The unspoken truth of Ransomware payouts in Canada

Daemon Behr

Canadians pay more often for ransomware attacks, and I’ll try to explain why I suspect that is.There are a few key parts to a ransomware attack that I’m going to break down first:

  • Initial access
  • TTPs
  • Ransom request
  • Payouts

1) Initial access

This is done via a number of ways called threat vectors. Phishing, social engineering, compromising websites and installing malware in it (also known as watering hole attacks and Drive-By Downloads), spray and pray searching for vulnerabilities with Shodan, just to name a few. Once multiple systems are compromised, then this access is sold to another party by an IAB (Initial Access Broker). They could sell this access to multiple parties, or sell off database dumps, or access to specific systems within the environment. The average amount an IAB can get on the market is more than $5000 per network. If they want a steady stream of business, then they may become a Ransomware-as-a-Service affiliate. This means that the RaaS service owners get priority access to an a network and the affiliates get a cut of the ransom payment.

2) Threat actor TTPs (Tools, Techniques and Procedures)

In an attack, there are multiple ways that persistence, privilege escalation, lateral movement, etc, can be performed. Depending on how it’s done, the fingerprint of the attack profile can be identified.

  • Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.”
  • Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks.
  • Knowing the scope and resolution procedures of past attacks with the same TTPs, allows you to anticipate what to look for and what comes next.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

3) RaaS focusing on victims that pay make them more money with less effort. (Big Game Hunting)

From the attackers perspective, it makes sense to follow the Pareto principle, or 80/20 rule. Focus on 20% of the work that will bring in 80% of the profit. They can do this by either big game hunting of large companies, or to do analytics on who will actually pay ransoms, then focus on them.

Here is an example of an incentive from a RaaS service to get its affiliates to focus on Big Game Hunting.

4) RaaS focusing on victims that pay make them more money with less effort. (Payout analytics)

Here is a sobering fact according to Colleen Merchant, Director General, National Cyber Security, Government of Canada:

75% of Canadian companies would pay a ransom after an infection, as compared to only 3% of US companies

Understanding and Addressing Ransomware Threats

So why do Canadian companies pay out ransoms 25x more than their US counterparts? One possible answer to that is because of legal reasons. Have a look at this memo from the US Department of Treasury.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

……The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.……

US companies may be fined, or have legal recourse against them by the government if they pay a ransom that benefits a sanctioned entity. You can consult with a service that can follow the money and let you know if the ransomware group you are dealing with is on the OFAC’s block list. These cryptocurrency tracking companies include Elliptic and Chainalysis. This causes a few cascading effects as shown below.

a) US companies hit by ransomware from a sanctioned entity might opt to not report it, and pay the ransom out confidentially and illegally.

b) US companies hit by ransomware from a sanctioned entity would legally have to engage with the government to spearhead the incident response, thus relinquishing full control.

c) US companies have a heavy handed disincentive to be complacent about their companies cybersecurity. This helps build up the overall security posture of US companies.

Canada does not have this same legal inhibition for paying out ransom, but there there are some grey areas when it comes to payouts. Such as when personal information was being accessed and mandatory reporting to the government. This also means that there is not the same push to secure Canadian networks, which in turn will make them a more sought out target.

5) Payouts

Who actually pays the ransom from a logistical standpoint? In many situations it’s paid out by insurance companies. Cyber Insurance historically did cover certain amounts of the ransom. However that is becoming less common as insurers are not finding it to be a profitable business model. There was also a case where an insurance company was targeted by attackers to get its client base, so that it could target them specifically. That way they would know that their efforts would pay. Some insurers also have clauses that say if a ransomer knows about the insurer, that the policy is void for ransom payouts. I assume this is to avoid the possibility of insider attacks, leaking that information out for a cut of the payout.

Some companies have a risk-centric slush fund that would be used for ransom, or other risks that the company would have. The payouts would normally be requested in a manner that is difficult to trace, so bitcoin is often the currency of choice. The problem that arises for victims is that it can sometimes be difficult to get bitcoins in a short period of time. If you are not currently trading BTC, then you need to sign up for a service that allows you to buy some with fiat currency. Then there can be limits on the transaction size and it may require multiple transactions. All of this can increase the time that a company is down because of this logistics.

A couple of strategies that could be used to speed up the payouts, is to use a 3rd party to handle the negotiation, payment logistics, etc. This takes the burden off of the victim to scramble and do this. Insurance companies handle this by leveraging an Incidence Response company for triage, attacker isolation, data recovery and ransom negotiations. Then they have their own systems in place to handle the payouts.

Companies that go it alone and don’t have cyber insurance, should have crypto wallet with a nominal amount of BTC in it for incidents. It is also recommended to stock it when the market is in a downturn, and the value of BTC is at a low point. Initially plan for about a week to stock the wallet by going through a reputable site like Coinbase.

The most commonly asked question with regard to the ransom payment is, “Will these criminals actually decrypt my files if I pay?” The answer here is a bit complex. The short answer is yes, they will almost always provide you with a way to decrypt your files. There is a moral dilemma here, after all, the hackers want money and they will provide fast and accurate customer service and tech support to facilitate the payment. If it is discovered that when users pay up and the hackers DON’T decrypt the files reliably, the hackers will lose all credibility and a quick search by other future victims would reveal that it would be fruitless to pay. So, in an odd way, the only way they can encourage victims to pay, is by actually following through and decrypting your files when you pay them.

To finished this post, I could into into a rant of how its better to put your efforts and money into preventative measures, active scanning, and minimizing dwell time. And it is true…. But how you plan to respond to an incident after you have been breached is just as important. The City of Troy was seen as impermeable, until it was breached by the wooden horse we all know. This is the simplified version of what I think a good strategy consists of.

Plan A) Know your castle, including all the trap doors and secret passages. Seal up the holes and board up the service tunnels. Keep active watch and threat intelligence. Arm your guards well and be vigilant.

Plan B) Uh oh, your breached. Well, that’s okay because you have defense in depth. You have isolated and logically segmented environments with microsegmentation, inline traffic filtering with IPS systems, protection at the endpoint, non-persistent clustered workloads spread across multiple availability zones, near 0-RPO backups with off-site immutable backups and the capability of restoring in the cloud with a low RTO. In this scenario, a breached network can be cut off from the rest of the environment and re-imaged without skipping a beat, or impacting users.

Plan C) Lets say that the threat actors get past your planning, scanning and defenses. Sneaky like a fox, and want to watch it all burn down. They destroyed your backups and poisoned the data in your DR site, doxed your dog, swatted your grandma, and they are ransoming your data with a double extortion. You need to figure how to get to good as quickly as possible with the least cost and business impact.

This is where an Incident Response team can come in and help. Sure they can help with plan A and B, but when things really hit the fan and you need to seriously consider plan C, there is no better call to make. However, I strongly suggest having a plan C ready before you need to use it.

An Incident Response team(which is essentially a highly trained tactical cybersecurity swat team) can come in quickly and assess the situation, provide you with options, countermeasures and be the point team in negotiations with threat actors. They will work directly with you if contacted during a breach, or proactively with a retainer. If you have cyber insurance, you just need to tell your insurer that you want a specific company as your preferred IR provider and your good to go.

IR teams can sometimes negotiate down ransoms to a fraction of what is being asked. Remember, this is a plan C scenario, but an once of planning is a 1000lbs of saving your company’s data.