According to reports, Minnesota-based business travel company CWT is the latest victim of the newest trend in ransomware.

In fact, we’re probably at the point where we need to stop calling them just “ransomware” attacks, because it’s increasingly common that there’s a lot more to these attacks than just keeping you out of your files, which is how we usually think of ransomware.

When ransomware first became big news thanks to malware such as CryptoLocker, back in the early 2010s, the crooks behind the crime deliberately chose to use in-place encryption to lock up your business.

They didn’t need to do it that way – they could have stolen all your files first and then deleted the copies off your computer, and then sold you back your files.

They could have proved they had the files by inviting you to name a couple and then sending them back for free – given that they wouldn’t know which names you’d pick, this would probably convince you that they had all the others, too.

But that approach would have been slow, and troublesome, especially when the crooks were targeting as many victims as possible and aiming to make $300 a time out of hundreds of thousands of people.

Back then, the average home user or small business on an ADSL connection just didn’t have enough upload bandwidth to make this sort of attack practicable – and getting the files back to victims who paid up would have been unreliable, too, which would have discouraged people from paying up on technical grounds as well as moral ones.

So the crooks encrypted the files in place, and all they needed to upload to themselves (and hide from you) was the decryption key – data that you could fit into a single network packet.

The encryption happened at hard disk speed, not network speed, so it was harder to spot, and the early crooks went out of their way to provide the decryption keys to those who paid up as quickly as they could – paradoxically building up a reputation as “crooks who could be trusted”.

Well, the ransomware crooks are still scrambling your files in place, because that doesn’t just derail your business operations but also rubs the attack right in everyone’s face.

Your files are all there – you can see them, with the right names in the right directories – and in some ransomware attacks the crooks cynically don’t encrypt the first few thousand bytes of each file, so you can reach out and touch the contents if you want – or so it seems.

So near, but yet so far!

The good news is that, by now, many companies have adapted to the ransomware threat in two ways:

  • Organisations are less inclined to pay up if they can possibly help it, because it feels all wrong, and law enforcement understandably urges victims not to pay up and feed the criminals.
  • Organisations have got better at backup and disaster recovery, so they are increasingly likely to be able to recover on their own.

A recent survey conducted by Sophos suggests that self-recovery after a ransomware attack typically costs much less than paying the crooks, for the simple reason that even after the crooks send you the decryption program, you still need to run it across all your systems, which requires much the same sort of time and effort as restoring backups. Ransomware decryptors aren’t magic bullets that instantly recover your data as soon as they hit your email inbox.

The bad news is that the crooks have adapted, too.

Some ransomware gangs not only scramble your files, but also steal the unencrypted copies first.

Given that ransomware gangs now mainly target businesses, where outbound network bandwidth is typically much better than on home networks, the crooks really can upload large tranches of data before encrypting files in place.

And given the low cost and easy availability of cloud storage, they don’t have to worry about running out of disk space.

In fact, they don’t need to steal all your files – just a sufficient quantity of juicy ones that they can prove their point.

You can’t be sure how much they did steal, but if they can wave even just a few potentially damaging samples in your face, you have to assume that they stole everything that matters.

Their ransomware demands are therefore no longer just sort-of blackmail; they absolutely are blackmail: “Pay the money or we’ll spill your trophy data to your customers, to the data protection regulators, to the SEC, to your competitors, heck, to anyone who wants to see it; and no amount of backup will save you from the fallout from that.”

So the ransom demand now has a double bite – you don’t have access to your data, but everyone else in the world soon will!

In CWT’s case, reports suggest that the criminals claim to have scrambled files on 30,000 computers and to have uploaded 2 terabytes of company data.

Although those high numbers sound doubtful, the double pressure was sufficient to put CWT between a rock and a hard place.

Apparently, the company finally settled with the crooks (we’re not sure “settled” is the right word, but that’s how the criminals treat these matters, as though they’re legitimate businesspeople) on paying $4,500,000 – in Bitcoin, of course – instead of the $10m that the crooks wanted at the start.

In return, they received the cryptographic material to decrypt the scrambled files, and a “promise” from the criminals that the stolen data is now gone for good.

(Assuming, of course, both that the crooks are telling the truth, and that the crooks themselves didn’t get hacked and have the data stolen from them in the interim via whichever cloud system they were holding it in.)

What to do?

  • Use anti-ransomware tools to block file scramblers as early as you can. Even if no data gets stolen and you have comprehensive backups, recovering scrambled files costs time and money.
  • Protect your login portals to stop outsiders getting access in the first place. Ransomware attacks often start through forgotten, insecure or unpatched systems, notably RDP servers (remote desktop protocol) that are there to let your own IT staff in. Don’t let crooks sneak in via the same route.
  • Watch your logs. Most ransomware attacks are preceded by telltale signs, if you know what to look for and take the time to look. Existing malware can create backdoors for ransomware crooks; the creation of new but unexplained accounts usually indicates crooks spreading their wings; and the presence of sysadmin tools where you wouldn’t expect them is a sign of crooks preparing to pounce.
  • Never give up on user awareness. Use tools such as Sophos Phish Threat to train your users to recognise scammy emails – phished passwords are also a common way for ransomware criminals to get in and form their beachhead. Set up an internal email or telephone reporting line where users can report nascent attacks and get the whole company to be eyes and ears for the security team.
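As an added illustration of the “protect your login portals” and “watch your logs” advice above (this is example code written for this page, not a Sophos tool or anything from the CWT reports), the script below runs three simple detections over a handful of constructed Windows-style security log lines: an interactive RDP logon from outside the organisation’s address ranges, a user account created by someone who is not an approved provisioner, and a known sysadmin tool launched from a directory where it was never installed. It also correlates later activity by any account that was created outside the normal process. The log format, host names, user names, IP addresses, approved-provisioner list, tool list and expected install directories are all assumptions made up for the example; a real deployment would read the equivalent fields from your SIEM.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines (not from any real incident) in a simplified
# "timestamp host event_id key=value ..." shape. The event IDs mirror the
# Windows Security log (4624 logon, 4720 user account created, 4688 process
# created); the hosts, users and addresses are made up for this example.
SAMPLE_LOGS = r"""
2020-07-27T02:11:03Z fileserver01 4624 LogonType=10 User=svc_backup Src=203.0.113.45
2020-07-27T02:14:51Z fileserver01 4720 NewUser=adm_tmp Creator=svc_backup
2020-07-27T02:16:09Z fileserver01 4688 Image=C:\Users\Public\psexec.exe User=adm_tmp
2020-07-27T02:16:40Z fileserver01 4688 Image=C:\Windows\System32\whoami.exe User=adm_tmp
2020-07-27T09:00:12Z workstation07 4624 LogonType=2 User=alice Src=10.0.5.17
2020-07-27T09:05:44Z workstation07 4688 Image=C:\Program Files\Tools\procexp.exe User=alice
"""

# Assumptions about the monitored organisation (hypothetical values):
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_PROVISIONERS = {"hr_provisioning"}            # accounts allowed to create users
ADMIN_TOOLS = {"psexec.exe", "procexp.exe", "putty.exe", "winscp.exe"}  # legitimate admin tools
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<rest>.*)$")
# key=value pairs; the lazy value stops at the next " key=" so paths with spaces survive
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    rule: str
    ts: str
    host: str
    detail: str


def parse_line(line):
    """Split one log line into (timestamp, host, event_id, fields), or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return m.group("ts"), m.group("host"), int(m.group("eid")), fields


def is_internal(addr):
    """True if addr falls inside the organisation's own ranges (documentation
    and other special ranges deliberately do NOT count as internal here)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Run the detections over the log text, in the order the lines appear."""
    alerts = []
    unvetted = set()  # accounts created outside the approved provisioning process
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, eid, f = parsed
        # 1. Interactive RDP logon (type 10) from outside the internal ranges:
        #    the "forgotten RDP server" way in.
        if eid == 4624 and f.get("LogonType") == "10" and not is_internal(f.get("Src", "")):
            alerts.append(Alert("rdp_external_logon", ts, host, f"{f.get('User')} from {f.get('Src')}"))
        # 2. A new account created by someone who is not an approved provisioner.
        if eid == 4720 and f.get("Creator") not in APPROVED_PROVISIONERS:
            unvetted.add(f.get("NewUser"))
            alerts.append(Alert("unexpected_account_created", ts, host, f"{f.get('NewUser')} by {f.get('Creator')}"))
        # 3. A known admin tool launched from a directory where we never install it.
        if eid == 4688:
            image = f.get("Image", "").lower()
            exe = image.rsplit("\\", 1)[-1]
            if exe in ADMIN_TOOLS and not image.startswith(EXPECTED_DIRS):
                alerts.append(Alert("admin_tool_unusual_path", ts, host, image))
        # Correlation: anything done by an unvetted account deserves a look.
        if f.get("User") in unvetted:
            alerts.append(Alert("activity_by_unvetted_account", ts, host, f"{f['User']} event {eid}"))
    return alerts


def count_by_rule(alerts):
    """Tally alerts per rule, handy for a daily summary."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

On the sample data the script flags the chain the article describes: an RDP logon from an outside address, an account created moments later by that same login, and an admin tool run from a user-writable folder by the new account. Note that `is_internal` uses an explicit list of the organisation’s ranges rather than Python’s `is_private`, because `is_private` also treats documentation ranges such as 203.0.113.0/24 as private, which would hide the first alert.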

Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner