By: Casey Allen with Concentric
Where there is commerce, thar be pirates! The techniques, tactics, and procedures of modern-day pirates have expanded significantly since the Lukkan buccaneers first raided Cyprus back in the 14th century. The practice of maritime piracy is still alive and well, but as technology has advanced from bronze to blockchain the booty of choice for 21st-century corsairs has evolved from gold to Bitcoin. Data has become the world’s most valuable commodity, and the submarine communications cables that form the backbone of the internet are the shipping lanes for trillions of dollars worth of global commerce. With so much at stake, it should come as no surprise that cybercriminals continue to raise the Jolly Roger in digital form.
Ransom has been a staple of the pirate’s playbook since Teuta, the Pirate Queen of Illyria, captured the Epirus capital city of Phoenice in 231 BCE. Queen Teuta was successful in holding the city hostage long enough to force the Epirotes into paying her a ransom to release their citizens and vacate its borders. The extent of Queen Teuta’s means, the sophistication of her organization, and the insatiability of her greed made her an “Advanced Persistent Threat” (APT) to victims all over the Mediterranean. As cybercriminals have become more sophisticated and organized, they too have become APTs, with their reach extending the entire breadth and depth of our information superhighways.
Ransomware is a specific type of malware that infects information systems with the goal of making them inaccessible until a ransom is paid in exchange for restoring the victim’s access. Such a disruption can be crippling for an organization, often leaving leadership with no other choice but to submit to the ransomer’s demands in order to resume normal operations as quickly as possible. Information security professionals and government agencies agree that paying these ransoms is incentivizing future attacks, and should only be done as a last resort. However, without adequate alternatives, the average cost of downtime remains 24 times higher than the average ransom amount, resulting in ransom payment being considered the most expedient and cost-effective solution for the victim.
The U.S. Department of Treasury announced in October of 2020 that companies facilitating payments on behalf of ransomware victims may be in violation of federal law if the cybercriminals are on a list of sanctioned entities identified by OFAC (Office of Foreign Assets Control). Several states have followed suit and begun drafting legislation that would criminalize paying these kinds of ransoms. There is significant debate in the security community as to whether or not this outright ban on paying ransoms would cause more harm than good. Banning ransom payments would almost certainly result in the creation of another black market to facilitate these transactions and discourage victims from reporting ransomware incidents to the authorities. A similar position was taken by the USG in response to hostage ransom payments by families. Ultimately, however, punishing the victim was determined to be an ineffective—and unethical—deterrent, nor did we see ripples of that preclusion within the international hostage-taking market. The Treasury Department’s recent involvement in cyber extortion response, specifically their success in returning $2.3M of the $4.4M ransom paid for the Colonial Pipeline extortion event, is a significant demonstration of the benefit of including the USG in extortion response efforts.
The scale and sophistication of ransomware attacks have been steadily increasing since Joseph Popp—widely credited as the father of digital ransom—first attempted to extort victims of the PC Cyborg Trojan he authored nearly 30 years ago. Once a system had been infected, Popp’s malware asked victims to send $189 to a post office box in Panama in exchange for a repair tool. By comparison, the largest single payout for ransomware to date was made in May of 2021 by CNA Financial in the amount of $40M worth of Bitcoin.
The final step in any sales funnel is always the completion of a financial transaction. One of the major enabling factors for the profitability of cybercrime has been the proliferation of cryptocurrency. $40M worth of pirate booty would weigh around 1,370 pounds in the form of gold, or just over 880 pounds in the form of $100 bills. Bitcoin, on the other hand, weighs absolutely nothing. Not only is cryptocurrency easy to store and move around, but it’s also hard to track and easy to launder. While this is advantageous for the attackers it can present additional challenges for their victims.
Many organizations that fall victim to ransomware don’t have the liquidity to pay such ransoms, let alone cryptocurrency assets on their balance sheets. Ransomware attacks typically involve a ticking clock intended to create a sense of urgency in victims. The time factor compounds victims’ panic by threatening to delete their data permanently if the ransom isn’t paid by a certain deadline. For organizations who don’t have any backups of their data, this could be the iceberg in their hull that sinks them for good. For organizations who have the means and foresight to maintain robust backups, attackers will often threaten to publish their sensitive data and invaluable intellectual property if their ransom demands aren’t met; this trend is called “double extortion”. For victims scrambling to make ransom payments, getting their hands on enough cryptocurrency can be a challenge. Cash is still king in terms of liquidity. Even Bitcoin—easily the most liquid of all cryptocurrencies—isn’t anywhere close to fiat currencies in terms of its liquidity. The popularity of Bitcoin has led to dramatic increases in the volume of transactions, which can lead to significant delays in conversions and transactions. When evaluating the risk ransomware poses to your organization it is critical to consider these secondary and tertiary risks beyond the inability to access your data.
If your organization maintains digital assets of any significant value, the possibility of falling victim to a ransomware attack should be high on the heatmap of your risk assessment. However, there are steps individuals and corporations can take to ensure that an extortion-level event does not become an extinction-level event. So, what can you do to not be a victim of piracy on the IPs?
- Prepare. Conduct a business impact assessment to understand the impact a cyber extortion event could have on your organization. This should include a financial analysis for potential ransom responses and techniques for ransom payment, if necessary. Develop a robust incident response plan and conduct table-top exercises on a regular cadence to build muscle memory, test its efficacy, and identify gaps.
- Prevent. Use a password manager and long, strong, unique passwords in conjunction with multi-factor authentication wherever possible. Keep systems up-to-date to limit vulnerabilities and restrict access to information systems according to the principle of least privilege. Educate your workforce with engaging security awareness training, especially with respect to identifying and reporting phishing emails.
- Partner. Experts in the cyber crisis field can assist you prior to and during these extortion events. All too often ransomware victims wait to reach out until after the breach has occurred. For best results, it is highly recommended to establish a relationship with a trusted partner prior to an incident occurring to enable efficient and effective solutions.