[BreachExchange] Five myths about ransomware

[Sophia Kingsbury]

https://www.washingtonpost.com/outlook/five-myths/five-myths-about-ransomware/2021/06/10/b1e00344-c8b1-11eb-81b1-34796c7393af_story.html

Most ransomware news is bad news, so it was a welcome surprise to learn
this week that U.S. law enforcement had recovered $2.3 million of the
ransom Colonial Pipeline paid to its hackers last month. But even that rare
win can’t overshadow the significant disruptions ransomware has caused in
the past month alone, forcing the temporary shutdowns of thousands of miles
of critical fuel pipeline, as well as several plants in the United States
operated by JBS, the world’s largest meat supplier. As regulators and
companies come to grips with the scale of the problem, ransomware is
receiving more attention than ever before — some of it productive, but some
of it misleading and incorrect.

Myth No. 1

The most cost-effective way to get data back is paying ransom.

Many resources for ransomware victims advise that, as ZDNet says, “it can
make good sense to pay ransomware.” Estimates of how many victims pay
ransoms range from 27 percent to 56 percent, so clearly this is advice that
many firms take to heart.

But organizations that pay ransoms often don’t receive the decryption keys
needed to recover their data. A 2016 survey found that 1 out of 5 companies
that paid a ransom failed to get its data back from the attackers. A 2021
report estimated that only 8 percent of victims who paid a ransom got all
of their data back, and 29 percent were unable to recover more than half of
the encrypted data.

Even when victims are able to recover some, or all, of their data, they
often spend considerable resources to ramp up information security, upgrade
infrastructure and make changes to security staff after an attack. And most
importantly, the decision to pay a ransom contributes to the continued
profitability of ransomware for cybercriminals. So while it may seem
cost-effective in the short term to pay, that decision may just lead to
more ransomware and greater losses down the road.

Myth No. 2

There are only a few thousand ransomware attacks per year.

The FBI 2020 Internet Crime Report lists just 2,464 incidents of ransomware
reported in the United States in 2020, with losses totaling more than $29.1
million. Other reports in recent years with similarly low numbers,
including one from security researchers AV-Test, have been used to indicate
that ransomware is relatively uncommon, compared to other online threats.

In truth, we know almost nothing about how many ransomware attacks occur.
Unlike breaches of personal information, most ransomware attacks do not
need to be reported by law, and victims — especially those who pay — may
have many reasons to prefer to keep them secret, such as preventing their
customers from panicking and avoiding public censure.

The number of ransomware incidents reported to law enforcement authorities
therefore likely vastly undercounts the extent of the problem, but it’s
hard to know by how much. One widely cited statistic by data analysis firm
Statista suggested that there were actually 304 million ransomware attacks
worldwide in 2020 — down from a high of 638 million in 2016 — but the firm
offers little insight into its data sources or how it arrived at those
figures. So while we can be confident there were well over 2,464 ransomware
incidents last year, we don’t have much insight into whether the frequency
of such attacks is increasing or whether we’re instead just starting to see
more high-profile targets across critical infrastructure sectors.

Myth No. 3

There's no way to decrypt data once you've been infected.

Like the idea that the cheapest way to recover from an attack is to pay the
ransom, the notion that “ransomware is irreversible,” as one researcher
puts it in the peer-reviewed journal ICT Express, is widely held. (That
exact phrase also crops up in another recent paper by researchers from
Australian and Malaysian universities.) The concept is that there’s no way
to get your data back — or to regain control of your systems — without
purchasing a decryption key.

But while ransomware is sometimes designed so that decrypting the victims’
devices is an insurmountable obstacle, many common strains of ransomware
have been successfully reverse-engineered to allow victims to decrypt their
own computers without having to make any payment. The No More Ransom
Project, supported by Europol as well as security firms McAfee and
Kaspersky, was designed to aggregate these decryption tools so that victims
can quickly identify what strain of ransomware they had been infected with
and search for any software that could help undo the damage. The Project’s
Crypto Sheriff tool allows victims to upload ransom messages and other
identifying features to determine what kind of ransomware they are dealing
with. If it is a poorly implemented program, or if the decryption keys
associated with it have been seized by law enforcement authorities or
publicized by other victims, then it may be possible to recover compromised
data without paying. Some companies also offer similar services to aid
victims.

Myth No. 4

The rise of cryptocurrencies isn't to blame for attacks.

Ransomware programs typically demand that victims make a cryptocurrency
ransom payment because cryptocurrencies are less regulated and often more
difficult to track than other forms of payment. Cryptocurrency enthusiasts
are, understandably, very resistant to the idea that currencies such as
bitcoin are to blame for the rise in ransomware attacks. In 2016, for
example, an anonymous “blockchain expert” told Forbes that a recent attack
had “nothing to do with bitcoin whatsoever,” and a headline on Coindesk
declared, “Bitcoin is Not the Root Cause of Ransomware.”

But just because there are noncriminal uses of cryptocurrencies doesn’t
mean that they haven’t been a critical component of ransomware’s
proliferation. Without a mechanism for making relatively untraceable and
irreversible payments, there would be no way for criminals to profit from
ransomware. They couldn’t demand cash because, in many cases, they are
located very far away from their victims geographically. Nor could they
rely on credit card payments or bank transfers because those modes of
payment can usually be traced back to specific individuals, and setting up
new accounts takes time and resources.

While it’s true that ransomware predates the ubiquity of cryptocurrencies,
such attacks didn’t take off until recently. This suggests that criminals
couldn’t easily make money from ransomware until they could find a way to
manage payments that typically protect them.

Myth No. 5

Multi-factor authentication protects against ransomware.

IT company Vray exhorts companies to “stop ransomware with two-factor
authentication,” while the website Security Boulevard promises to reduce
the risk of ransomware “by 40 percent” through the use of multi-factor
authentication. Such posts promote the misleading idea that any one
security tool can keep ransomware at bay, while also misleading readers
about the actual function of these tools.

In fact, two-factor authentication — wherein a user must confirm their
log-in credentials via a separate device or platform — is primarily
designed to protect users against phishing and other credential-harvesting
attacks. While stolen credentials can be an attack vector for ransomware,
there are many others, ranging from email attachments to malicious websites
and apps. Two-factor authentication provides little protection against
these types of initial paths into a computer system, so while it’s a useful
and important security tool, it would be a mistake to rely just on this —
or any other individual security product — to protect against ransomware.
As with all cyber risks, there are no silver bullet solutions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210615/eda83963/attachment.html>