CyberWire Daily - Cybercriminals shift tactics from disruption to data leaks. [CyberWire-X]
Episode Date: July 17, 2022
On this episode of CyberWire-X, we examine double extortion ransomware. The large-scale cyber events of yesterday – Stuxnet, the Ukraine Power Grid Attack – were primarily focused on disruption. Cybercriminals soon shifted to ransomware with disruption still the key focus – and then took things to the next level with Double Extortion Ransomware. When ransomware first started to take off as the attack method of choice around 2015, the hacker playbook was focused on encrypting data, requesting payment and then handing over the encryption keys. Their methods escalated with Double Extortion, stealing data as well as encrypting it - and threatening to leak data if they don't receive payment. We've seen with ransomware groups like Maze that they will follow through with publishing private information if not paid. In the first part of the show, Rick Howard, the CyberWire's CSO, Chief Analyst, and Senior Fellow, talks with Wayne Moore, Simply Business' CISO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Nathan Hunstad, episode sponsor Code42's Deputy CISO. They discuss how classic ransomware protection such as offsite backups is no longer enough. They explain that Double Extortion means that you need to understand what data has been stolen and weigh the cost of paying against the cost of your data going public.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey, everyone.
Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire.
In today's episode, we are talking about double extortion ransomware.
A program note: each CyberWire-X special features two segments.
In the first part, we'll hear from an industry expert on the topic at hand.
And in the second part, we'll hear from our show's sponsor for their point of view.
And since I brought it up, here's a word from today's sponsor, Code42.
Did you know that there's a one in three chance that your company will lose intellectual property or IP when an employee quits?
Cybersecurity teams are facing unprecedented challenges when it comes to protecting sensitive corporate data from exposure, leak and theft.
The annual data exposure report of 2022 from Code42 revealed three key trends that are accelerating insider risk.
First, the continued adoption of cloud technologies and a lack of visibilities into them.
Second, the impact of the great resignation and departing employees' theft of IP and sensitive data.
And third, the challenges of the new hybrid remote workforce and uncertainty over how to address it.
As insider risk grows, Code42's insider risk management approach
helps protect data without slowing down the business. Learn more at code42.com
slash showme. And we thank Code42 for sponsoring our show.
I'm joined by Wayne Moore, the Chief Information Security Officer for Simply Business,
a business insurance company based out of London.
And Wayne is one of our regular subject matter experts here at the CyberWire's Hash Table.
Wayne, thanks for coming on the show.
It's nice to be back. Thanks, Rick.
So, Wayne, here in America, it feels like we've turned around twice,
and all of a sudden, double extortion ransomware is everywhere.
And probably our highest profile double extortion ransomware attack to date is the Colonial Pipeline ransomware attacks of 2021.
Are you all seeing the same thing across the pond in the UK?
Is double extortion ransomware just the standard practice now everywhere we are?
Yes, definitely.
It seems to be the default approach now.
So, just explain to our audience what that is.
What's double extortion ransomware?
Why don't we give it that really fancy name?
Well, it started out with, originally, ransomware was once they'd infected your systems,
they'd demand some money for you to get some keys to restore those systems.
But as we got wiser and smarter, I hope most of us anyway,
we learned that good backup strategies were what was going to help us get through and mitigate that
risk. But obviously, as we got better at restoring our systems and meeting those RTOs, our adversaries
realized, well, they're still going to make their money. And they found another novel way to extort
us for some cash. So they decided that they would start publishing or threatening to publish the information that they have managed to exfiltrate as part of the attack to either publicly online or to competitors or wherever.
But it's that additional threat after your systems have been locked up to try and get you to pay regardless of whether you can restore your systems or not.
So five years ago, the standard defense against the old-fashioned ransomware, like you said, was simply just to have a good backup
program. So even if the bad guys encrypted all of your data, like they did in the Colonial Pipeline
attacks, that was 100,000 gigabytes of data, we would just restore it from backups and everything
would be peachy. But that's no longer adequate, is it? If the bad guy is also exfiltrating 100,000 gigabytes of data and selling it to God
knows who on the darknet, that data is exposed even if you do have a good backup and restore
program. So what are you doing in addition in your program, in addition to the backup program,
to safeguard against that? When you start looking at the threat of this data being published or
sold on and things like that, we're talking about reputation risk starts to come into it more than operational risk,
or it's not only about operational risk anymore, shall we say. So your mitigation strategies need
to be working out, well, how are you going to manage that reputational risk? So things that
we're seeing people do now are having much better PR communication strategies, making sure that
those comms plans are more readily executed than they
may have been prior. And you're more likely to be in a position now where you may need to consider
paying that ransom because paying that ransom may buy you some more time to work out how are you
going to get ahead of the messaging that might be coming out with it being published. So you need to
be having those conversations with your boards and your senior managers about there's even more likely we may need to pay the ransom to buy ourselves some time.
Are you comfortable with that?
Is that something you want to do?
So looking at comm strategies, looking at decisions around paying ransom, and if you are looking at potentially paying ransoms, it's about having people out there, providers that have to help you negotiate that ransom.
There are whole entities set up for handling that.
Incident response plans need to change as well to make sure that you are potentially executing on those PR comms plans much sooner than you would normally in an operational recovery scenario.
So what you're talking about here is resilience planning and crisis action planning.
And like you said, deciding on whether or not you're going to pay the ransomware,
that's not something you should be doing
in the middle of battle, right?
In the heat of the moment.
That should be a long conversation
you have with boards and senior leadership
about whether or not they'd be
even willing to do that.
So how do you approach that subject
with your senior leaders
about whether or not
they want to do that or not?
I think it's running the scenario with them
and just being open.
This is a real scenario that we may encounter.
So I prefer to just approach it directly and say,
look, this is the scenario in our industry
and in financial services.
There are some real examples to draw on as well,
which really brings it home.
And the next thing is painting the scenario,
a situation where you're unable to recover
and that could impact your customers, your ability to provide services,
your shareholders, everyone.
And if your only option to save the business is to pay the ransom,
would you do it?
It's really putting it in those realistic terms and some real scenarios
and drawing on what's happened in the industry out there really helps with that.
Those kinds of things don't have to be that complicated.
I know we can do these exercises where it's an all-day affair and all the executives have to spend a whole day participating.
But it doesn't have to be that complicated.
I know in my last job, I would just invite the senior leaders into a lunch.
They would come because it's a free meal.
Even senior leaders want a free meal.
You just dropped a scenario on the table.
What if we got ransomed?
Would we consider paying the ransom?
Just get their thoughts at least initially
so we could draft a plan.
Do you guys have kind of a range of scenarios
that you run executives through?
Or is it all very formal?
Before even approaching the board or senior leadership,
it would be with my stakeholders
that I'm meeting with on a regular basis,
just running the scenario and saying,
listen, what were your thoughts on this? And it's interesting
listening to different leaders in the business, how they see things. Legal have a different view
from, say, someone who's looking after the operations side of things. That's really
interesting understanding the different perspectives on the same problem, because
they can come at it very differently sometimes. So I like to get that kind of understanding before
bringing it maybe a little more formally to a meeting with the board or senior management or something like that.
Does the topic ever come up on the probability of the criminals actually delivering on the keys?
Because it's not 100%.
It's a lot less than that.
Is that part of the equation they have to figure out?
Definitely.
I mean, when I'm saying about being open and honest, I've also got to paint the reality there.
I think the last stats I saw was I think about 50% of cases aren't recoverable
because either the bad guys made a mistake
with the encryption algorithms
or they delivered a bad key
or some kind of mess up.
I mean, they're human as well.
They make mess ups.
Definitely part of the equation to say,
listen, there's only a 50% chance that if we pay,
I mean, I'm assuming those numbers are correct,
there's a probability associated with whether recovery is reasonable after that payment. So that's definitely going
to be part of it. Otherwise, you're providing assurances that are not real. And even if you
got the key and whether or not how easy it is to recover it, because sometimes you get a messy
process to unlock everything. So that all has to figure into the equation. Exactly. Sometimes just
burning it all and restoring from scratch is much simpler than trying to surgically unpick all the problems that
have been introduced. I was reviewing the Colonial Pipeline attacks last week, and that company,
the Colonial Pipeline, they clearly had a plan because the message popped up on one of the
operator's consoles to say, hey, we got your ransomware. Within an hour, they started
shutting down the pipeline flow. And that same day, they notified the FBI and had $5 million
in Bitcoin ready to go. And they gave it to the DarkSide ransomware group that day. So,
they were ready to go. So, they had already decided that we're going to pay the ransomware
and not worry about it. That's called crisis planning, I think.
Yes, I mean, that's an excellent example of good planning.
