Binary Check Ad Blocker Security News

We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.

The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.

The Report confirms what we are seeing in the field and shows how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining other groups. Maze wreaked havoc last year when it started exfiltrating data from victims before dropping the ransomware and then threatening to publish the data if the company did not pay.

The Report is a must read, but here are some highlights (depressing as they are):

  • There is no guarantee that if you pay a ransom in exchange for deletion of stolen data the attackers will actually delete it, or that they will not come after you again. (They are criminals, after all.) In Q3, exfiltration of data before the ransomware was deployed doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
  • Although Maze is allegedly out of business, others have copied its data-exfiltration tactics, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to be Maze's successor. Sodinokibi has re-extorted victims after they have paid the ransom.
  • Some gangs provide fake proof that they have your data to get you to pay.
  • There is no guarantee that the exfiltrated data will not be sold to other groups.
  • Ransom demands are increasing.
  • The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
  • WastedLocker, Nephilim and Avaddon made it into the top 10 list of market share of ransomware variants.
  • More than 50 percent of all attacks gained initial access through compromised Remote Desktop Protocol (RDP) connections. Coveware sees this as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP.
  • Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
  • The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
  • The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
  • Ransomware is a disproportionate problem for small and medium-sized businesses. The median victim company had 168 employees, up 68 percent from Q2 2020.
  • Most victims of ransomware have less than $50 million in annual revenue.
  • Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
  • The average downtime for victimized businesses is 19 days.

These statistics deserve close attention and should inform risk management priorities. It is clear from the Report that addressing RDP exposure and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in RDP-based attacks is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”
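Because RDP compromise is the leading initial-access vector in the Report, the first practical check is whether anyone is guessing passwords against your RDP endpoints. The following is an added example written for this page, not code from Coveware or the Report: it parses a small set of constructed Windows Security log events (4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding time window, and reports whether the same address subsequently logged in successfully. The log format, thresholds and IP addresses are assumptions for illustration; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export of Windows Security log events (invented for this
# example, not a real capture). The field names follow the 4624/4625 event
# schema; LogonType 10 is RemoteInteractive, i.e. an RDP session. One line
# per event, which is an assumed export format rather than raw EVTX.
SAMPLE_EVENTS = """\
2020-10-12T03:14:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2020-10-12T03:14:03Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-10-12T03:14:05Z 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5
2020-10-12T03:14:06Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-10-12T03:14:08Z 4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.5
2020-10-12T03:14:09Z 4625 LogonType=10 TargetUserName=sql_svc IpAddress=203.0.113.5
2020-10-12T03:15:30Z 4624 LogonType=10 TargetUserName=sql_svc IpAddress=203.0.113.5
2020-10-12T08:02:11Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-10-12T08:02:40Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-10-12T09:00:00Z 4625 LogonType=3 TargetUserName=svc_web IpAddress=192.0.2.9
2020-10-12T09:00:01Z 4625 LogonType=3 TargetUserName=svc_web IpAddress=192.0.2.9
2020-10-12T09:00:02Z 4625 LogonType=3 TargetUserName=svc_web IpAddress=192.0.2.9
2020-10-12T09:00:03Z 4625 LogonType=3 TargetUserName=svc_web IpAddress=192.0.2.9
2020-10-12T09:00:04Z 4625 LogonType=3 TargetUserName=svc_web IpAddress=192.0.2.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d{4}) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse one event per line into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "id": int(m["id"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """
    Flag source IPs that produced at least `threshold` failed RDP logons
    (4625, LogonType 10) inside any `window`, and record whether the same IP
    then logged in successfully (4624), which is the sign that a guess worked.
    Returns {ip: {"failures": n, "users": [...], "success_as": user_or_None}}.
    Network logons (LogonType 3) are ignored here; they belong in a separate rule.
    """
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["ts"])
    failures_by_ip = defaultdict(list)
    for e in rdp:
        if e["id"] == 4625:
            failures_by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures_by_ip.items():
        # Sliding window over the time-sorted failures: size of the densest burst.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_fail_ts = fails[0]["ts"]
        success = next(
            (e for e in rdp if e["ip"] == ip and e["id"] == 4624 and e["ts"] >= first_fail_ts),
            None,
        )
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({f["user"] for f in fails}),
            "success_as": success["user"] if success else None,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        outcome = f"then logged in as {info['success_as']}" if info["success_as"] else "no success seen"
        print(f"{ip}: {info['failures']} failed RDP logons across "
              f"{len(info['users'])} accounts, {outcome}")
```

On the sample data only 203.0.113.5 is flagged: six failures against six different accounts in eight seconds, followed by a successful logon as sql_svc, which is the pattern of a password spray that landed. The single failure from 198.51.100.7 is a normal user mistyping a password and stays below the threshold. A hit with `success_as` set should be treated as an active intrusion, not a noisy scanner; the same logic also argues for the controls the Report implies, namely not exposing RDP to the internet at all and requiring multi-factor authentication where remote access is unavoidable.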

As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.


On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

The advisory acknowledges that ransomware attacks on U.S. companies have risen during the COVID-19 pandemic. Although the advisory does not say that companies have been paying ransoms when they are victimized, it has been publicly reported that companies have paid, particularly when data has been exfiltrated and the cybercriminals threaten to post it online unless a ransom is paid in exchange for a promise of destruction, which is the scheme Maze pioneered.

The advisory warns that paying ransoms “not only encourage future ransomware payment demands, but also may risk violating OFAC regulations.” The advisory “describes these sanctions risks and provides information for contacting relevant U.S. government agencies, including OFAC, if there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”

If you want to read a well-written history of ransomware, read the advisory, as it lays out nicely the evolution of ransomware and its effect on businesses.

According to OFAC:

“[F]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

OFAC further states that “[C]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” The advisory notes that OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning a company can be held liable even if it did not know, or have reason to know, that it was transacting with a sanctioned person.

In light of the advisory, OFAC:

“encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses) (emphasis ours). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”

The OFAC advisory is a stark warning for anyone responding to ransomware attacks. It lays out considerations that should shape your incident response plan, questions to ask your cyber liability insurer about coverage for ransom payments, and how the sanctions risk of a ransomware payment should be reflected in your enterprise-wide risk management program.