New trend in ransomware: Anonymity
Imagine if you were attacked and you didn’t know the identity of the assailant. Not knowing who they were, what their motivations are, or their attack track record would leave you feeling helpless.
There is a disturbing new trend in ransomware attacks: anonymity. In the "halcyon" days of early attacks, the group attacking the victim would always say who they were. Now, though, we are seeing a spike in attacks where the offending group conceals its identity, and finding out who they are is a complicated process. If you're lucky enough to have a wealth of dark web and other data to examine, you can often unmask them: threat actors are human, which means they usually make a mistake that reveals them.
To Pay or Not to Pay?
Recently there was a case we were working on where the offenders took a copy of all the victim's data, deleted all the data at the victim's site, and then sent an anonymous email to them asking for payment to get the data back. There was no indication of who the attacking group was; in most cases, attackers proudly identify themselves in the ransom note. When the identity of the group was finally determined (they were human, so they made a mistake!), it was discovered that they were very unreliable for making good on their ransom demands, so the victim chose not to pay the ransom. While the FBI says not to pay ransom in all cases, most organizations are looking for the most cost-effective way out, so they always wrestle with the question, "Should I pay ransom or not?"
For most organizations that don't have the ability to uncloak an attacker, anonymity is a problem. For one, without the name of the offending group, there is no way to know their track record with ransom payments or to answer questions like "Do their decryptors work?", "Are they a 'string along' group that returns only some of your data after a ransom payment and then asks for more money?", or "What are their motivations, and why did they choose us?" These are all questions that organizations consider when deciding whether or not to pay ransom. Yet if you don't know who the attacker is, it can be difficult to get answers.
Why are Attackers Going Anonymous?
A few ransomware attacks wind up in the headlines, but many more occur in lower-profile organizations that don't have the resources to resolve their situations. For them, anonymity is a particularly vexing problem. This raises the question: why have the bad guys chosen to go anonymous? There are a few reasons why they do:
- The ransomware-as-a-service trend lets virtually anyone become a ransomware operator. This has enabled new, inexperienced operators to enter the fray who may just be looking to make a quick buck and don’t care about following any playbook. These "affiliates" are often acting more tactically than the traditional ransomware groups.
- It's harder not to pay when the ransom demand is anonymous. If you don't know who is attacking you, often the easiest thing to do to make them go away is pay. The problem organizations run into with this approach is that there's no guarantee they'll get their data back if they pay. Because the attacker's identity is concealed, there is no track record, so there's no way to know whether other victims of the same attacker got their data back by paying.
- Avoiding U.S. Treasury Department sanctions. The U.S. Treasury tracks individual actors and groups that you cannot legally engage with due to international sanctions. If the attacker has no name, it is difficult to attribute the attack and to determine whether a payment to them would fall under these sanctions.
- The attackers may not care about their brand. The goal of any ransomware actor is to make money. First-generation attack groups wanted to establish a good reputation for having working encryptors and reliably restoring data, so victims would be more likely to pay. They cared about their "brands" because a good brand helped them make money. Many current attackers hide their identities because they don't care about their brands and opt to make money faster.
- Attackers are repurposing leaked or stolen ransomware code. A number of the larger ransomware organizations have had their source code leaked or stolen. As a result, mildly technical individual actors can use this code to execute tactical attacks to make a quick buck, with no intention of continuing operations. Therefore, there is no need for a brand. They want to buy that car at the dealership, pay off debt, take care of a sick family member, and move on.
Ransomware is a scourge, and the volume of cases we have seen in recent months has gone way up. Anonymity is a recent development among attackers, and it raises the stakes in reaching a successful resolution of a ransomware attack. This represents a real threat to the economy because, as we've seen with recent headline attacks, organizations can't function if they don't have access to their data.
Kurtis Minder is CEO of GroupSense. GroupSense provides digital risk protection services to organizations worldwide.