Why we should be more open about ransomware attacks

The UK’s National Cyber Security Centre (NCSC) has published an article that reflects on why it’s so concerning when cyberattacks go unreported, saying:

…we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones.

One of the main reasons is that with visibility, it is easier to get a good picture of what is going on, what methods the criminals are using, and maybe even who they are. Another argument is that paying the ransom and keeping quiet about the fact that you have been attacked has a few negative consequences:

  • Paying the ransom funds the criminal ecosystem.
  • Not doing a thorough, third-party investigation could leave the access method used by the criminals wide open for the next attack.
  • If the news of the cyberattack gets into the public domain later it can be much more damaging than communicating about it straight away.
  • Good backups often restore encrypted systems faster and more effectively than paying a ransom for a decryptor provided by the criminals. Decryptors can be slow, and they have been known to fail (even though the criminals will tell you they work seamlessly).

Depending on the country an organization is based in, whether they handle data under GDPR regulations, whether they are a government contractor, what sector they are active in, or whatever other reasons, some organizations have a legal obligation to notify one or more authorities about a cyberattack.

This has led to some misconceptions in the past. For example, for some time researchers were under the impression that SamSam ransomware, one of the earliest “big game” ransomware gangs, specifically targeted healthcare providers. Later it turned out that most of its victims were in the private sector, but because a lot of the healthcare victims were obliged by law to report the attacks and none of the private sector victims were, the reported incidents painted a skewed picture of what was actually happening.

There are some obvious reasons why organizations would want to keep attacks under wraps. One of them is the fear of the fines involved in a data breach. Some ransomware gangs actually use these fines as an argument to persuade victims to pay a ransom. The NCSC provided an example of a ransomware message that stated:

The ransom demand is £50 million. If you pay, you’ll avoid a regulator fine of £600 million which is 0.5% of your annual profit.

The NCSC goes on to say that a data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. From what we have seen, trying to cover a data leak up and then getting exposed later on, will drive the penalty to the max.

The stats in our monthly ransomware reports are based on known ransomware attacks, published by ransomware gangs on their Dark Web sites and Telegram channels. This means we only have visibility on successful attacks where the victim refused to pay. Estimates by experts like Allan Liska are that this is just the tip of the iceberg. We might be seeing only 10% of what is really going on. While there are no reasons to believe that this could change the proportions, in some cases it might.

  • If there are still ransomware gangs without a leak site, we would lack visibility. (At the moment we do not believe any of the major players operate without a leak site or a Telegram channel to leak stolen data.)
  • Ransomware gangs may not publicise attacks that fail to steal valuable data—news of failures would likely put off affiliates and have a negative impact on their income.

Basically, the NCSC is asking victims to do the right thing and allow us to learn from successful attacks, which can help others to avoid falling victim to the same methods. We do understand that some organizations feel they have no other choice but to pay. But even then, investigate the incident and share your findings so others may learn.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.