Ransomware Stopper: Mandatory Ransom Payment DisclosureWhy Requiring Victims to Reveal Payments Would Help Blunt Criminal Business Model
"Silence is gold." So says ransomware operator Ragnar Locker in the latest "press release" to be issued via its Tor-based data leak site.
Ragnar Locker has been attempting to impress on future victims its desire for them to not turn to any law enforcement agency, legal firm or especially ransomware incident response firm to assist. Do so, it says, and it will simply dump their stolen data and never sell them a decryptor (see: Ragnar Locker: 'Talk to Cops or Feds and We Leak Your Data').
"Mandatory federal reporting of any ransom payment ... would have a positive impact on the government's grasp of the problem, and create a decreased propensity for victims to pay."
Responding to that threat, John Fokker, the principal engineer and head of cyber investigations and operational intelligence at security firm McAfee, told me earlier this week: "Perhaps the criminals watched too many TV shows, because this isn't how the real world works."
Indeed, businesses and other entities that get hit by an online attack regularly turn to third parties to help, and security experts recommend they especially do so after any attack involving ransomware. "The fact that gangs don't want victims to involve negotiators or law enforcement help is a very clear indication that they should," Brett Callow, a threat analyst at security firm Emsisoft, told me in the wake of Ragnar Locker's threat.
Needed: A Clear View of Who's Paying
What would also help is to expose to the light as thoroughly as possible not just what ransomware-wielding attackers are doing, but how victims are responding.
Law enforcement agencies, however, say that cybercrime continues to be woefully underreported. In July, Bryan Vorndran, the FBI's assistant cyber director, told the Senate Judiciary Committee that the bureau believes only 25% to 30% of online attacks get reported to federal law enforcement agencies.
In the U.S., publicly traded companies are required by the U.S. Securities and Exchange Commission to inform investors when they've suffered a data breach or other major security problem. But some organizations have allegedly underplayed the extent to which they've been breached, which begs the question of how many might be hiding ransomware hits and payoffs too (see: Pearson Slammed for Breach - Wasn't Just 'Data Exposure').
That's one reason why ransomware incident response firm Coveware, which says it works with thousands of ransomware victims every quarter, recommends legislators make it mandatory for organizations that pay a ransom to criminals to make this fact public.
"We feel very strongly that mandatory federal reporting of a ransom payment will have a positive material impact," Coveware says in a recent report. "Mandatory reporting may not seem like a major forcing function, but piercing the veil of disclosure will tilt the mindset of decision-makers further away from making this specific kind of payment."
The call from Coveware is notable in part because while victims may not alert law enforcement agencies, many do work with a ransomware response firm. Thus, such firms may have much greater insight into just how many organizations are not only being hit, but also choosing to pay a ransom without publicly revealing that fact.
FBI to Congress: Act Now
Senior law enforcement officials have also been urging Congress to act. "Mandatory incident reporting would also assist federal efforts to defend the nation against cyberthreats and to pursue the actors responsible for them," Richard Downing, deputy assistant attorney general of the Justice Department's Criminal Division, told the Senate Judiciary Committee in the aforementioned July hearing (see: Congress Urged to Update Federal Laws to Combat Ransomware).
In July, a bipartisan group of senators introduced a federal data breach notification bill that would require mandatory reporting of any incident involving ransomware. But it would only apply to organizations designated as being in critical infrastructure sectors.
Legislators in some states have also drafted bills that would either ban ransom payments or make them mandatory. But like the FBI, Coveware argues that Congress is best positioned to act. "Mandatory federal reporting of any ransom payment, along with submitting a standardized subset of incident data, would have a positive impact on the government's grasp of the problem and create a decreased propensity for victims to pay."
Mandatory disclosure of ransom payments would help highlight the true scale of the problem. Attackers always prefer to keep their efforts on the down low, not least because if a victim doesn't contact police, then police won't pursue the criminal for that offense.
Attacker to Victim: Act Now - Don't Wait
Ransomware-wielding attackers are not the first to try and compel victims to not tell anyone they've been the victim of a crime. Playing on shame, or the risk of being publicly shamed, has been a common tactic used by many different types of criminals - including scammers, fraudsters and sextortionists - to manipulate victims. So too is trying to force a victim to quickly make a decision, because they'll be more prone to make a rash and ill-considered one that works in the attacker's favor.
Many ransomware attackers also pressure a victim into paying as quickly as possible, often warning that ransom demands will double in a short time frame following an attack - sometimes within 48 or 72 hours.
Numerous ransomware attackers also threaten to "name and shame" a victim by posting their name to a list of victims on the operation's dedicated data leak site, and then leaking stolen data if they don't pay. Beyond this so-called double extortion tactic, some operators have gone for triple extortion, meaning they target nonpaying victims with distributed denial-of-service attacks. Some even engage in quadruple extortion, in which they'll contact customers or business partners to tell them the victim has been breached and refuses to pay a ransom to safeguard the customers' stolen data.
To safeguard their ability to bring in third-party experts, one step every organization should take immediately, in advance of perhaps becoming a ransomware victim, is to ensure they have robust out-of-band communications channels established, says Allan Liska, an intelligence analyst at Recorded Future.
Most ransomware groups aren't monitoring email communications, he says. Regardless, "it is a good idea to practice using out-of-band communications during incident response," Liska says, "especially now that Exchange vulnerabilities are so readily exploited."
Planning and practicing ahead remains essential, so everyone knows what to do. "Don't send an email saying 'Let's switch to Signal' in the middle of an incident," Liska says.