Traditionally, data backups are thought of as a central element of an effective ransomware mitigation strategy. Even if a bad actor succeeds in contaminating a PC or an enterprise network with a strain of file-encrypting code, the victim can easily restore files as long as an up-to-date backup is available. There is no need to pay a fortune to the adversary to redeem those records, and the entire recovery footwork boils down to purging the malicious program – as simple as that.
This tactic makes perfect sense, but with a caveat. It used to work and still does in most cases, but sometimes the damage goes beyond unauthorized data encryption. The latest quirk of ransomware operators is to steal victims’ data before rendering it inaccessible. This way, the criminals can demand a ransom from a position of strength, threatening to leak the files if their target refuses to cooperate.
The worth of backups is being depreciated
If the above scenario kicks in, backups are nearly futile when it comes to emerging unscathed after a ransomware incident. Moreover, they may even do the victim a disservice – here is how. Having infiltrated a computer network via phishing or crude implementation of the remote desktop protocol (RDP), malicious actors use a post-exploitation tool (e.g., Mimikatz) to find and exfiltrate access credentials from the breached database.
If this foul play pans out, malefactors can access the backup solution deployed in the organization or gain a foothold in cloud storage containing backups. This exploitation is a shortcut to retrieving the victim’s most important files, which are usually prioritized and backed up in the first place.
What’s worse, attackers can erase these backups after copying them to their server. An extra benefit for ransomware makers is that the process of downloading files from a victim’s cloud backup does not look like an anomaly to conventional network protections. This hallmark allows the breach to stay undetected until things get out of hand.
Under the circumstances, companies should rethink their incident response plans to fit the current security context. Not only do they need to follow proper backup practices these days, but they should also encrypt data to prevent it from being used against them.
A ransomware attack now equals encryption plus data theft
At the time of this writing, more than a dozen widespread ransomware lineages pilfer their victims’ files in addition to pulling off malicious encryption. The following strains are known to use this approach: Ako, Cl0p, Conti, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar Locker, Maze, Sodinokibi (REvil), Sekhmet, Snake, and Snatch. Some hacker groups have set up “public shaming” web pages to which they upload data stolen from unyielding organizations.
The Maze ransomware, one of the big names on the threat map, gained notoriety for being the first to adopt the two-layered extortion model in November 2019. The list of companies that have since fallen victim to this detrimental threat includes the US facility services firm Allied Universal; cable manufacturer Southwire based in Georgia; the city of Pensacola (Florida); Andrew Agencies, an insurance company headquartered in Manitoba, Canada; and most recently, Canon USA.
Starting from June 2020, Maze ransomware operators have been establishing a cartel-style network of affiliated extortion campaigns. They have already teamed up with cybercriminal crews in charge of the Ragnar Locker, LockBit, and SunCrypt ransomware nasties. The gangs now share the same data leak site and exchange expertise to take their combined efforts to the next level.
The DoppelPaymer ransomware follows in the footsteps of Maze in this regard. To top it off, its distributors mishandle backups as part of their tactics. In one of the recent data dumps published on their leak site called “Dopple Leaks,” the felons listed a victimized organization’s username and password for Veeam, a popular backup application. It means that the attackers had full access to the reserve copies of files belonging to a non-paying business.
Sodinokibi, also known as REvil, is one more ransomware family that obtains organizations’ data before locking it down. Its high-profile victims include staffing and technology company Artech Information Systems based in New Jersey and the Kenneth Cole Productions fashion house, to name a few. Aside from spilling the stolen data to frustrate their most stubborn targets, Sodinokibi operators have been reportedly selling it on hacking forums.
Data encryption as a game-changing countermeasure
With ransomware operators increasingly targeting backups, protecting these records with a cipher could be an effective move to make attackers frown. Even if files are stolen, they are useless to attackers without a secret decryption key or a public-private key pair. When taking this route, it is important to differentiate between data at rest and data in transit.
Data at rest. This term denotes static information stored or archived on physical media such as a hard drive or a flash drive. It is not being actively transferred between devices or networks.
Data in transit. Also referred to as data in motion, this concept spans files that are actively “traveling” across the Internet or within a private network. Records in a real-time database, emails, and items manipulated by an application are a few examples of this info.
At first sight, data at rest appears to be the only type that needs to be protected against ransomware raids. However, in today’s hybrid cybercrime world, attackers may also try to intercept data in motion as it is being synced to the cloud or exchanged via email and instant messaging services. The latter is a far less likely scenario in a classic ransomware incident, though.
With that said, encrypting data at rest is every company’s first priority. Here are the most common methods to protect such information:
- Transparent Data Encryption (TDE). This technique is used to encode files stored with popular managed database solutions by Microsoft, including SQL Server, Azure SQL Database, and Azure Synapse Analytics (formerly known as SQL Data Warehouse). TDE secures secret encryption keys with a certificate, making it impossible for evil actors to unscramble fraudulently obtained data.
- Symmetric and asymmetric encryption combo. When a symmetric cipher such as the Advanced Encryption Standard (AES) is applied at the database column level, a single key is used to encrypt and decrypt data. To raise the bar for black hats, it is a good idea to additionally encrypt this key with an asymmetric one that inherently has a larger size. This adds entropy to the process and prevents the cipher from being cracked.
To protect data in transit, organizations should resort to the end-to-end encryption that makes information unreadable during transmission while revealing it to a receiving party. In most cases, symmetric encryption with a set session key or a certificate should suffice to safeguard sensitive communications against man-in-the-middle (MITM) attacks and other forms of unwanted tampering.
Furthermore, the use of the Transport Layer Security (TLS) cryptographic protocol reliably protects sensitive communications between a client and a server. It generates a unique key for every connection, thereby stopping eavesdroppers in their tracks.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.