation”. I know that it is a bit ironic that we have to use the same tool as the hackers – encryption – to defeat the hackers. But it is a tool that we have readily at hand. All major database, virtualization, and storage solutions make it easy to encrypt data. And that’s what we need to do now. As in, right now!

Here is one critical thing to consider when you start implementing encryption as the next part of your ransomware strategy:

Your encryption is only as strong as your management of encryption keys.

When you encrypt your sensitive data, you have to protect the secret key that unlocks the data. That is actually the hardest part of an encryption strategy. It is important to get this right from the start. This is where Enterprise Key Management systems come into play. They give you the means to protect your encryption keys away from the data they protect.

We are helping our customers deploy encryption to defeat ransomware with our Alliance Key Manager solution. You can encryption databases, VMware infrastructure, Cloud data, Big data, and much more. More information here:

https://townsendsecurity.com/products

If you are a Managed Service Provider (MSP, MSSP) or IT Services Organization (ITSO), you can find out more about how we empower our partners to meet this challenge. More information here:

https://townsendsecurity.com/msp

Stay safe,

Patrick

Resources:

The Definitive Guide to Encryption Key Management Fundamentals:

https://info.townsendsecurity.com/ebook-definitive-guide-to-encryption-key-management-fundamentals

The Sophos 2022 Threat Report:

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf Download Alliance Key Manager

Topics: Alliance Key Manager, Encryption, Key Management, Ransomware