5 Comments
Apr 18, 2023 · Liked by Adrian Sanabria, Tyler Shields

One thing I think is worth mentioning is that the extortion effect of stolen data is nowhere near as potent as that of data encryption. Companies are almost always more sensitive to availability risks than to confidentiality risks.

Plus, once a criminal crew stole your data you would have to trust them to honor their pledge to not sell it on the black market anyway after you pay them not to. 🤔 So I think most companies not only will but will have to, for compliance reasons, disclose the data as stolen themselves and refuse to pay on that basis alone.

That difference, and increased offensive action against criminal crews by Five Eyes governments, are IMHO the most likely explanation for the recent drop in ransomware payments.

author

A very good point, which is why I'm so nervous about ransomware's emerging ability to brick hardware, rendering it useless!!

Stealing data could have more value than just holding it ransom, however - any keys, secrets or credentials gathered could be sold to black markets and result in more breaches. We've seen a lot of incidents where credentials from company 1 led to a breach of company 2, because an engineer at company 2 had an account with company 1 and reused credentials (e.g. Adobe -> MongoDB -> Buffer).

Apr 18, 2023 · edited Apr 19, 2023 · Liked by Adrian Sanabria

ABSOLUTELY, attacking high cardinality third parties to get to their customers is a force multiplier to attackers. They probably wouldn't even gain much by extorting that third party, but by going after their customers instead.

As for bricking hardware... what exactly is the extortion leverage here? If the attacker has already bricked the device beyond repair, what exactly do they have to offer if I pay them? Maybe they brick one device and threaten to brick all others unless you pay... but while victim and attacker negotiate, the victim will hurry to isolate the threatened targets, right? Not entirely sure how effective that will be in practice.

author

Bricking might not be effective on every target, but I could see it working against certain businesses. Also, if they live in firmware, it could be much more difficult to kill persistent access as well. It's another tool in their toolbox we have to worry about though.


Ransomware attacks may become irrelevant due to changes in attacker motivations and technological advancements. Those attacks have historically been motivated by financial gain, but attackers are increasingly focused on stealing sensitive data for espionage or other purposes. Additionally, advances in cybersecurity, such as the use of artificial intelligence, moving target defense and blockchain technology, may make ransomware attacks more difficult to execute. However, the article acknowledges that ransomware attacks are still a significant threat and that organizations should continue to take steps to protect themselves.
