4

I'm reading an article from the Institute for Applied Network Security (IANS) titled "Ransomware 2.0: What It Is and What To Do About It", and there's a piece I don't understand. The article requires a subscription, but here's the excerpt (emphasis mine):

[Attackers] typically threaten to release confidential data to the internet or dark web if the victim refuses to pay. This extortion tactic is fairly new and it is unclear whether it will become more prevalent. If it does, it is uncertain whether attackers will release the data they’ve exfiltrated (and even how much data they’ve exfiltrated in the first place). Obviously, the more data an attacker exfiltrates, the higher they raise their profile and the more likely they are to be caught before the encryption phase. Therefore, unlike attackers motivated by IP theft, Ransomware 2.0 attackers have an incentive to minimize their data exfiltration.

Why would attackers not follow through with the threat of releasing this data? Does exfiltrating more data give forensic scientists, network admins, and the like better insight into the anomalous and malicious behavior--and shouldn't attackers sufficiently cover their tracks? If not, how is the attacker profile increased with the volume of exfiltrated data published?

pancake-house
  • 773
  • 1
  • 5
  • 13

2 Answers2

3

tl/dr: Data exfiltration here means the process of copying data from the victim to the attacker, which generates a lot of network traffic and may therefore be noticed before the encryption/attack is finished. Moreover, publishing stolen data is not quite as simple as it seems, because it is most effective when done "publicly", and in that case legal channels may be used to stop an attacker from doing it effectively.

It's easy to misunderstand what is meant by "data exfiltration" here. So to be clear, when this article talks about data exfiltration they aren't talking about releasing data publicly. Rather, they are talking about the simple act of copying data off of the infected systems and onto a system controlled by the attacker. Consider a typical "lifecycle" of a ransomware infection:

Standard Ransomware

  1. Ransomware is downloaded/executed somehow
  2. Ransomware begins encrypting files locally
  3. Ransomware (theoretically) sends encryption keys back to C&C servers so the files can be unecrypted after payment

All-in-all this is a pretty "low profile" attack, and antivirus and other anti-malware solutions have adapted to try to catch such things early on before they encrypt everything. This is typically done by noting sudden and large spikes in disk usage, which are a sign of ransomware doing its thing (and also a sign of many other typical computer tasks, which can make detection a bit tricky). Sending the keys to a C&C server takes up effectively zero network traffic, so detecting that is virtually impossible.

Blackmail ransomware

Compare that to the lifecycle of a ransomware attack in which the attacker wants to hold data hostage to be released later:

  1. Ransomware is downloaded/executed somehow
  2. Ransomware begins encrypting files locally
  3. Ransomware sends the encryption key to C&C servers
  4. Ransomware begins sending unencrypted copies of all files to the C&C Servers

The big difference is step #4, aka data exfiltration. The important thing here is that this is very noisy. Now not only does the attacker have to worry about local antivirus/antimalware systems noticing the attack in progress, but they also run the risk of being detected at the network level. For a home user that doesn't even use an antivirus program (aka an easy target), their ISP may instead notice, start blocking traffic, and perhaps try to notify the user. In a corporate environment it is even worse: even if policies on the individual machines are lax, there may be network level logging and alerts which may notice the increase of traffic, bring it to someone's attention, and shut the whole thing down before much encryption has happened.

In essence, like any thief, ransomware will be the most successful when it has plenty of time to do its thing before getting detected. Trying to extract the data as you encrypt it is very "loud", and increases the risk of detection for the attacker.

It's like the difference between someone silently trying to steal the TV from your living room while everyone is asleep, versus someone who lights the kitchen on fire so they can steal the phones and laptops out of the bedrooms.

Publishing data

You also asked, in essence, why someone who has stolen data wouldn't publish it if their ransom isn't paid? That's tricky. Of course an attacker may very well do exactly that. However it isn't always that simple. There are a number of complicating factors:

  1. Due to the above, they may have chosen to limit the amount of data they stole, and therefore may know that they don't have anything worth publishing.
  2. The advantage of the classic ransomware attack is that, with the use of Bitcoin, it can be completely anonymous. Staying anonymous gets much trickier when you have to publicly publish your victims data.
  3. Actually publishing the data may itself be tricky to do well. Such data would obviously be published in violation of copyright, so the victim may be able to use legal channels to have the data taken down (which has actually happened). The attacker could publish it in the "dark" web or somewhere that is harder for legality to matter, but then it may not have the same impact to the victim's business (depending on the nature of the secrets).

