An analysis of the Southwire and City of Pensacola attacks, and how it changes ransomware response.
As 2019 drew to a close and 2020 began, there was a dramatic change in the way ransomware attacks operate. The traditional ransomware attack of the last five years went as follows:
- Hackers break-in.
- They encrypt the organization’s data.
- The organization either pays and gets their files back or doesn’t pay and gets nothing
- Hackers go away*
* LMG Security’s forensics team has detected multiple cases of infected ransomware decryptor tools, which would provide hackers with long-term, persistent access to the network. Assuming the infection was properly and completely eradicated, however, the typical end result was that the hackers moved on to other targets.
This dynamic shifted dramatically in December, when Southwire, one of the largest wire manufacturers in the USA, and the City of Pensacola, FL, were hit with Maze ransomware. This attack brought a new aspect to the ransom – public shaming – and has expanded ransomware into exposure extortion.
Breaking away from the traditional script, the hackers took the extra step of stealing the data before dropping the ransomware, and openly touted it in the ransom note. After asking for a little over $6 million from Southwire and $1 million from the City of Pensacola , the hacking group also publicly announced that they had the hacked data and would not only leave the files encrypted, but also publish the data on the web unless the ransom was paid. “We have also downloaded a lot of data from your network, so in case of not paying this data will be released,” the criminals wrote in the Southwire case. The Maze operators also suggested searching for news articles about their prior hack of a security firm and the data they released, as proof of their sinister promise.
This substantially changes the ransomware response playbook. Exposure style extortion isn’t necessarily a new concept, but pairing it with newer Ransomware-as-a-Service offerings is a potent new combination. Previously, most ransomers focused on encrypting files, and often did not take the time to steal large volumes of data. As a result, once the data was successfully decrypted and the network was cleared of residual infections and back doors, businesses could move on and operate with some sense of relief. With the changes in the last month, that may no longer be the case.
Why Did the Maze Ransomware Group Steal the Data?
In both cases, the hackers were looking for leverage. Stealing and threatening to disclose the data not only offers the potential of public backlash if the organization doesn’t pay, but also can trigger expensive fines if any of the data is covered under GDPR or CCPA regulations. With the pricey fines for GDPR and CCPA violations, there is a rising trend in which hacking groups are beginning to tailor ransom requests to come in slightly under the GDPR fines. These GDPR and CCPA fines are offering a benchmark that hackers are leveraging to push companies to pay, suggesting it will cost less and avoid GDPR issues, as well as public embarrassment.
Following Maze’s example, ransomware gangs Sodinokibi (aka REvil), BitPyLocker, and Nemty publicly stated that they would similarly begin releasing files when a ransom was not paid. Sodinokibi specifically invoked GDPR as additional leverage: “In case of refusal of payment – the data will either be sold to competitors or laid out in open sources,” they wrote in a forum. “GDPR. Do not want to pay us – pay x10 more to the government. No problems.”
While there were certainly occasional cases where files were exfiltrated in the past, the new emphasis on public exposure changes the typical ransomware response. When the City of Pensacola and Southwire both refused to pay the ransom, the Maze group publicly released 2 GB of data from the City of Pensacola, and incrementally released Southwire’s data for each week that they refused to pay the ransom.
Southwire’s Ransomware Response Breaks New Ground – But What Strategies Were Effective?
Southwire broke new ground in their ransomware response. Here’s what was interesting in this case:
Southwire must have had good, current back-ups. In less than a week, the company reporting being back to normal operations.
After Southwire refused to pay the ransom, Maze called them out publicly and followed through on their promise to release data. Maze released a good chunk of data publicly which other hackers turned into an interactive database with impressive search functions.
Southwire sued the anonymous “John Doe” ransomware gang, and also filed an injunction in the court of Ireland, requiring the ISP to take-down the site that was disclosing the information. This was a ground-breaking ransomware response. The web site came down (at least, temporarily). Southwire also may have given themselves a legal advantage in recovering funds, if the criminals are ever tracked down and held to justice.
Unfortunately, the takedown was short-lived. Soon afterwards, the hackers re-launched their website out of a different country and released a lot more information – including personal information for customers and employees – on a Russian hacking forum and encouraged those hackers to use the information however they want. There is no doubt that the publicity around the takedown and re-release of the data has fueled curiosity and resulted in a much greater exposure of Southwire’s data, which is probably not the result they were looking for.
How These Attacks Change Our Ransomware Recommendations
Historically, there have been differing views in the industry on ransomware recommendations – some experts advise paying the ransom if it is a reasonable amount, while other experts advise to never pay a ransom.
The new ransomware twist of exposure extortion is a game-changer. While ransomware recommendations will vary on a case-by-case basis, if there is the possibility of exposure extortion, the industry standard best practice is not to pay. Consider how much you really trust criminals: if you pay, and they promise to delete the data, what is to stop them from holding you for ransom in a couple of months, or just selling the data anyway to a private buyer? By paying and not disclosing, your organization may also risk violating notification laws, which could land you in even more hot water down the road. Nobody needs a skeleton in the closet.
With exposure extortion, there is nothing to stop the hackers from continuing to ask for more money and creating an endless cycle of demands. Now that the game has changed, so will ransomware response strategies.
How to Reduce Your Risk of a Ransomware Attack
Let’s face it, breaches happen. However, there are steps you can take to minimize your risks. Here’s a checklist for preventing ransomware:
- Phishing Prevention – Make sure all employees receive regular training to defend against phishing. Ensure your spam filtering is effective and use a web proxy to detect and block malicious sites. (Read more on phishing prevention)
- Strong Authentication – Deploy two-factor authentication for remote access whenever possible, and make sure to include vendors. Pick strong passwords and use a password manager program to help employees store passwords securely.
- Backups - Backup your data. Test your backups. Store a copy securely off site. Repeat.
- Antivirus – Install antivirus software on ALL computers. Use it and keep it up-to-date. Check at least monthly to make sure it is running properly on all systems.
- Monitoring & Threat Hunting – Catch intruders quickly, before they have a chance to detonate ransomware. Make sure that your monitoring systems detect suspicious activity and alert immediately if an intruder is inside your network. Conduct proactive threat hunting to detect activity that automated systems may miss.
- Privilege Limitation – Limit what staff can do on their desktop. Make sure they cannot change the system configuration or install any software without prior approval.
- Software Updates – Keep your software up-to-date with the latest patches at all times. Software updates include new security ‘fixes’ that can save you money and hassles.
- Network Segmentation – Separate systems on your network so that a high-risk workstation is less likely to infect an important server.
- Supply Chain Management – Have a strong supply chain/third-party vendor vetting program. A rising number of attacks come through third-party vendors, so create policies and ensure vendors and partners meet your minimum security requirements. (Read more about vendor risk management policies and vetting tips.)
Final Recommendation on Ransomware Response
When it comes to ransomware, it’s time to update the response playbooks! Make sure exposure extortion threats are in your breach response plans. Remember that the best defense is proactive security and implementing our seven steps above on how to mitigate ransomware attacks. It’s always cheaper to invest in prevention than it is to fix the problem after an incident.
If you need help securing your network or developing ransomware and data breach prevention policies, please contact us – we can help.