From Ransomware To Blackmail, With Assaf Dahan

Hackers keep modifying and improving their methods of operation. Assaf Dahan, Sr. Director and Head of Threat Research at Cybereason, tells us about the recent shift to blackmail as a way to pressure ransomware victims into paying the ransom.
Assaf's webinar will take place on July 14th, 2020. Register for the webinar at: https://www.cybereason.com/ransomware.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Assaf Dahan

Sr. Director, Head of Threat Research at Cybereason

Cybersecurity expert with over 15 years of experience in the InfoSec industry, from a military and civilian background.

Episode Transcript:

Transcription edited by @hakinadey

[Ran] Hi and welcome to Malicious Life in collaboration with Cybereason.
Next month, on July 14th, Assaf Dahan, senior director and head of threat research at Cybereason, will be doing an online webinar on the topic of the state of ransomware 2020.
We already had Assaf on our show a couple of times before, so I figured this would be a great opportunity for us to talk to Assaf again and learn about the current trends in ransomware. And in particular, one very interesting and worrisome trend, the shift from the “classic ransomware” scheme to actual blackmail. If you would like to watch the webinar, which is happening on July 14th, you can register on malicious.life/ransomware.
Assaf, thank you for joining us.

[Assaf] Thank you for having me, Ran.

[Ran] Great to have you again.
So, firstly, tell us a little bit about the upcoming webinar. What are some of the topics that you’ll be presenting there?

[Assaf] Yeah, so actually, it’s going to be a really cool webinar. It’s going to be led by me and my colleague, Jim Hung, who’s the director of incident response engineering at Cybereason. And we’re going to cover the evolution of ransomware across three decades, actually. And we’re going to talk about the trends and shifts that we’re seeing within this cybercrime ecosystem.
So, that’s going to be like the first part of the webinar. And the second part will be dedicated to lessons learned from incident response. We’re going to provide some insights and recommendations based on some of the more sophisticated attacks that we’ve been seeing since the beginning of the year.

[Ran] Yeah, so ransomware is, I think, the number one threat currently on most organizations’ map, so to speak. It’s going to be very interesting. I hope I can also join the webinar myself.
But we’re going to talk in this short conversation that we’re going to have about one particular topic which I found, as I said, very interesting. And that’s the shift from ransomware to blackmail. A very new development in ransomware.
So let’s start from the basics. What’s the basic difference between ransomware or ransom and blackmail?

[Assaf] So it’s a very good question.
So we’ll start with some definitions and nuances in the English language before we dive into our world of ransomware, right? So a ransom is a sum of money that is paid in order to release a captive. It could be a person. It could be an encrypted file for that matter, right?
Whereas blackmail is a criminal offense where there’s a payment or benefit that is paid in return for the criminal not to reveal compromising or damaging information about the victim. So that’s an interesting nuance to keep in mind.
Now when it comes to our world of ransomware, what we’ve been seeing is that the ransomware operators, the cyber criminals, are sometimes facing problems with getting the money, getting paid. Now that could be because of legal or ethical reservations or restrictions. Some organizations are prohibited from paying ransom to cyber criminals or cyber terrorists.

[Ran] Such as governmental agencies, I’m guessing?

[Assaf] Yeah, for instance, and there’s a lot of also ethical issues. Some organizations believe that if they pay, you know, it doesn’t stop the attackers from coming back and demanding more ransom.
So like it’s, you know, a never-ending vicious cycle of payment.

[Ran] Plus, you’re never totally sure that even if you do pay the money, you’ll get the information back.

[Assaf] Exactly, exactly. And also in recent years, since, you know, the surge of ransomware, we see a lot of organizations actually implementing good backups and disaster recovery plans.
So a lot of the organizations can partially or even fully recover their data without paying. So ransomware operators needed to find a clever way into making the victims pay, in a way to twist the victim’s arm into paying. And here comes the blackmail part.
So what they’re doing is not only are they encrypting the data, but before they encrypt the data or even after, they exfiltrate ridiculous amounts of sensitive data about the company, about its financial statements, employees, customers’ data, super sensitive information that is, you know, under almost every regulation, you know, a company like that would be fined if the information got out, right? And also, I mean, like there’s a reputational damage, there’s a lot of collateral damage there.
So what we’ve been seeing is that a lot of ransomware operators, such as the REvil group, Maze and other types of prominent ransomware, are doing this shift and they now have like blogs in the darknet, such as the Happy Blog of REvil, where almost each day they’re auctioning data of other victims, basically. Starting prices usually range between like $20,000 to $50,000 and it goes up and up and up and up.

[Ran] So you mean they’re auctioning data from companies which refuse to pay the blackmail and now they’re making money off of auctioning that same blackmailed data?

[Assaf] Yes.

[Ran] This is so clever, I mean, nefariously clever, but very clever.

[Assaf] Exactly. So if you didn’t want to pay us at the beginning to, you know, recover your files, okay, no problem. We’re going to auction it and we’re going to offer it to the highest bidder.
So in a way, they’re twisting their victims’ arm into paying. So a lot of the companies will do it covertly. Like there’s also the questions of, you know, whether you pay or don’t pay. And a lot of companies, even if they pay, they try to make it very hush-hush.
And that way, you know, it’s very hard not to pay because if you have all of this data about your customers, about your intellectual property, about your financial statements, all of that, if it’s, you know, out there up for grabs for the highest bidder, you want to make sure that you pay that ransom or blackmail fee.

[Ran] Do we know, or can we at least estimate what percentage of the companies choose to pay versus those who choose not to pay the blackmail?

[Assaf] Well, it’s very difficult to estimate because as I mentioned before, it’s probably not the proudest moment of a company when they have to pay a ransom. Some of them, even if they’re paying the ransom eventually, they wouldn’t admit it. They’ll do it in a very hush-hush manner because of, you know, fearing legal ramifications or even reputational damage. So even if companies do pay, very few will actually admit it.

[Ran] So we can’t really, really know what’s going on out there.

[Assaf] What we can know is that a lot of people or a lot of organizations do pay. And that’s just because if you track down Bitcoin wallets and you see cryptocurrency transactions, you can see that the wallets of the cyber criminals, and especially ransomware operators, are increasing, and their annual revenues exceed even a billion dollars in some years.
So someone has to pay this money, it cannot all come from individuals. Probably the bigger payouts come from companies and organizations. This is where the real money is.

[Ran] What about mitigation?
We know that the usual recommendation to mitigate the risk of ransomware is to have backups and regulations on how to get back if you were hacked and ransomed. But what about blackmail? Do we have any mainstream advice on how to prevent this kind of attack?

[Assaf] So I think the best advice is the general advice when we talk about targeted attacks. Because what we’ve been seeing with those more sophisticated ransomware attacks, what we call distributed ransomware attacks, where they hit hundreds, even thousands of endpoints at a given company, what we see often is that the dwell time is quite long.
The amount of time that the threat actor is present on the victim’s network ranges between one month and I’ve even seen nine months’ dwell time.
So that’s a pretty long time that, at least for us as defenders, it gives us time to, assuming that you have the right endpoint solution or the right security solution, you have skilled staff and mature security practice, you should be able to nip it in the bud and stop these attacks from evolving into a ransomware attack.
Because they’re following a very, almost a very predictable pattern of initial compromise and then they move laterally, compromise critical assets until they get to, let’s say the domain controller or other assets, and then they infect the entire network with ransomware. These operations usually take time. And if you have the right tools and a mature security practice, you would be able to stop it. Because again, it takes time.

[Ran] Maybe that’s the vulnerability of the attackers in this case, because in ransomware, the attack can be very fast. You deploy some sort of malware on the network. It encrypts everything. It could be over within minutes or something like that.

[Assaf] On an individual machine.

[Ran] An individual machine. Yeah. While with blackmail, as you said, it’s weeks to months of operations.

[Assaf] It’s the same with ransomware as well, but also it does take a bit more time with blackmail because they actually have to exfiltrate the data, which is another important thing. If you have good network monitoring and you see that you have gigs and gigs of data all of a sudden flowing into a weird IP or domain, that’s a very telling sign. And also they, of course, they’ll try to do it in a stealthy manner, maybe take more time and to make it less suspicious.
But the point is, and it goes to ransomware operations and blackmail operations, these things usually take a long time. It’s not something that can be done within a day or two. We see an average dwell time of one month.
So it gives the defenders enough time to look for it and to hunt for it. And you have to do it proactively, not only count on alerts that you get from your antivirus or your other security solutions, you have to proactively look for signs of intrusions.

[Ran] What about encryption as maybe part of a solution for such blackmail?
If your data is encrypted voluntarily, that is, not as part of ransomware. If you keep all the data of the organization encrypted, that could maybe prevent such blackmail. They can’t unencrypt it.

[Assaf] In theory, yes.
Practically speaking, I think it would be quite difficult to, at least within the next, for the foreseeable future, I think it would be a bit difficult to implement, especially in large organizations. There’s a lot of issues to consider there, whether it’s performance and other issues.

[Ran] It’s not easy.

[Assaf] Yeah, but it might also help to prevent it.

[Ran] Amazing. I mean, I’ve been following the world of cybersecurity for, I don’t know, 20 years or more, and every year there’s something new, and here we have something extremely new again. Amazing.
Thank you, Assaf. It’s been a pleasure to talk to you as always.
And for you, the listeners, if you wish to join Assaf’s webinar on July 14th, you can register for the event at malicious.life/ransomware.
I’ll also use this opportunity to remind you about our own live recording event, which will take place on July 29th, 12 p.m. Eastern Time.
That’s 9 a.m. Pacific Time and 5 o’clock in the afternoon in London. Again, that’s July 29th, 12 p.m. Eastern Time. My guest will be Israel Barak, Cybereason’s CISO and an expert on multi-stage ransomware, the almost APT-grade ransom attacks we hear about so often against corporations and part of what we spoke about today with Assaf.
If you wish to join our live recording, you’ll find the registration link on our website, malicious.life. Registration is free and we’ll dedicate some time to answering your questions to me and to Israel.
That’s it for this episode. Thank you for listening.
Malicious Life is produced by PI Media. Thanks again to Cybereason for underwriting the podcast. Learn more at cybereason.com.
Bye-bye.