
Roger Grimes says ‘quintuple extortion’ is the new ransomware reality. And it’s getting worse

Roger Grimes, data-driven defense analyst at KnowBe4.

In early 2020, the cybersecurity community began warning the public of the latest ransomware trend: double extortion. Extortionists would not only encrypt your data, but also steal it and threaten to publish it online.

Those were the days.

Soon enough, attackers will be doing it all – fully compromising victims, selling off their data in pieces to the highest bidders, sapping their processing power to mine cryptocurrency, threatening to ruin their reputations. Encryption and doxing are just the beginning, according to Roger Grimes, data-driven defense analyst at KnowBe4 and a computer security veteran for the last 34 years.

To a degree, it’s already started. Just this week, for instance, it was reported that the Conti cybercrime group has changed its business model: Rather than doxing exfiltrated data, Conti is offering it to interested buyers – so even if the ransom isn’t paid, the criminals still make a profit.

Indeed, double extortion is a misnomer; it’s more like quintuple extortion, said Grimes, who believes we are living in the golden age of ransomware – from the adversary’s perspective, anyway.

And for as long as we are living in this age, it will be imperative that businesses take the proper steps to effectively prevent, detect and respond to attacks. With that in mind, Grimes has comprehensively laid out those steps in his newest book, “Ransomware Protection Playbook.”

Available in paperback and digital formats (e.g., Amazon Kindle), Grimes’ book also examines cyber insurance and legal considerations, and makes predictions for how the ransomware threat will continue to evolve. Grimes spoke with SC Media and explained some of the core messages he aims to convey through his latest publication.

Much has been written about ransomware as it continues to plague the business community. What does your book add to the conversation?

True prevention. Most ransomware prevention is really about “Have a good backup.” And that’s not prevention, that's part of recovery… Don't count on a cybersecurity insurance policy… and a good backup to save you, because they won’t.

I talk about [how ransomware] isn't double-extortion; it's really quintuple extortion. When ransomware breaks in, it's stealing not only your data and emails, but also your employee and customer credentials, and then trying to find all sorts of other ways to extract value from your company. They could do cryptomining inside of your company. They can do lots of other things that a good backup is not going to prevent.

So I think the number-one thing [my book] brings is it really talks about prevention – that you have to stop social engineering, you better patch your software, use MFA, and have a good password policy. If you don't do those four things, you're not going to stop ransomware…

I also have a whole chapter dedicated to cyber insurance – about what it is, what it covers… what it's like when you go through an event. [And] all the things it doesn't cover. