Ransomware is one of the most sophisticated and feared attacks in the modern threat landscape. A specialized form of malware, ransomware is designed to forcibly encrypt a victim’s files. The attacker then demands a payment from the victim in exchange for the decryption key needed to restore access to the data. Costs can range from a few hundred dollars to millions, in addition to the disruption suffered while the data remains inaccessible. And even if the ransom is paid, there’s no guarantee that the promised key will be provided. The ability of a ransomware attack to render its victim’s data inaccessible makes it a far greater threat than simple data theft—making ransomware protection a top cyber defense priority for every organization.
In this article, we’ll define ransomware, including the rise of data exfiltration tactics, and discuss recent ransomware attacks on victims including Garmin, Lion, and The Toll Group.
What Is a Ransomware Attack?
Ransomware attacks can be initiated in many ways. One of the most common is a phishing attack, in which an email delivers an attachment disguised as a legitimate business file. Once it has been downloaded and opened—often by a victim with good intentions and no awareness of the threat it contains—the malware takes over the victim’s computer, and can even use built-in social engineering tricks to obtain administrative access. At this point, the ransomware can spread laterally from one computer to another and ultimately infect the entire network. The most aggressive forms of ransomware, such as Petrwrap/Petya, bypass the user entirely and infect computers by exploiting existing, unpatched vulnerabilities.
Once the malware has taken over the victim’s computer, the typical next step is to encrypt some or all of the user’s sensitive files and forcibly reboot the user’s system. The user is then informed of the attack and notified of the ransom being demanded, usually in the form of a hard-to-trace Bitcoin payment, along with a deadline for payment. If the targeted organization pays the ransom, the decryption key will be provided—or that’s the promise. If not, the data will remain permanently encrypted and inaccessible.
While any kind of organization can fall prey to this exploit, targets for ransomware attacks are often selected based on factors such as their perceived vulnerability, the sensitivity of their data, or their desire to avoid harmful publicity. For example, universities tend to have lower levels of ransomware protection and other cyber defense than other organizations and have a high level of file sharing, making them relatively easy prey for a phishing attack. Cities and other government agencies rely on computer systems for vital public services such as law enforcement, emergency response, public transportation, and the court system, increasing the pressure for a rapid restoration of data access. For hospitals and other medical facilities, data can literally be a matter of life and death. Financial institutions, law firms, and major corporations may be willing to pay quickly to avoid being associated with a ransomware attack—and have the resources with which to do so.
In a sense, ransomware can pose an even greater danger than simple data theft. While data theft can be embarrassing and costly to its victim, the data that has been compromised remains accessible. In a ransomware attack, on the other hand, the data is effectively gone—making normal business operations impossible.
How Does Data Exfiltration Relate to Ransomware and Data Theft?
Ransomware attacks continue to evolve in terms of both technology and technique. In recent months, cybersecurity experts have been alarmed by the convergence of ransomware with data theft and data exfiltration to create an especially pernicious threat.
Traditional data exfiltration is itself a blend of data theft and extortion. A hacker compromises an organization’s defenses and exfiltrates sensitive data of measurable value—financial records, intellectual property, business data, and so on. After offering the data for sale on the black market to establish its value, the attacker then contacts the victim and demands a payment to prevent a sale. The attacker’s leverage in this case is the significant reputational damage, potential regulatory fines, and other fallout that would result from the data’s release. Still, the data itself remains available to the victim.
Over the past year, ransomware variants such as Maze and DoppelPaymer have been used to add the threat of data exfiltration to a ransomware attack. If a victim hesitates to pay the demanded ransom, the hacker releases a portion of the data to publicize the attack and heighten the pressure. By combining the reputational damage of data theft or data exfiltration with the operational disruption of a ransomware attack, this type of attack can be dangerously effective in undermining data backups, the defense against ransomware advised by the FBI: backups restore access to the data, but they do nothing to prevent its publication.
Ransomware Attacks in 2020
Major ransomware attacks have rocked the cybersecurity community in 2020. Garmin, a major technology company with businesses ranging from civil aviation GPS to personal fitness, suffered a ransomware attack using the WastedLocker malware that froze the company’s online services for millions of users. Subsequent reports suggested that Garmin had paid a ransom of as much as $10 million to obtain a working decryption key.
A ransomware attack on Lion, an Australian beverage giant, delayed the company’s brewing operations and limited its visibility into its products.
Rhode Island College Foundation and the Providence Children’s Museum were both affected by a ransomware attack on Blackbaud, an outside software service provider for engagement and fundraising, that might have exposed personal information.
The Toll Group, a global transportation company based in Australia, was hit by ransomware twice in less than six months. The attacks included the theft of massive amounts of data, including financial reports and invoices, and led to months of operational disruption. While the company initially refused to pay the ransom, the subsequent publication of its stolen data on the dark web suggests that data exfiltration tactics were at play.