You know, I think with the double extortion, your planning and practicing has also got to be on how are you going to engage with the public on that as well.
It's not just being ready to pay and get your systems back up and running and report to the right entities.
It's also how are you going to manage that message if it leaks out?
That may be something that we don't practice often enough.
Yeah, that was part of the Colonial Pipeline plan.
They announced the next day to the public, and they did every day until the crisis was averted.
So, yeah, they definitely had a plan in place to go forward.
One of the other tools that we could use to prevent the second part of the extortion ransomware is encrypting our material data. If we encrypted our data
so that they couldn't pass it to anybody else
that causes harm,
isn't that an option on the table
that we should be thinking about too?
Yes, absolutely.
And then it puts more emphasis
on how you're protecting the keys.
If it's all very well and good encrypting,
and you should do that,
and especially if it's not all encryptable,
you should certainly be prioritizing
your most sensitive data.
But if you aren't looking after those keys and during the operation,
they've had enough time to kind of work out how your key management system works,
intercept all of that, they could technically still get it and unencrypt it.
So let's go back to the comm plan too, because that takes practice.
That's not something you roll out during the crisis either.
You need to have a pretty firm idea of what you're going to do because there's kind of two options here, right? You can either announce
early with incomplete information, and then that runs the risk of when you change the information
layer, customers and other people thinking that you're withholding information or lying about it.
So that's one thing you got to worry about. And then the other way you can do it is wait till you
have perfect information, and then you get accused of withholding information
and not telling your customers what's going on.
So your leadership has to decide
which way to go there, right?
Yeah, 100%.
Because dealing with reputational risk
may be a little more tricky
than the operational side of things.
Because you can at least test and predict
what's going to happen in the operational side of things.
But it can be quite hard to predict
how the public will react, depending on the context and all of that. So
have some empathy for the people that are going through this with you, like your customers and
things like that, and understand that they also want to know what's going on. And so there's
potentially a middle ground there in the sense that you could go in early and saying, listen,
we know that something's up. We don't have complete information just yet, but they need to know when
you're going to update them next, et cetera, et cetera. You know what I mean? Managing expectations about what you
know to date and certainly not lying about the situation. If you're caught out on that, then you
do your reputation much more damage. Even the perception of lying, even though you weren't,
that's even a trickier line to walk sometimes. Yeah, absolutely. It's difficult, isn't it?
Because if you keep quiet about it, it leads to even more speculation about what you're not saying. So, as I'm saying, it's very difficult. And there's a lot of people that need to be trained for how to interact with the media, how to say things. It's definitely something you need to have practiced and trained for. We maybe have people trained in our businesses for that, but how often have they practiced that?
Yeah, practice. Yeah, you need to practice. Yeah, it's a lot different when it's live, right?
It's a lot different that way.
Let's raise it up to the strategic level.
We're really talking about resilience here.
And one of my favorite definitions of resilience is to be able to continuously deliver your services regardless of some cyber event like a ransomware attack.
If you look at the Colonial Pipeline attacks, they had a great plan.
They bought the keys and they had a comms plan.
But still, the United States on the eastern seaboard,
we were out of fuel for over a week.
So they didn't really meet the resilience strategy objective.
What are the things we could do to make sure we are continuing to deliver the service,
especially for like your business, Simply Business?
Are there things you can do on the IT side
to make sure everything is working
as we work through the crisis?
You can do a lot for the things
that you're in control of.
So your world and the systems
you build and all of that.
But where it gets really tricky
is in the supply chain.
That could be
quite a complex supply chain.
We're talking nth degree on that chain.
Options are, first of all,
at least getting
a good understanding of your critical suppliers, the ones that if something goes wrong, they impact
your most critical business systems, the ones that have almost a direct revenue impact quite quickly.
You've got to understand what their security posture is like. What are they doing? What are
their third parties doing for all of this? So your third party assurance processes need to be in
there. And if they are really critical and you have anything going wrong with you, it has a major impact
downstream as well. I know the FCA is looking at ops resilience in this area, where if you have a
material impact to the whole industry, you have a lot more control you need to put in place. So
you need to look at that and think, do I need backup suppliers in case of one of them being
hit? So if that's a payment provider, maybe it's so risky that you do need to spend the extra money to have
another payment provider that you can swap out in the case of them being hit, that kind of thing.
