Zscaler’s chief security officer and head of research believes paying a ransom can sometimes be the only option to keep sensitive data safe.
Cyber Daily: What really amazes me is how, with just 2 per cent of the world’s ransomware attacks targeting Australia, that still puts us at number seven on the list of most targeted countries, in this year’s report from Zscaler. Are these hackers simply opportunistic, or is there something about the Australian environment that makes us particularly susceptible to ransomware attacks – are we just an attractive target?
Deepen Desai: The breakdown that you see in the report is where the team is actually tracking real successful ransomware attacks that are publicly known. So, these are where leak sites are already listing the companies.
Seventy-three is what I see as successful attacks that we saw in our latest annual report. Before that, it was around 68, so it’s mostly flat, but it is still an attractive target.
What you’re seeing is even though the growth is not that high in terms of percentage, and I wish we had that number, which is the ransom amount that was demanded from all these victims, that amount is slowly and steadily going up. And as you saw in the latest report, we spotted US$75 million as the highest ransom getting paid this year, in March, by a Fortune 50 company. So we’re seeing more of a big game hunting approach, where they’re going after smaller targets, more opportunistic, but where the probability of payout is very, very high, and large payout is what we’re talking about.
Cyber Daily: I guess that would mean targets like hospitals and education, you know, where you have this huge trove of intensely personal data and a community of people who do not want to see it compromised, and so the hospital or school will pay up just because it’s the safest thing to do. Do you think that’s the wise thing to do?
Deepen Desai: So look, this is a hard question – it’s a hard, hard, controversial question.
Hey, is it OK to pay ransom? Not OK to pay ransom? This is my personal advice – depending on the situation you’re dealing with, if it’s a life and death situation, where the physical security case of hospitals, it’s the life of the patients that are there getting treatment, if the systems are down because there was an encryption attack carried out, you will have to pull the trigger in order to save those real lives.
Similarly, there are a lot of scenarios where there is so much sensitive information that is getting stolen by these bad guys that it can cause a national security risk, or it could risk an IP that this company will entirely go down, and they will have to pull the trigger in that case, as well as paying the ransom. We’ve also seen examples like, in the US, a gaming casino chose not to pay ransom, right? And then they incurred a big loss because it was not operational for a few days while they were recovering.
But that’s a completely probable option as well for an organisation. Again, in that case, no life was getting lost. Yes, there was revenue getting lost. If the company wasn’t generating revenue for a week, maybe not. And that’s where… That’s the path they took.
Another casino chose the path of paying US$50 million in ransom. So again, there is a grey area where, depending on the business, depending on the situation you are in, you may choose to pay the ransom. You may not choose to pay the ransom. But the core requirement is, especially in the US now, you have to report these attacks. You have to make people aware. The SEC mandates that for all publicly traded companies, and we will see more and more of regional enforcement across the globe around this, because what these bad guys are doing is they’re trying to stay under the radar. They don’t want law enforcement to know when they successfully target a victim.
In the case of the US$75 million ransom that we mentioned in the report, they did not encrypt the files. They did not cause any business disruption, so the company stayed operational. This is a Fortune 50 company, but they stole tons and tons of data, which is falling in that category that I just described, which is so sensitive that it cannot leak out, and then these guys pay up.
And so, the government cracks down, and regulation around this will continue to increase because they ultimately want to stop this threat. And there are a lot of global operations being carried out, but it’s a hard problem to solve.
Cyber Daily: So earlier this year, RansomHub was particularly, particularly active in Australia. It felt like every other day I was writing a story about them. They got three engineering firms, just randomly. What do Australian businesses need to know about how a gang like RansomHub, which is a ransomware-as-a-service operation, goes about doing what they do to their victims?
Deepen Desai: Many of these – and I’m going to generalise, since RansomHub is one of several ransomware-as-a-service affiliates – they all have a similar profit-sharing model where there are initial access groups. We call them initial access brokers, right? Those are basically experts at getting inside your environment, whether it’s through phishing, whether it’s through vishing, [or] whether picking up the phone and calling your IT help desk. We’re seeing more and more initial access brokers leveraging different techniques to get inside, and then they’re renting this ransomware-as-a-service infrastructure to carry out end-to-end ransomware attacks, including encrypting the files, decryption tools, data exfiltration, lateral propagation, all of that.
In any of these attacks that we see, they are following four stages, where they find you, they compromise that first identity, first asset, first application. They move laterally in your environment; this third stage, where they move from that first identity, first asset, to all your assets in the environment, leading them to the crown jewel application, is the biggest damaging stage of the ransomware attack.
And the fourth stage is where they’re stealing data, and they’re stealing terabytes and terabytes of data. So, coming back to your question, what do organisations in Australia need to do? Just like we’re seeing a strong push from the US government around zero-trust adoption, we need to start seeing that over here as well.
It’s already happening, though. It’s not like organisations over here are not on that path, but it needs to be pushed by the government as well, where… “Hey, this needs to be a bare minimum zero-trust requirement, where you’re able to get ahead of some of these common TTPs that we’re seeing over and over again in many of these attacks”. The entry point is the only thing that changes.
But think about it: if you have a true zero-trust implementation, that entry point will lead to one incident, one machine, one identity incident, not an entire environment- or entire organisation-impacting incident like we see today.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.