[BreachExchange] The Ransomware Sausage Factory – Do You Really Want To Know How They Got Your Data Back?

Inga Goddijn inga at riskbasedsecurity.com
Wed May 2 09:26:34 EDT 2018


Statistics vary, but a prevalent theme is that ransomware attacks rose by
as much as 250% in 2017. Since a considerable number of incidents go
unreported, potentially a majority of them in fact, it is difficult to
fully understand just how deep the problem goes. That said, we can all
agree the problem is bad.

Always on the lookout to fully understand security issues organizations
face, we came across an interesting Tweet:

Initial reactions ranged from “it’s a get-rich-quick scheme” to calling it
an outright scam, with some laughter at the creativity of the solution.
Others may think it is a legitimate service: recovering data is what they
advertise, and that is precisely what they did.

Kevin Collier, a BuzzFeed News cybersecurity correspondent, followed up
with links confirming the security company involved is Proven Data Recovery.

Collier referenced their 97.2% success rate and tied it to ransomware
recovery. However, that figure does not refer exclusively to ransomware.
Instead, it appears to cover their entire portfolio of data recovery
services, which could include hard drive failure. Looking at the Proven
Data Recovery page covering their recovery services, you can see their
ransomware service offering, and it does not reference that 97.2% figure.

PDR’s website has two bullet points that address the case where ransomware
is in play, and both are worth highlighting when evaluating this case:

- Pay after the ransomware recovery service – We provide you with the
  peace of mind that we aren’t going to just take your money before getting
  any data back. We do not bill you until after you’ve verified your data
  was successfully recovered.

- After conducting a thorough analysis of the intrusion, Proven Data
  Recovery may also offer assistance in helping you pay the ransom as a
  last resort effort to help you get your data back. Proven Data Recovery
  makes no claim to cracking RSA 2048 encryption or higher as it is
  currently mathematically impossible to do so with current technologies.

To many IT and security professionals, charging someone a lot of money to
recover from a ransomware attack, when the customer could have just paid
the ransom themselves, seems shady on the surface. But looked at more
closely, the service isn’t necessarily a bad thing.

Consider the following:

- Most companies have no clue how to buy Bitcoin or other cryptocurrency
  needed to pay the ransom. Bad actors don’t take PayPal or corporate
  checks. Anyone who has bought cryptocurrency knows there are exchange
  and purchase costs that may be daunting to a first-time buyer. It would
  take a company a lot of time and money to figure it out themselves, all
  the while the clock is ticking on the ransom demand.

- As mentioned, the Proven Data Recovery website says they will attempt to
  decrypt, but also that they may pay. While several varieties of
  ransomware can be decrypted, there are many variants that cannot. Perhaps
  the Proven Data Recovery business model figured out that paying is in
  some cases more cost effective. Hopefully they have extensive experience
  in knowing when that is the right option and fully explain this to their

- The company takes the financial risk of not charging for their services
  until they recover the data (by any means).

The primary concern among some security professionals discussing this
business model is how transparent the company is being with clients when
it does opt to pay the demand. More specifically, does Proven Data Recovery
inform clients that the data was recovered by paying the ransom, or is that
kept confidential while the client is billed at a huge mark-up? Based on
their Yelp reviews, they have happy customers one way or another. In this
case, for Herrington and Company, who are real estate agents in Anchorage
and, based on the timing, appear to have a hosting agreement with Liquid
Web, Inc. in Alaska, the ransom was apparently $1,600 and the Proven Data
Recovery fee was $6,000. Given that the FBI is involved and a search warrant
was executed, it appears that someone, for some reason, was not happy with
their services.

Companies hit by ransomware really only want one thing: their data back and
their operations back to normal as quickly as possible. Even though the FBI
recommends not paying a ransom – for good reasons – the end result is
really what matters, right? Depending on the infection and how quickly you
need the data recovered, it may make sense for a company to pay. Even the
FBI recognizes this. Its guidance does not flatly state “do not pay under
any circumstances.” Rather, in the Ransomware Prevention and Response for
CISOs document, the FBI states that while it does not encourage payment,
“whether to pay a ransom is a serious decision, requiring the evaluation of
all options to protect shareholders, employees and customers. Victims will
want to evaluate the technical feasibility, timeliness, and cost of
restarting systems from backup.” So in its own unique way, the guidance
comes down to doing a cost-benefit analysis on whether or not to pay.

One good option to consider for ransomware risk reduction is cyber
insurance. The days of limiting coverage to data breach events alone are
long gone. These policies can now include options that change the financial
equation when weighing the pros and cons of paying. Coverage does vary from
one policy to the next, but it is possible to buy cyber insurance that
covers elements of both the ransom demand itself and the recovery costs
associated with the event. What’s more, many insurance companies maintain a
panel of vetted incident response providers ready to answer the call for
help. That offers fast access to assistance along with a level of
confidence in the integrity of the provider. Stay tuned for our next
installment on ransomware, which takes a closer look at the potential
reasons that you should or should not pay, and some actual costs incurred
by organizations.

Risk Based Security has the most comprehensive database of breach events
including nearly 400 ransomware events that exposed sensitive information
in addition to locking up data and systems. The resulting wealth of breach
data coupled with actionable security ratings for organizations has made
Risk Based Security a leader in vendor risk management, cyber insurance and
risk modeling.