Ransomware and destructive malware attacks have become a regular feature in main stream news, as well as security and risk specific media where they have been a mainstay for years. With such a high volume of reporting it can be difficult to "see the wood for the trees". In the age of information overload, where having the time to read any further than the headline is a luxury and a rarity, the reader may well be forgiven for becoming misled or forming ill-informed conclusions regarding ransomware trends. In this commentary, we have selected a handful of ransomware related headlines from the start of 2023 for a further look.
Decrease in victims paying
January 19: Chainalysis, the blockchain data platform company, published research which was subsequently picked up by industry press and accompanied by headlines suggesting "Ransomware Revenue Down As More Victims Refuse to Pay". As experienced practitioners in incident response, it was this research and associated headlines that first provided the idea of summarising and providing commentary over the detail behind such headlines. On first look, and without reading the research itself, a casual reader might believe the story to be about a reduction in the incidence of ransomware attacks, which is not the case.
Essentially, this is a story about the legal risks of paying ransomware groups. These risks have increased over time, due to factors including an OFAC advisory in September 2021 highlighting sanction risks associated with ransomware payments and the Conti (one of the highest revenue ransomware groups prior to 2022) ransomware group's potential connection with the Russian FSB, a sanctioned entity. The increased potential for committing sanctions violations and rising threat of legal consequences are cited as the main factors behind trend of victim reluctance, refusal and overall decrease in making ransomware payments.
It is noteworthy that, just as payment comes with risks, including sanctions violations and further malicious action by the threat actor, non-payment comes with risks such as leakage of stolen data.
Setting the ransom demand
Moving into February, we saw some headlines relating to the methods by which ransomware gangs are setting the price to "assist" their victims (by which we refer to typical threat actor activities such as providing a decryption key, explaining the methods by which they were able to conduct their attack to assist the victim in preventing recurrence, and making promises not to leak the affected data) in agreeing payment. Two articles were particularly interesting: Feb 14. LockBit ransomware group demanded £65.7 million from Royal Mail in recent Ransomware attack, claiming this was 0.5% of revenue (subscription required). In this example, Royal Mail, the victim, reportedly refused to pay a ransom demand that was set according to LockBit's calculation of a percentage of Royal Mail's parent company's annual revenue. Regulators may set monetary penalties for companies found to have failed in respect of their data protection and cyber security legal obligations, e.g. under GDPR. However, the checks and balances undertaken by Regulators are formal and detailed, whereas threat actors are not held to such standards. This information reportedly became available after chats between LockBit and the Royal Mail negotiator were leaked on the internet. Although, Royal Mail have declined to comment on their authenticity.
By contrast, in an article from Feb 21. HardBit ransomware wants insurance details to set the perfect price, The HardBit ransomware group were reported to be encouraging their victims to share the details of insurance policy coverage in order to agree a price based on what their Insurer would indemnify, apparently attempting to convince victims to do so anonymously so as to not alert the Insurer, and risk insurance coverage and payouts. In a recent LinkedIn post, Mark Hendry (Director of Cyber Security and Data Protection at DWF) provided some comments on the risks of taking an attacker's lead in this way. These include the risk of breaking contractual obligations, and therefore not only risking the policy line cover but all cover held with the same insurer, and becoming complicit in criminal action against a second victim (the insurer) with potential for criminal and regulatory penalties. The coercive language used by the attackers reveal their awareness of these risks, and further highlight the need for high degree of skepticism by victims and their advisors when dealing with criminals.
What does this mean for ransomware as a key threat?
Along with a high volume of commentary regarding the proliferation of ransomware strains, we seem to be witnessing threat actors adjusting their tactics and playbooks in an attempt to maintain revenue. This is possibly in response to societal and global phenomena (the rise of ESG, war in Ukraine, increase in sanctioned people and entities, etc.), and the downward trend in securing payments from victims. This trend is one of many occurring in the threat actor and victim landscape, and we will continue to comment as research, analysis and reporting provide more insights. As to whether the decrease in payments can be considered a good thing overall, it's worth noting that hard times tend to breed innovation and when criminal innovation is the topic, novel and damaging attack types can be expected. However, every payment made funds multiple further attacks according to Trend Micro. Therefore, only by refusing to pay and removing the revenue streams by which threat actors fund their further activities, can victims and those on the side of defence and response hope to end the cycle.
What can you do?
DWF provide a range of security and data breach preparedness and response services, often working with our clients' insurance providers as approved suppliers in instances where legal and technical expertise are required in incident scenarios.
For instance:
- Preparedness: as well as our programmatic and security transformation work, we offer the DWF RAPID tool which is a web-based confidence diagnostic to test your organisation's ability to deal appropriately with a range of security and data incidents. We also offer ransomware training and war game type exercises for legal, technical, operational and senior leadership teams, as well as playbook development.
- Response: We provide a range of services, including the establishment of appropriate legal privilege environments; instruction of other specialist third parties (including technical investigators and responders); crisis management and leadership; executive briefings and advice; regulatory engagement and litigation; third party engagement and litigation; and civil claims and litigation handling.
All of DWF's services can be retained in advance of an incident, to avoid the need for time-consuming contracting amidst of an incident scenario.
For more information please get in touch with the below author or your usual DWF contact.