So it's much more than backups and encryption is what you're saying. It's a much bigger resilience
plan that we have to consider, right? And as the evolution of ransomware has happened, I guess
that's what we're all saying
to senior security executives. Think more strategically and not with the thing that's
happening right now, I guess. Would you agree with that? That's right. And I think that's also why,
if you look at here in the UK, in the financial sector anyway, the FCA has got this sort of
operational resilience initiative that they're putting in. And there's been some deliverables
early this year where financial institutions have had to look at their business processes, the resilience around
those processes, their vulnerabilities, and put a plan in place to shore up those risks.
But a big part of it is not just about the business itself. As I said, it's also about
ensuring that the suppliers to your business and those third parties are also getting up to
scratch. So even non-financial institutions are now having to raise their posture to, I suppose,
the kind of network effect that that regulation is starting to have, which, you know, could have a
lot of benefit in this area. Oh, that's all good stuff, Wayne, but we're going to have to leave it
there. That's Wayne Moore, the Chief Information Security Officer for Simply Business. Wayne,
thanks for coming on the show. It's always a pleasure. Thank you for having me, Rick.
Next up is my colleague Dave Bittner's interview with Nathan Hunstad,
the Deputy CISO for Code42, our show's sponsor.
So today we are talking about double extortion and how we got there, got here,
some of the things that we can do in the face of that.
Can we start off with a little bit of the backstory here? I mean, I think, you know, we saw the rise of ransomware
and that led to a certain set of presumptions about how folks could respond to it.
Yeah, absolutely.
Ransomware's been around for quite some time.
The earliest instance of ransomware, I think, dates back all the way to 1989, actually. But it didn't become a huge security issue
until around 2014 or 2015 in that timeframe.
And like you said,
when it started taking over the headlines
and affecting organizations,
there was really just one attack.
And that was the ransomware creators would gain access to an organization's network
and sensitive data, and they would just encrypt the data and keep the data there encrypted and
request a ransom to provide the decryption key. And so at that time, since the data was just sitting there,
it was unreachable. But if you had good backups and recent backups and you would thoroughly test
it and so forth, an organization could choose to not pay the ransom and restore their data from backup and go on their way.
And so that was the operating principle that a lot of security teams and organizations used
when they were talking about how to deal with ransomware.
And that changed starting a few years ago.
And that's when the ransomware proprietors started adding another tactic.
And like you said, it led to what's called double extortion ransomware, where they're not only encrypting the data now, but they're also exfiltrating it. So that does change kind of the response for security teams because it's not enough to simply be able to restore from a backup and get your business operating again.
Now you have to be concerned about the loss and public exposure of the data that they were able to exfiltrate while they were encrypting it.
And so where does that put organizations these days in terms of best practices to protect themselves?
So it's still incredibly important to have those backups in place and to regularly test them.
It's not enough to simply say that you've backed up the data.
If you're not testing your restoration processes, then you don't know how good your backups are.
So that remains, I'd say.
What is new is dealing with the data exfiltration side of it, because this really needs to be treated as any kind of data exfiltration event. And so knowing what data was taken, knowing what
the sensitivity of that data is, and knowing what legal or regulatory consequences there are to the
public release of that data is something that security teams also need to keep in mind when
they're dealing with these kinds of attacks.
Can you walk me through some of the specifics of that?
I mean, if I'm an organization and I receive a notice from one of these ransomware groups, and they say, hey, guess what, we've taken a bunch of your data,
and if you don't pay us, we're going to start releasing it.
First of all, how do I know that they're telling the truth,
that they're just not trying to put
one over on me to get me to write them a check? Yeah, that's a really good question. That's where
you're likely going to want to engage a forensic investigator, if you don't have those skills
within your own security team, to look for those indicators of compromise. And most likely, if they are telling
the truth and not just trying to pull a fast one on you, you will see that evidence of encrypted
data in your environment. From there, you need to talk with asset owners and the business to
understand, all right, what's in that encrypted file?
What's the value and where do we take it from here?
Yeah.
So, I mean, it really becomes a risk conversation then, I suppose.
I mean, is that a fair way to say it?
Yes, absolutely.
And the risk is much more open-ended than it is with just a simple denial of service or business interruption kind of
ransomware case where you may be down, your servers may be inoperable, but if you can restore
from backup, you're basically to the point where you were before the ransomware attack started.
With this double extortion ransomware, that's not the case. You can
still be up and running from a business and operational perspective, but the risk is still
there with regards to the possibility that that data may be publicly exposed. So it is much more
of an open-ended risk conversation that security teams need to have.
