This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on constant threats and ransomware.
Ransomware continues to be one of the most dangerous and persistent threats impacting organizations across all industries. March 2023 broke records in the number of ransomware attacks identified with nearly 460 incidents recorded in a single month. Thus, it’s hardly surprising that it was a hot topic of conversation at RSAC 2023.
In Ransomware 101: Get Smart Understanding Real Attacks, Jibran Ilyas, Consulting Leader at Mandiant/Google Cloud, opened his session by highlighting the financial impact of ransomware noting the average ransom demand today ranges between $30 to $40 million. And that is only the cost of the payment to an attacker. Then, there are the operational costs such as downtime to critical business services, and costs that are sometimes more difficult to measure such as the loss of trust from customers and business partners.
Ilyas highlighted the top infiltration tactics and walked through a real-life attack that started with a spear phishing email to a recipient from a trusted business partner. Before doing a demo, Ilyas emphasized the cleverness of the attack and how social engineering is central to success. “There is the technical piece of it which is brilliant. But what I want you to note is how the attackers don’t break the social engineering chain. They are dealing with a human at the other end. Unlike other attacks, there is a lot of human contribution in it.”
Several types of data exfiltration tactics were also covered in the session. One of the most popular, Ilyas noted, was using third party apps to transfer data. “Once they have that deep access into the network, they can use a utility like Megasync to sync all the folders they set out to take. It’s much easier for them because they don’t have to sit there and wait for data transfers to happen or manually do it.” He also shared how attackers are innovating and now deploying custom data uploaders.
While Ilyas closed his session on negotiating with attackers and when to make a decision to pay, panelists in the session, Mapping the Ransomware Payment Ecosystem and Opportunities for Friction, took a deep dive into the complexities of the system and what can be done to make it more difficult for ransomware actors to profit from their crimes.
Zoe Brammer, Senior Analyst at the Institute for Security and Technology, started by highlighting the Ransomware Task Force which was launched in April 2021 with the goal of providing recommendations to mitigate the threat of ransomware. “One of the central pillars of these recommendations was to disrupt the profitability of ransomware and disincentivize actors from carrying out attacks,” Brammer stated.
Cryptocurrency is the payment type demanded in nearly all ransomware attacks; Bitcoin accounts for about 98% of those payments. Once a victim goes through the process of acquiring the cryptocurrency and making a payment to the attacker, the process of obfuscating the funds begins. Bammer stated, “While you don’t need to give your full name and address to use a cryptocurrency wallet, your identity does exist in that it’s traceable on the blockchain.” However, bad actors obfuscate their identity on the blockchain using many methods including exchanging cryptocurrency for other types of crypto assets and P2P exchanges. Crypto mixers, a service that blends the cryptocurrency of several users to make it more difficult to trace the origin or owner of specific funds, is also a common method.
Jacqueline Koven, Head of Cyber Threat Intel at Chainalysis, has thoroughly followed the payment paths of ransomware actors noting that transparency is actually one of the benefits of cryptocurrency. “We can actually track that ransom payment made to a threat actor, and it doesn’t go straight to the bank. They have a lot of expenses they’ve racked up. There are multiple people involved, multiple tools and services. A lot of these services take payment in crypto.”
A lingering question throughout the industry and across law enforcement has been “to pay or not to pay” an attacker. In the U.S., there is no law that prohibits an organization from paying a ransom demand (with the exception to any entity on the OFAC sanctions list), however, the Federal Bureau of Investigation (FBI) has taken an official position to not support the paying of ransom demands. The EU law enforcement agency, Europol, has taken a slightly different approach through its No More Ransom initiative which offers over 130 decryption tools to help businesses unlock their encrypted files.
So why not outright ban ransom payments to attackers? Australia is the latest country being pushed to outlaw such payments after a large consumer lender was hit by a ransomware attack resulting in the loss of nearly eight million driver’s license numbers and other customer records. However, Koven offered a different perspective against criminalizing ransom payments. “Penalizing or revictimizing victims would diminish reporting,” she stated. It is critical to have the ability to track ransom payments to quantify success and quantify the impact of policy decisions. She continued, “By being able to trace payments to a service that might lead to attribution or interception or seizure and trace to the infrastructure providers, we can really hone in on the centers of gravity of these attacks. We see reuse of the same bulletproof hosting providers and VPN services which can also open up a lot of policy options and opportunities for disruption.”