When a ransomware attack strikes, negotiating with hackers might be the best way forward for a company, especially if there’s the chance that Protected Health Information (PHI) or other sensitive data could be trading hands.
The team at global data recovery firm Proven Data knows a thing or two about tracking down cyber criminals who’ve locked down networks at companies in frequently targeted sectors like health, manufacturing and education. They’ve got a million dollar demand down to $100,000, a $250,000 ransom down to $60,000, and were in the midst of negotiating another ransom down from 55 bitcoin to 15 bitcoin while speaking with Corporate Risk & Insurance.
“Different hacking groups have different methods of ‘this is how we’re going to go about making our money.’ There are the ones where ‘they’ve surfed the dark web, they don’t really know what they’re doing, and they’ve purchased ransomware and will send out phishing schemes,’” explained Linda Hamilton, client operations manager at Proven Data. “And then there are the more sophisticated attacks with hands on keyboard hackers who know how to create and run their own scripts.”
Proven Data doesn’t condone that businesses pay ransoms every time, said Hamilton. “But in certain situations, if needed, we’re there for them if that’s how they choose to proceed.”
Every ransomware variant has its own quirks. Some variants have hacker portals where keys can be obtained without directly paying the hacker who encrypted a company’s system. In some cases, Proven Data negotiates with someone other than the person who’s impacted a system to get a usable key, so those involved in the hack aren’t involved in the payment.
Then there are the more advanced methods of hacking, when an entire Remote Desktop Protocol (RDP) is brute forced and used as a point of entry. The hacker might destroy back-up systems, and possibly sit in the system for a long period of time, figuring out how the company operates and where they can hurt them even more by deploying additional malware, mining bitcoin, then leaving a parting gift of ransomware.
Working in this field since 2011, Proven Data has seen its fair share of hacking attacks, which aren’t getting any easier to navigate as hackers’ sophistication grows.
“We’ve see them become more and more aggressive as time has gone on,” said Hamilton. “It used to be smaller demands of $200, $500 and it would be anyone and everyone. Now we’re seeing more targeted businesses – small businesses, big business – and they’re looking for vulnerabilities, especially via RDP.”
Despite the risk, cyber security is an area where risk managers have room for improvement.
“There have been companies that actually went out of business unfortunately because of ransomware, so it’s a very serious threat,” said Victor Congionti, CEO of Proven Data.
Besides helping companies evaluate the attack, conduct a forensics investigation, and determine where their vulnerabilities are that allowed for a cyber criminal to enter the network, part of Proven Data’s services includes giving clients guidance on where and how to install preventative measures to avoid being targeted. Congionti advocates adding layers of protection.
“If someone is savvy enough, there’s so many different ways that they can get on your network,” he said. “The more levels of security you have, the more protected you are.”
Before a hack occurs, Proven Data recommends companies implement a robust security awareness program to help employees understand why two-factor authentication is necessary, even if some may see it as an inconvenience, and distinguish phishing emails.
“You’re only as strong as your weakest link. All it takes is a single individual in the company that’s not up to date on their latest security awareness training and they click on something or they do something they’re not supposed to and all of a sudden, the whole organization is at risk,” said Congionti. “The harder you are as a target, the less likely you are to have issues because they want easy money and they want easy companies. They want these companies that have their RDP open – they don’t want to spend too much time on you.”