By Lysa Myers
July 17, 2021

With new ransomware attacks making daily headlines, it’s hard to imagine any part of this type of malware being considered an “emerging threat”. But as it becomes more mundane, ransomware is also becoming more painful. Recovering from an attack is now not just a matter of restoring from backup, or of paying criminals and hoping that their decryption tool works properly. It’s now about mitigating a toolkit of terror that threat actors have at their disposal.

Attacks get wider, deeper, and dirtier
As victims have gotten wise to the ways of getting around previous iterations of ransomware, attackers have evolved their own tactics. Few threat actors are staying put on a single machine. Now they’re moving laterally through entire networks, and they’re escalating administrative privileges to get where the truly sensitive files are. Perhaps even more worrying is that attackers are using multi-layered extortion schemes to motivate victims to pay.

Until recently, criminals would simply encrypt files and demand money in exchange for a decryptor which was supposed to fix the damage they had caused. This was not always effective, and files might still be permanently lost if there was no unaffected backup. And victims had more nightmare to come, as they could be attacked again once criminals discovered that they were an easy target. And yet, it seems that diminishing returns have motivated threat actors to use more devious methods of persuasion.

Most ransomware families now exfiltrate data to some extent, at least as an “alternate revenue stream” for malware operators. Many are now tying this stolen asset to their payment demands as well. Criminals are threatening to publish victims’ sensitive data if they don’t pay up. This is not an empty threat either. And yet, threat actors seem to need even more to motivate reluctant targets.

The latest tactic that malware operators are using involves threatening to contact interested third parties to tell them that a victim has been breached. This could include contacting customers, partners, or the media. In some cases, this is just about the threat of airing a person’s or a company’s dirty laundry in a public forum. In others, this includes sending emails prodding customers or partners to pressure an affected company to pay, to protect the privacy of their data in that company’s care.

What this means for defenders
There was a time when it was assumed that the best method for mitigating damage caused by ransomware was making sure you had good backups to restore from. If you had sub-standard security measures but good backups, you might have avoided complete catastrophe, you were never truly protected from harm. These new tactics have highlighted that fact.

Too many companies still lack effective security measures and hope to get away with having lackluster protections. Criminals are searching the internet both with automated scans and with targeted attacks to find lucrative targets. As these daily ransomware headlines show, we’re long past the point of just hoping that our assets are uninteresting to criminals.

This isn’t to say that getting to a sufficient level of protection is easy. There are a lot of hurdles for security groups to cross to get to that level. Many companies have trouble getting sufficient budget, attracting enough talent, and getting people to avoid unsafe behaviors.

Security groups need to learn a lesson from the successes and failures of ransomware operators. We have already watched their technological progress to inform our own defenses. But there’s more than that to keep an eye on.

We’ve seen how their tactics of scaring and threatening people lead to diminishing returns. Fear, uncertainty, and doubt can only get us so far. Budget-holders, employees, and customers have legitimate concerns; we need to hear them out if we expect to get what we need to protect people.

Customers and employees are the eyes and ears of an organization, and they experience first-hand what happens in our organizations. The more we can work together with them rather than shaming and frustrating them, the more effectively we can use that knowledge against threat actors. And the more we can speak directly to the concerns of budget-holders, the more likely we are to get crucial resources we need to fight against these emerging threats.

Lysa Myers began her cybersecurity career in a malware research lab in the weeks before the Melissa virus outbreak in 1999. As the industry has evolved, she’s moved from threat research to security education. As a Principal Threat Researcher for BlackBerry Research & Intelligence Team, Myers uses her unique perspective to help make malware research more accessible.