Multi-Faceted Extortion: Insider Look at Ransom Payments and Cyber Defense 

Day 3 at RSA Conference 2022 was filled with fascinating discussions on enhancing our cyber defenses to defeat the ever-proliferating spate of increasingly common and expensive ransomware attacks.

First, the experts at Mandiant walked us through multi-faceted extortion and ransomware trends. Wondering what “multi-faceted extortion” is? Well, it’s a variety of tactics, often of a threatening harassing nature to ramp up the pressure on the victim to pay the ransom. Mandiant aptly called these “extortion accelerators” such as stealing data, threatening to sell the data, threatening to publicize the stolen data, reaching out to company leadership, regulators, or press to try to shame the victim into paying the ransom.

What are these bad actors after? Personally identifiable information (PII) and intellectual property.

Next, Mandiant walked us through alarming statistics. A study by Chainanalysis showed that approximately $602 million was paid to cyber threat actors in 2021. Year over year, the FBI is reporting a 69% increase in ransomware related losses. While the FBI was able to successfully recover 40% of the ransom payment in the 2021 Colonial Pipeline attack, Mandiant indicated that 98% of its clients that make ransom payments do not attempt to recover funds.

This, however, is considered to be incomplete data due to the under-reporting of ransomware attacks and voluntary nature of reporting cyber incidents (currently, but CISA is working on mandatory reporting obligations to implement Congressionally mandated reporting).

You might be wondering: what kinds of security did these victim companies have? Was it deficient – is that why the threat actor got into their systems? Mandiant noted that these victim companies had security measures deployed. The victims frequently had end point tools that identified credential harvesting (e.g, stolen usernames and passwords) and sent alerts. The analysts failed, however, to understand the alert and what was happening on the end points, leading Mandiant to conclude that to improve cyber defense, companies need to invest in what goes around their toolset – in their employees and their analytic capabilities.

Finally, Mandiant walked us through their key takeaways for effectively defend against multi-faceted extortion and ransomware attacks:

• Build a robust security program but prepare ahead of time for successful attacks. In other words, be prepared to fail and have a plan to respond.
• Effective cyber defense is not just about the latest tools. Effective cyber defense is about the intelligence, expertise, and execution that goes along with tools.
• Strong security architecture begets strong cyber defense.
• Multi-faceted extortion increases pressure to pay ransoms.

Now, after a quick stop at the Equality Lounge, I’m off to see colleagues from the National Security Institute at George Mason Scalia School of Law.