All this to say that this whole "we'll publish your data if you don't pay up" situation is not quite as simple for the attacker as it seems. That's not to say it is safe to ignore such threats, but I think it may still be a bit unclear if this new take on ransomware will have much more success than the original kind.

Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
  • Well if getting caught on the network level before the encryption phase is over is a problem, why can't the ransomware start exfiltration after completing the encryption phase? They already have the keys so they can decrypt it later on. – nobody Jun 28 '20 at 14:52
  • 1
    @nobody It's.... complicated.... You couldn't send up the unencrypted contents like that because computers don't have enough memory. But you could wait until everything is encrypted and then start sending up the encrypted files one by one. However even that won't necessarily work in a corporate environment because then you don't want to encrypt just one computer - you want to traverse the network and encrypt as many vulnerable computers as you can find. – Conor Mancone Jun 28 '20 at 15:04
  • 1
    What happens if the first computer you encrypted starts sending up files when you've only "penetrated" a fraction of the computers on the network? Your whole attack may be stopped before you've *really* crippled their systems, which means that your ransom won't be effective and you may not have found anything juicy. Maybe if you can find a way to coordinate across the whole network so that all the machines don't start transmitting data until you give the signal, but that is quite complicated and error prone itself. So to recap, it's just not quite as straight-forward as it might seem. – Conor Mancone Jun 28 '20 at 15:05
  • Oh I get it. I was thinking about it from the perspective of a single machine. – nobody Jun 28 '20 at 17:16
2

A so-called ransomware 2.0 attack can only be done properly as part of a targeted attack. In opportunistic attacks, where the criminals infect a huge number of machines, siphoning a lot of data from every target is going to be impractical. The alternative of course is to perform a "fake" ransomware 2.0 attack, where only a few files (or even nor files at all) are actually stolen from the target.

The reasons why an attacker might decide to not publish your data:

  • Getting all your data has a cost: it takes time, bandwidth, storage capacity, and it might trigger some security controls or be very noticeable anyway. To optimize this process, the attacker would need to filter the data and only steal the valuable files, and this process is not easy to automate. Imagine a HDD with several GB of pictures, and all of them could be published without much harm (actually, most of them might already be published on social media), except for only a couple of pictures that would destroy your reputation. How does an attacker find those pictures, without investing a huge amount of resources on you?
  • Publishing all your data has a cost as well: it takes time, storage capacity, etc. Plus, why publish it for free? What's the advantage? It would be better to sell it, but of course you can only sell it if it's valuable, and valuable files should be extracted from a lot of other noise. As you can see, publishing information also has a cost that should be considered, and cyber criminals are not interested in wasting their time.
  • To pay a ransom you just need to be scared, so if the criminals can make you believe that they have your data, that's going to be enough for the attack to work. So the attacker might not publish your data because they just don't have it.

On the other hand, there are reasons why an attacker might decide to publish your data, at least partially:

  • To pay a ransom you need to be scared, but if the victims start to realize that there's nothing to be scared about, ransomware attacks won't work anymore. In a typical ransomware attack the criminals actually try to restore your files after you have paid the ransom. This way they are sending a message: "paying the ransom works, paying the ransom can be worth it". And so many victims end up paying. Likewise, in a ransomware 2.0 attack, the criminals might decide to publish some data to send a message: "we do have your data and we are willing to publish it".
  • Stealing all your data has a cost, but the attacker might be able to scare you enough by just siphoning part of your data, or even just a few random files, and then publish a couple of files as a "proof" they have all your data.
  • If the criminals realize that you might be a interesting target, they might invest more resources specifically on you. Imagine some ransomware that gathers a list of social media accounts used in the browser. If the attacker realizes that they have probably infected a machine that belongs to some famous (and hopefully rich) influencer, they might decide to target that influencer and try to find out if there are compromising pictures stored anywhere.
reed
  • 15,398
  • 6
  • 43
  • 64