Ransomware is Pure Extortion
Ransomware attacks are, at their core, organized theft. While the attack causes you great angst and grief as you rush to find a way, any way, to get your data back, it is designed to pull your focus away from the areas that need your full attention. The ransom demand is the last step in well over a couple of months of reconnaissance and theft inside your network, and the criminals use what they have already stolen to pressure you into paying faster.
Your data is up for sale the moment they get into your environment.
Here are six typical objectives during a ransomware attack, and some of them may not be as obvious as you expect. The ransom payment is not the only way for criminals to make money from infecting and exploiting your systems. Criminals are leveraging Ransomware-as-a-Service so that many of these attacks run in parallel.
- Usernames and Passwords: These can be more valuable than your data if they give cybercriminals the ability to compromise email accounts and use your “trusted” domain to launch phishing attacks on the clients, suppliers, partners, etc. that they find in the next step. This alone is why ransomware is so pervasive and why you need to start from scratch on ALL of your accounts and systems BEFORE you even attempt to restore anything. Here at VARS, when we do Dark Web Scans, we see that this is the data that gets posted for sale before any ransom demands are made, and sometimes before any data is encrypted.
- Escalation of Privileges and Data Recon: With the usernames and passwords, they can now move about your systems unnoticed and unhampered as authenticated users. They quietly look for your sales numbers, your account lists, the data you cannot do business without, legal documents, images, etc. Of particular interest to them is your backup process and frequency.
- Sell your Sensitive Data: But why would they try to sell this before asking you for a ransom payment? Because your data’s value is at its highest while you are not yet aware that it is for sale on the Dark Web. Law firms, finance, healthcare, law enforcement, government: ask yourselves what organized criminals could do with your most sensitive data, especially while you are unaware that they have it. This includes your client lists. Note that at this point you have suffered a breach and must act accordingly.
- Compromise Backups: a few examples:
- Backups are unreadable or are entirely corrupted. This forces you to return to a point where the data is no longer relevant financially, or too much current data has been lost to continue operating normally.
- Clandestine installation of Remote Access Trojans or RATs, hidden within data they know you will back up every time. This allows them to come back and hit you again after you restore your data.
- If a RAT is installed, they can sell access to it to another criminal gang, who can hit you again once you think you have restored completely, sometimes even after you have paid the ransom.
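One defender-side check for the backup problems listed above, added here as an example and not part of the VARS post: keep an off-line hash manifest of every backup set and verify a restore candidate against it before restoring, so that corrupted files, missing files and files that were never part of the set (such as a foothold swept up by the backup job) are flagged before anything goes back into production. The file names and the suspect-extension list are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that should not silently appear in a data backup set (constructed list).
SUSPECT_SUFFIXES = {".exe", ".dll", ".ps1", ".vbs", ".js", ".scr"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256; store this copy off-line."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a restore candidate against the off-line manifest before restoring."""
    current = build_manifest(root)
    corrupted = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    suspect = [k for k in unexpected if Path(k).suffix.lower() in SUSPECT_SUFFIXES]
    return {"corrupted": corrupted, "missing": missing, "unexpected": unexpected,
            "suspect": suspect, "ok": not (corrupted or missing or unexpected)}


def demo() -> dict:
    """Constructed scenario covering the three backup problems the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("q1,100\nq2,120\n")
        (root / "contracts.docx").write_bytes(b"PK\x03\x04 constructed sample")
        manifest = build_manifest(root)                # the trusted, off-line copy
        (root / "finance" / "ledger.csv").write_bytes(b"\x00" * 16)  # corrupted in place
        (root / "contracts.docx").unlink()                          # lost from the set
        (root / "svchost_update.exe").write_bytes(b"MZ constructed")  # foothold swept into backup
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A backup that passes this check is only known to match what was captured; if the foothold was already present when the manifest was taken, the manifest itself has to be reviewed for unexpected entries.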
- Launch the Encryption: This is what organizations fear the most. Endpoints that are locked up and unusable, servers that are not responding, and databases that are unreadable. Your business comes to a complete stop. At this point, the criminals have already sold some, if not all, of your data and are now getting ready to squeeze the last juice out of the lemon.
- Ask for the Ransom: Once the ransom demand is sent, they will use those stolen lists to contact your clients and put pressure on you to pay quickly so that their data is not released as well. They know that the more time you have to react, the less likely they are to get the payment, or the amount, they asked for.
The key to avoiding all of this is ransomware prevention built from multiple layers of proven protection. The best-proven protection is 24x7x365 monitoring of your files, networks, systems, emails, and user activity for any suspicious behaviour, with the ability to automatically mitigate, isolate and remediate threats in real time. With this sort of protection in place, criminals will move on to an easier target, as it becomes much harder for them to get into your systems without being caught.