Brian Linder is an Emerging Threats Expert and Evangelist in Check Point’s Office of the CTO, specializing in the modern secured workforce. Brian has appeared multiple times on CNBC, Fox, ABC, NBC, CBS, and NPR radio, and hosts Check Point’s CoffeeTalk Podcast and Weaponizers Underground, and has teamed on keynote CyberTalks at Check Point’s CPX360 events. For 20+ years, Brian has been an advisor at the C-level to firms big and small in financial, legal, and telecommunications, on next generation cyber security solutions and strategies for cloud, mobile, and network. Brian holds a B.S. in computer science from Drexel University and an M.S. in Information Science from the Pennsylvania State University.
In this thought leadership interview, Brian Linder provides the inside scoop on ransomware. Discover why ransomware is running rampant and get essential information that can help you sidestep triple extortion threats.
How has ransomware’s evolution contributed to its proliferation (and success)?
Ransomware is not new, but notable stories in the media have elevated its visibility. Everybody’s talking about it. There are two key points here:
- Ransomware has evolved into a cottage industry; a business sector; a market sector.
Ransomware is now a sophisticated and profitable endeavor where platforms, partners and revenue sharing all occur in highly organized ways. Many ransomware attacks begin with something called Ransomware-as-a-Service, which is nothing more than a platform that somebody has developed. Imagine a ransomware platform where you can shop. Perhaps there’s a virtual shopping cart. A user can rent tools and invest money in those tools to launch an attack. This is one of the ways in which ransomware has really evolved over time.
Hackers no longer have to invent their own ransomware tools. There’s a whole industry of platforms out there operated by ransomware gangs that individual hackers can partner with. Hackers can now plug-and-play, launching ransomware attacks with a few clicks of a button. This has made ransomware a highly accessible kind of attack.
2. Secondly, we see an emphasis on scalability.
Now, what do I mean by that? Well, one of the common objectives for a ransomware attacker is to amplify their attack. Amplification means that instead of attacking one customer, a hacker attacks a target that then yields a high volume of secondary targets.
For example, when the IT firm Kaseya was hit with a ransomware attack, their clients were also affected. And, because Kaseya is a managed service provider, their client’s clients were also hit with ransomware. Managed service providers have customers such as dentists’ offices and other small businesses that have no ideas as to what Kaseya is or what a ransomware attack is; nor do they care.
However, hackers might approach smaller affected businesses in order to extort them for, say, $10,000 or $100,000. In order to restore systems quickly, these smaller organizations might feel coerced into paying the extortion fees.
As a result of the Kaseya attackers’ planning, the attackers managed to amplify their attack. In turn, this generated greater potential for profit on the part of the hackers. The point is that ransomware attackers can now leverage these new platforms to maximize their profits.
Can you talk a bit about another major point in ransomware’s evolution; extortion?
We all know what extortion is; either you do something for me or I will hurt you. This is the general idea of extortion. Well, let me explain how extortion has evolved in the ransomware world…
If I were a bad actor, I would encrypt a machine and make you pay for recovery. You want your pictures and your data back? You’ve got to pay me money.
That money would take the form of cryptocurrency or some other untraceable payment form. If it worked well, you would get a decryption key, and then you would decrypt it and that’s the end of it.
However, the ransomware actors have become more sophisticated than ever. They’ve determined new means of gaining leverage over victims. One common practice includes using multiple dimensions of extortion.
Contrary to popular belief, it isn’t the case that a victim downloads malware and five minutes later, all files are encrypted. It’s not quite that simple. These days, most ransomware attacks begin with an extended period of reconnaissance and exfiltration.
Can you speak to that further?
During the reconnaissance and exfiltration process, the malware lives in the company’s network, unobserved. It quietly searches for customer data, for blueprints related to critical business resources, for analyst lists, for trade secrets…etc., and then it exfiltrates the information. This privately owned data is then used as leverage later on.
In a concrete example of this, within the Colonial Pipeline ransomware attack, one of the scarier aspects was that hackers may have obtained plans –blueprints- for the pipeline itself. Now, you can imagine a blueprint of a pipeline ending up on a place like the dark web. A nation state might be willing to pay a lot of money for those plans. Or, hackers might approach the pipeline and say ‘you can pay me a ransom and we won’t release the data that we’ve stolen from you.’
Let me take it up one more level
Cyber security researchers have begun to investigate something called triple extortion. I’ll explain.
The first level of extortion is encrypting the data, then demanding that you pay to have that data returned to you. The second level of extortion involves pressuring victims to pay by threatening to otherwise disclose sensitive data. Then, hackers start in on phone numbers and customer names, and having an automatic Robo caller dial customers, telling them in a pre-recorded message that their data has been compromised. Further, Robo callers will state that the company data might be sold and identities could be stolen.
All of these things are then held as leverage. They’re extortion vectors. Hackers will say ‘so you don’t want to pay the ransom? We’re going to do all these things.’ They might:
- Release data about your organization or sell the data
- Robo call your customers
- Robo call analysts
- And on top of that, computers and systems will remain encrypted
So you can see how a tremendous amount of leverage is built up through the use of these multiple dimensions of extortion. This is a “golden” attack technique, in that it improves effectiveness and efficiency for hackers.
PS. Don’t forget to sign up for the Cyber Talk newsletter here.