Controversy surrounded CD Projekt Red, a Polish videogame company, when their release of Cyberpunk 2077 was met with negative reception due to excessive glitches in console versions of the game. On February 9th, CD Projekt Red announced on Twitter that they had experienced a targeted ransomware attack. Their servers were encrypted, and both business documents and proprietary source code were exfiltrated. This attack may have been a reaction to Cyberpunk 2077’s negative reception, as the ransom note threatened to ruin CD Projekt Red’s image “even more.” Motivations aside, CD Projekt Red’s response to the incident was remarkable. They confirmed that personal data related to players had not been compromised, restored their infrastructure from backups, and refused to pay the ransom. This story is an example of two trends: the rise of extortion attempts that threaten to leak the data of big targets, and the decline in companies giving in and paying the ransom. These two trends reflect recent changes in the ransomware landscape.
There are two reasons why a company would pay the ransom associated with a ransomware attack: to decrypt their data so they can resume business operations as soon as possible, and to keep information private to protect their reputation. The former incentive is why industrial organizations are heavily targeted by ransomware operators. According to a recent report by the cybersecurity company Digital Shadows, the industrial goods and services industry was targeted the most by ransomware operators last year. Industrial facilities are targeted by non-ransomware attackers too, one example being the water treatment facility in Florida that was hacked early this month. For industrial organizations, business operations need to continue for the sake of those who rely on them, which is why they feel more pressure to pay ransoms. However, ransomware operators have started to shift their focus towards threatening to disclose sensitive data. According to Jamie Hart of Digital Shadows, the cybersecurity company “saw the ‘pay or get breached’ trend take off like a rocket” in 2020, and there are websites that serve as repositories for leaked information exfiltrated from ransomware victims. Toby L of the UK’s National Cyber Security Centre (NCSC) notes that this overall change in strategy is the result of the widespread practice of making backups of important data. This is reflected in the ransom note given to CD Projekt Red, which acknowledges that the videogame company could restore their infrastructure by using backups.
Ransom payments do not guarantee the prevention of financial and reputational damage. A recent blog post by Toby L of the NCSC includes a story about an unnamed organization that paid ransomware attackers billions of euros to decrypt their data, but paid the ransom again after being struck by the same ransomware operators two weeks later. The attackers were able to strike again because the organization did not fix a flaw in their security. In Coveware’s ransomware report for Q4 of 2020, the ransomware specialists note that “defaults are becoming more frequent when exfiltrated data is made public despite the victim paying,” and because of this, “fewer companies are giving in to cyber extortion when they are able to recover from back ups.” The median ransom payment steadily rose from 2019 to 2020, but it decreased by 55% in Q4 of 2020, a sharp reduction attributed to the growing number of companies choosing not to pay cyber extortionists. In Q4, 70% of ransomware attacks involved threats of leaking sensitive data, but “Coveware continues to witness signs that stolen data is not deleted or purged after payment.” Additionally, Coveware is “seeing groups take measures to fabricate data exfiltration in cases where it did not occur.” Ransomware operators are not interested in safeguarding the privacy of victimized organizations. They are interested in making money, which is why they launch ransomware attacks in the first place. If they can make more money by tricking people and/or selling stolen data to third parties, they will do so without hesitation.
2020 was a big year for ransomware. The enforcement of social distancing resulted in employees working remotely for the first time in their lives. Employees new to teleworking were more likely to fall victim to scams that spread ransomware. Cybercriminals send out phishing emails that impersonate IT staff, or claim to contain information related to COVID-19 vaccines or relief payments, in an effort to trick people into downloading ransomware. They also exploit misconfigured server infrastructure and specific vulnerabilities in order to gain a foothold in corporate networks. In addition to exploiting insecure organizations, cyber extortionists are organized. Not only are there various ransomware groups—including Egregor, Conti, Sodinokibi, DoppelPaymer, and NetWalker—but cybercriminals can purchase Ransomware-as-a-Service (RaaS). Just like Software-as-a-Service (SaaS), ransomware can be sold or leased to cybercriminals, and this increases the pool of ransomware attackers.
Overall, the best defenses against ransomware are preventative. Server infrastructure should be properly configured, and employees should practice good cyber hygiene. A while ago, we posted a two-part series of articles about making backups. Backups are useful for recovering data necessary for business operations. They should be stored in locations disconnected from the networks and computers that were backed up, so that the same intrusion cannot encrypt or delete them. Additionally, paying ransoms will not guarantee the restoration of data or the prevention of data leaks. The FBI does not support ransom payments because they incentivize future ransomware attacks. Ransom payments make ransomware attacks profitable, and as long as they are profitable, they will continue until companies fortify their defenses.