Ransomware is a hugely profitable business. The only way to end it is to stop criminals from making money off your data.
By Elliot Lewis, Co-founder, and CEO of Keyavi Data Corp.
It’s every CEO’s worst nightmare: You report to work early one morning only to find your computers frozen, your essential data locked and an ominous message from cybercriminals demanding an outlandish ransom to restore them. In the meantime, your employees can’t work, your customers can’t buy your products and you’re bleeding revenue by the minute.
Could it happen to you?
Unfortunately, the odds are bad and getting worse. Between 2019 and 2020, attacks increased 62 percent worldwide and 158 percent in North America, according to cybersecurity firm SonicWall. The pandemic ushered in a new era of of remote and hybrid work – and with it, new opportunities for criminals to worm their way onto the corporate network through VPNs and remote desktop applications. Last year, 61 percent of companies were hit with ransomware. Nearly 300 have been attacked so far this year, earning cybercriminals at least $45 million. And those are just the attacks we know about.
No sector of the economy is immune. The more critical data is to organizations, the greater the leverage it offers to criminals, who have extended their sticky fingers from businesses to schools, hospitals – and with the Colonial Pipeline attack –national infrastructure.
Even if you don’t pay the ransom, an attack represents a severe financial hit. Costs –including lost productivity, investigations and forensics, breach notifications and reputational damage – are rising at a clip of 30 percent a year, according to research firm Cybersecurity Ventures. By 2031, the organization predicts ransomware will cost companies $265 billion, with an attack occurring every 2 seconds.
What accounts for this stupendous rise in size and scale?
In a word, money. Technically, ransomware is just another form of malware, but financially, it’s a juggernaut for criminals, who know that today’s companies simply can’t function without access to their data. In recent years, they’ve found ways to extract revenue from it long past the initial ransom demand. To understand and outsmart their lucrative business model, you need to examine the dynamics of an attack.
The Three Phases of Ransomware
Companies experience ransomware as a sudden, incapacitating hit – which of course is part of the plan. But for criminals, it’s just the tip of the iceberg. Behind the scenes, they engage in many other activities, and not all of them make money.
Attacks are staged in three phases:
Phase 1 – Entry, reconnaissance and launch – a loss leader for attackers.
Criminals hop onto the corporate network by inserting malware into a phishing email or sending out a fake software update. They use rootkits and other tools to spy on users, scope out systems, escalate privileges, disable security software and – most importantly – find and steal the organization’s most valuable data. Masking techniques allow them to snoop and filch data undetected for weeks or even months. Finally, at the end of Phase 1, they launch the file-encrypting ransomware. Only at this point do victims become aware that a problem exists.
Phase 2 – Making the victim pay: the cash to criminals starts flowing
Attackers attempt to extort companies by demanding payment to decrypt the victim’s data files. Paying the ransom, however, doesn’t end the problem. A Cybereason study found that while 46 percent of companies who pay a ransom to regain access to their data, some or all of it is corrupted. Much worse, though victims are unaware of it at this point, attackers may have made and kept copies of all the data the company just paid to restore. Decrypting files does not address this problem at all.
Phase 3 – Criminals make even more money from exfiltrated data: a wealth of recurring revenue opportunities.
The first attack is just the beginning. Eighty percent of organizations that pay a ransom go on to suffer a second attack, Cybereason found. Attackers threaten to publish their stolen data if companies don’t pay another ransom, often upping the ante if they don’t meet a specified deadline.
Ransomware today has evolved into a complex criminal enterprise involving a shifting, interlocking network of gangs and cartels, including Maze, LockBit and Ragnar Locker, which work together and on their own to make money through extortion and selling stolen data to third parties. Some, such as REvil, have even devised ways to make passive income, selling the tools of their trade to other criminals in ransomware-as-a-service franchises.
Anatomy of the Ransomware Business
In this ransomware business model, attackers expend time and resources but make no money in Phase 1. The cash flow starts with the direct victim ransom demands in Phase 2, but there’s a catch. Companies with good, secure backups know they can get their systems up and running again, and may refuse to pay. Many mistakenly believe the attack is all about unlocking their data, and once they regain access to it, everything will be fine.
But attackers know they can count on Phases 2 and 3 – extorting companies for the same data (sometimes called double extortion) and/or selling it to others. They can do this because companies have no way of getting their data back after it’s been stolen in Phase 1.
Once companies understand the predicament they’re in during Phases 1 and 2, they’re often willing to pay up. For example, meat producer JBS recently paid an $11 million ransom after its operations had already recovered from a ransomware attack. Why?
Their published statement said: “In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
They paid $11 million to “ensure” that no data would be exfiltrated. But their only assurance was the word of a cybercriminal gang, which still has their data. Those criminals may someday decide that $11 million – or $21 million or $31 million – actually isn’t enough. In fact, there’s no limit to the number of times an attacker can come back and demand more money. Or sell stolen data to third parties. Or both.
The Heart of the Problem – A Flawed Security System
The JBS example illustrates a fundamental flaw in modern security systems: They can’t ensure that sensitive data won’t fall into the wrong hands. That simply isn’t possible with current security protocols, which fall into two main categories:
- Attempts to keep data contained. These include identity and access management systems, mobile device management, sensitive data encryption, cloud access management and secure storage. These are all important measures, but they’re not perfect. An attacker only needs to get through one of these layers to penetrate the corporate network and steal data.
- Forensics, monitoring and intelligence, including SIEM and SOAR. These solutions exist because the first solutions too often fail.
