This week, the gang behind the Maze ransomware strain launched a public website listing victims who have yet to pay up, threatening that if no payment is received they will publish the data stolen from those companies for all to see. Ed Dubrovsky, Managing Director of Cyber Breach Response, weighed in on the discussion with IT World Canada.
With the risk of stolen data being released and the victim being publicly named, other questions arise: Is not paying worth the reputational risk of the data breach being made public? And will not paying only make the organization more of a target?
Ed Dubrovsky, managing director of cyber breach response at Toronto-based incident response consulting firm Cytelligence, knows first hand about the threat by the Maze group. He has been advising firms on their negotiating strategy with it “almost on a daily basis.” A few days ago he learned about the new website.
“We’re starting to see a shift where threat actors are becoming sick and tired of clients that have enough controls to recover from ransomware events on their own,” he said. “They need to evolve their tactics to pressure them to pay up for silence.
“So what’s happening with Maze is that from a ransom perspective they are very expensive — typically in the millions of dollars [in bitcoin], doesn’t matter the size of the client. For some clients, the demands are impossible to fill, whether they want to or not. And their process, before they encrypt systems, is to take data away.”
On the other hand, Dubrovsky added, Maze’s claims that it has taken hundreds of gigabytes of data may not be true. In his firm’s experience, typically only a small number of documents are taken, along with screenshots of directories to prove the threat is real. That’s because exfiltrating a huge amount of data takes time and risks detection.
Still, that allows the gang to “take enough damning information” before encrypting the rest, he explained.
Deciding to pay a ransom still has to be a business decision, Dubrovsky said, and that includes knowing whether the victim is a public or private organization. Government-affiliated organizations may have to follow a policy, he added.
“If you don’t have backup and all your data is encrypted and your only option is to close your door or start from scratch, you’re left with little option but to pay and hope for the best. And in many cases we see victims pay.” One bright spot: Ransomware gangs are usually willing to negotiate the payment if they believe they will get paid.
So how can an organization avoid being victimized by ransomware?
“This is a complicated question because we’re dealing with sophisticated adversaries that are very motivated and know very well they can hold a company for ransom if they completely shut it down. So make sure you have backups, but also make sure you have a strategy of how to communicate this [attack] to the outside world. It’s becoming a lot more difficult to hide a ransomware event in any organization unless you’re very small. A large organization needs to stand in front of the media and explain what has transpired, how you recovered and whether you paid. Because if you don’t pay they may publish the event to the media anyway, and if you pay there’s no guarantee they won’t go public.”
Organizations of all sizes have to face ransomware, he said.
“It’s becoming a very serious epidemic.”