Combating Online Extortion with Readiness and Response

Extortion over the internet is often a cybercriminal’s quickest path to profits. It can take little more than a commodity exploit to drop ransomware onto a vulnerable endpoint, or a weak password to commandeer a poorly configured online storage service or database.

The end result for the victim is instant angst as proprietary or customer information is encrypted or stolen, and subsequently held for ransom. Rather than focus on the core business, decision-makers must stop everything and respond in a manner in which operations continue, data is recovered, a company’s reputation doesn’t suffer, and a similar incident never happens again.

That’s a lot to deal with on the fly. It also dredges up many questions that business and IT executives rarely imagined a few short years ago. For instance, in the short-term, do you have the capacity to buy and transfer cryptocurrency safely if you make the decision to pay a ransom? Are your people equipped to communicate and interact with an attacker? Do you know enough about the attacker to trust this isn’t a hoax? How will you respond to stakeholders and the public, if necessary?

When an organization is the target of a ransomware or cyber extortion attack, it must quickly determine the nature and extent of the attack and mitigate quickly because the longer an attack lingers, the more potential damage the organization suffers as a result of data and service inaccessibility. For those entities with even more critical services, such as financial services companies or healthcare providers, downtime has serious implications.

The response to a ransomware or extortion attack may include a determination by the victim to pay—or negotiate payment of—the requested ransom. Payment of the demanded ransom may result in prompt return of data and data functionality at a fraction of the cost of reconstructing from backups, or in the case where no backup exists, rebuilding data repositories from scratch.

Law enforcement and the security research community don’t advocate the funding of a criminal economy by paying ransomware demands or giving in to extortionists who may have a company’s encrypted data in their possession. But organizations concerned with impermissible downtime and the prospect of critical systems and data remaining inaccessible may seriously weigh those losses against the cost of acquiring and storing of cryptocurrency for such an eventuality.

Support services such as Flashpoint’s new Threat Response & Readiness Subscription go beyond the acquisition of cryptocurrencies to pay off a ransom demand. Flashpoint provides research to organizations impacted by attacks, as well as directly engages with threat actors; part of this engagement may also include providing access to cryptocurrency.

It anticipates many pre- and post-infection factors that feed into that decision, including some that organizations may not consider as they enter into such an engagement with an attacker. Flashpoint’s subject-matter experts and unique access to the Deep & Dark Web (DDW) provides clients with the necessary intelligence to support a number of critical assessments. The Response portion of the service makes the determination of whether an attack is a true ransomware or extortion situation, and whether the lost data may be recovered by other means. Analysts can also make a determination about the integrity of the attacker in such situations, and also learn more about the history of the wallet accepting the ransom payment, in addition to the quick acquisition of cryptocurrency and engagement with the attacker.

The Readiness portion of the new service covers pre-infection preparedness starting with a ransomware workshop in which clients are educated about ransomware, how it works, why organizations become infected, the evolution of this threat, profiles of attackers, cryptocurrency and issues related to payments, and other details relevant to the customer organization or vertical. It also includes tabletop exercises where critical stakeholders can put a response plan through its paces before it’s tested in a real-life attack. Stakeholders discuss simulated scenarios, assess the efficacy of current plans, ensure clarification on roles and responsibilities, and improve coordination to help better mitigate future attacks.

In both Response and Readiness, Flashpoint will also work with companies to develop contingencies in the event of an attack, including establishing a process to ensure payments can be made securely and quickly.