Companies are pouring a lot of money into these systems. Spending on cybersecurity and risk management is the top priority for CIOs and is expected to reach $150.4 billion this year, according to Gartner.
Many companies also purchase cyberinsurance, but as ransom amounts rise and governments crack down, insurers are getting pickier about issuing policies. Some, like European insurer AXA, may stop offering them entirely.
A Game-Changing New Cybersecurity Paradigm: Self-Protecting Data
Despite their best efforts, companies can’t stop ransomware attackers from extracting and holding sensitive data, which is at the heart of their lucrative business model.
But what if data could protect itself? Then companies wouldn’t have to spend millions of dollars in a vain attempt to keep it out of the hands of ransomware attackers – or try to trace it after they’ve already gotten hold of it.
In fact, the technology to do this exists today. Instead of trying to keep data contained, Keyavi encases it in multiple, industry-standard encryption layers with continually changing PKI encryption keys. It then infuses each of those layers with very specific governance policies and forensic capabilities.
That means sensitive data can safely travel anywhere – because everywhere Keyavi-infused data goes, it follows the rules of the individual or organization that owns it.
How does that work?
Example 1: A ransomware attacker compromises a privileged account – a typical tactic during Phase 1.
With traditional security systems: The company encrypts its sensitive data and has an identity and access management system in place, but these protections aren’t effective enough. Once the attacker gains control of an account with high-level access privileges, he can access the authorized user’s decryption keys, decrypt the data, export it, copy it ad infinitum, and send it wherever he pleases.
With Keyavi: Even though the attacker has successfully tricked the security system into believing he is the actual user via identity compromise, the built-in data protections will not allow him to decrypt and read it – much less copy it, export it or send it to others.
Why? Because policies are embedded in the data – policies that extend beyond just identity. As soon as the hacker tries to open sensitive data, it automatically asks itself, Where am I? Am I allowed to be here? Why did I ever leave my owner’s office? And right away, this highly intelligent data realizes: This is not a pre-authorized location. Therefore, I don’t care who he says he is, I won’t open in this location.
And that’s the end of it. No matter how many accounts the attacker hacks into or creates, no matter how many spying tools he uses or legitimate-looking requests he issues to access sensitive information, the data will refuse any access that is not authorized by company policies.
The data won’t just sit there silently, either, but will capture full forensics of the attacker and his location, then send it to the data’s rightful owner.
Example 2: An attacker has already stolen a company’s data.
With traditional security systems: Even if the company pays a ransom to unlock its files, there’s no guarantee it will ever get all copies of its data back. The attacker can return to make multiple extortion attempts or sell the data to third parties at any time.
With Keyavi: If data is stolen during a ransomware attack, whoever owns that data can revoke access anytime, anywhere at the mere touch of a button. This includes exfiltrated data that resides on an attacker’s devices, websites or storage systems. The attacker, and anyone he sends it to, will never be able to see, access or use the data again.
Example 3: An attacker posing as a software consultant tries to copy sensitive data onto a USB drive.
With traditional security systems: Once the attacker leaves the premises, the data goes with him, never to return.
With Keyavi: Even if data has been copied onto a USB, the data’s built-in protections will never allow itself to be opened on an unauthorized device for an unauthorized user at an unauthorized location.
These examples illustrate just a few of over 50 protective capabilities Keyavi can infuse into data. Policies can prevent data from traveling to devices that don’t have specific anti-malware applications installed and running. They can prevent print screen screenshots or data-sharing on Zoom. They can apply different permissions, such as read-only or edit, to different users. Whoever owns the data can control and alter these policies at will, even if their data has already left their possession.
Keyavi’s Silver Bullet
Unlike other security systems, self-protecting data strikes at the heart of ransomware’s business model: its money-making machinery. If attackers can’t demand extortion payments or sell data to third parties, their major sources of revenue dry up, and they remain stuck in Phase 1. While criminals may have broken into the mansion, if they can’t take anything out, it does them little good.
Because most enterprises today have off-site backups, many will refuse to pay the initial demand to decrypt. For example, cloud storage company Spectra Logic and chip manufacturer MaxLinear refused to give in to extortion threats, even though both carried cyber insurance, which likely would have footed at least some of the ransom payments. Instead, they chose to get help from the FBI and work to restore their systems.
Criminals make so much money from selling and extorting companies for stolen data during Phases 2 and 3 that they can afford to skip Phase 1 extortion attempts if a company refuses to pay and move onto their next victim. But the advent of self-protecting data eliminates these sources of income – and with it, the incentives that draw most of the bad actors into this business. When attacks require the same amount of work, but become far less profitable, the motivation to launch them will fade, forcing attackers to turn their attention to other exploits.
To learn more about Keyavi’s unique self-protecting data solutions, visit www.keyavidata.com.
About the Author
Elliot Lewis is an internationally renowned cybersecurity expert protecting some of the world’s most valuable intellectual property – both as a security executive for Fortune 100 companies and as an industry, government and military advisor helping hundreds of customers solve their most challenging data security problems. Before launching Keyavi Data in 2020, Elliot held a number of leadership roles at technology companies such as Microsoft, where he ran the network security division of Windows, then became the senior security architect for the Security Center of Excellence for Microsoft itself. He was also director of strategic services at Cisco, served as chief information security officer (CISO) at Merrill Lynch worldwide and was chief security architect at Dell Corporation. A published author and sought-after speaker, Elliot is also the co-inventor of five network security patents for Microsoft and Dell. He can be reached online at [email protected] and through Keyavi’s website at https://www.keyavidata.com