I've heard folks talk about using some technology to try to mitigate this sort of thing, encrypting everything.
All of our data, even while at rest, is going to be encrypted.
We'll decrypt it on the fly for our own use.
And that way, if someone takes something from us, it'll be useless to them because we've already encrypted it.
Where do we stand with that?
I mean, is that a practical solution that folks are actually adopting?
You know, I think that there are some benefits to that kind of solution, but it's certainly not something that I've found has been easily implementable across an organization. For very narrow and
probably your most sensitive or the data that has some regulatory requirements around it,
taking that approach can help to some extent. But at the end of the day, the data has to be decrypted somewhere
for it to be useful, whether it's in a downstream system, whether it's an analyst doing some kind of
just business-related work on their endpoint. The data is going to be unencrypted somewhere,
so that kind of approach isn't going to work to completely
mitigate the risk. And so what are organizations to do? I mean, what are your recommendations
as you're out and about consulting with people, you know, working, collaborating with your own
colleagues? What sort of advice are you putting out there? Yeah. So the good news is that there
are things you can do to help mitigate this. And it does really come down to a lot of the security fundamentals.
So things like an asset inventory and knowing where all the data is in your environment and who's responsible for that data.
So that can be a daunting task depending on the size of your organization, but it's not something that's impossible to do.
So talking with your business partners, putting this as part of your business continuity and disaster recovery planning or tabletop sessions to sit down and ask, all right, what data does your business process use?
Where is it?
Drilling down into important details like, does this data exist on user endpoints? Is it only in a server? Where
does this data travel? And what other business applications does it go through?
So once you have that kind of high-level inventory and some of those process and data flows of the data in your environment, then you can do two things.
You can identify any gaps in your security controls where there may not be the appropriate security visibility to data in certain applications, for example.
And if you ever find yourself dealing with one of these double extortion ransomware attacks, you'll be much more certain of the data that was actually taken. And then you
can have that informed risk discussion with the people within the organization who need to be a
part of that. Can we touch on reputational damage here? Because it strikes me that there are a couple elements here.
I mean, obviously, there's the extortion of the data itself.
If the bad guys start releasing the information that they took from you.
But it seems to me like even just the fact that they could make a public disclosure that you were breached at all could potentially have reputational damage.
Yes, absolutely. With double extortion ransomware,
the reputational hit is much more significant than with the more old-fashioned business
interruption kind of events around ransomware. So the fact that you did get hit with ransomware
and you did lose control of your data can be a very significant
reputation hit. So that's something that, again, organizations should keep in mind as they're
having those risk decisions and maybe have some kinds of remediation plans in place or at least
talk with the appropriate people in the organization to determine how would we deal with this kind of reputational hit.
Yeah, it's a really good point. And I suppose it emphasizes the idea that, you know, being in the
middle of an event like this is not when you want to be making those decisions. The importance of
pre-planning, of having those plans in place ahead of time, boy, it's hard to underestimate that, right?
Absolutely. And if you're not including a ransomware scenario in some of your incident tabletop exercises or your BCDR planning, you absolutely should. Because like you said,
you don't want to be making these decisions while you're dealing with an incident under the gun with the clock ticking.
It's a lot easier to do a tabletop, sit down, game out one of these attacks, and then without any pressure, have that frank and open discussion around what went well, what went poorly, and how can you prepare your organization just in case it
actually happens. Nathan, I mean, do you think that we are in a place right now where if an
organization puts the right things in place, if they do the work ahead of time, can they go forward
with confidence that the odds of them being hit by something like this and it having
a significant impact are relatively low? You know, it's hard to say that because the
landscape is changing day to day. And there are new vulnerabilities that are exploitable
on a weekly basis. I don't know how many times I've had to update Chrome, for example,
this year due to zero days. So it's really tough to be able to say that if you have the right
protections, you'll have a low probability of being hit. What I think you can say, though,
that if you have the right protections, you'll feel a lot better about how you'll actually deal with it.
If it happens and you will have planned this out, you'll have a playbook and you won't be making decisions, you know, on the fly and making mistakes that could be avoidable.
We'd like to thank Wayne Moore, the CISO for Simply Business,
and Nathan Hunstad, the Deputy CISO for Code42,
for coming on the show to help us understand how security leaders are thinking about double extortion ransomware.
CyberWire-X is a production of the CyberWire,
and is proudly produced in Maryland
at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity
startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter
Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.