Surviving ransomware is possible with a combination of preparation and intentionality. Often, there is a misguided characterization of ransomware attacks that implies defenders either completely thwart an attack or that attackers establish complete control of their targets’ IT infrastructure. But the past couple of years have illustrated that defenders’ success in dealing with ransomware attacks fall along a broad spectrum of potential outcomes, some obviously better than others.
It’s also easy to imagine that all groups who are in the ransomware business have the same skills, aim for the same goals, and operate under the same business models. But as is the case in any industry vertical, ransomware groups come with a wide range of skills and a variety of goals and business models.
And while it’s in vogue to refer to REvil and DarkSide as “franchise models” which supply Ransomware-as-a-Service, it is important to remember that the franchisees are effectively freelance cybercriminals. The franchiser provides back-office operations for these freelancers while exerting little influence on how they otherwise operate.
Given the above, let’s consider each of the factors that may affect an attack’s outcome.
Attacker Skill and Persistence
The skills of the attackers and the skills of the defenders – plus some elements of luck – generally determine the possible extent to which an attack could progress:
- Low skills: Some attackers may be skilled at attacking organizations with lagging security practices but will often meet their match in organizations that have robust defenses
- Wrong skills: Attackers with skills and tooling useful in attacking traditional data centers will have trouble breaking into targets who have moved everything to the cloud
- Bad luck: Organizations who are generally locked down but may have a temporary exposure which an attacker happens to stumble across
- Good luck: Organizations who have left a persistent opening (e.g., open RDP access to the outside in an AWS enclave) may have a run of good luck as no attacker encounters it
Attacker Goal
Attack groups may also specialize in leak-centered vs. operation-centered goals.
Leak-centered goals involve exfiltrating and threatening to leak confidential data belonging to the targeted organization. The most valuable data in this regard is often data related to the target’s customers and employees as the potential for reputational and legal liability acts as a strong incentive for ransom payment.
Alternately, public disclosure or sale of intellectual property or trade secrets can also warrant the payment of ransom. The playbook for such attacks generally involves sending the victim a sample of the data to show what the attacker has. From there, it can escalate to publicizing a data sample and contacting the victim’s customers to apply pressure to the victim to pay the ransom.
An example of an attack with a leak-centered goal was the REvil-associated attack on Quanta, which exfiltrated specs of future Apple product designs. The attackers first demanded a $50m ransom from Quanta but soon decided that Apple had deeper pockets and tried to extort $50m in return for not publicly leaking the data or selling it to an Apple competitor.
Operation-centered goals involve attempts to cripple the ability of the victim organization to continue to operate. These attacks sometimes focus on traditional IT systems and at other times target systems which act as OT (Operational Technology), but which are often assembled from legacy IT (e.g. Windows NT) technology.
The exfiltration of confidential data and public leak or sale of the data is usually not present in this scheme. The DarkSide-associated attack on Colonial Pipeline (who paid $4.5m in ransom) and the REvil-associated attack on JBS Foods (who paid $11m in ransom) squarely targeted this goal: the ransoms were paid to try to ensure quick recovery in the ability of the companies to resume normal operations.
Degrees of Success
Several factors (including luck) constrain the possible outcomes of a ransomware attack. Possible outcomes include:
- The attackers make insufficient progress on a targeted organization and give up. This may be due to the perceived degree of difficulty in successfully carrying out the attack or because some other targets that the attackers are simultaneously pursuing look more promising. Think of this as opportunity cost. Either way, no ransom is demanded.
- The attackers succeed to a point and believe themselves to have some leverage in demanding a ransom, but the ransom is ultimately not paid. The outcome in these cases is often some operational impact or reputational harm, but ultimately survival and (hopefully) a sense of renewed commitment to cyber security.
- The attackers succeed to a point and the ransom request is modest enough that the victim may choose to pay the ransom as it is less costly than the recovery effort would be. This may also be influenced by the victim having a cyber insurance policy which provides ransomware coverage.
- The attackers get access to the crown jewels and effectively can prevent the victim organization from operating their business. In this case, the victim organization may pay the ransom (Colonial Pipeline, JBS Foods) and restore services relatively quickly. Or they refuse to pay it (see the RobbinHood attack of the city of Baltimore or the Samsam attack on the city of Atlanta) and basically end up rebuilding their IT infrastructure from the ground up.
Takeaways
You should tabletop various scenarios covering attackers pursuing both leak-centered and operations-centered goals and consider your reactions to partial and complete success by the attackers:
- Know the extent of your cyber insurance policy and what limitations it has.
- If it comes to a ransom request, will your cyber insurance provider provide someone to handle ransom negotiations?
- Do you have an incident response firm on retainer?
- How robust is your disaster recovery plan?
Many of these types of questions will surface from tabletop exercises which will help you be more prepared should the fateful day arrive.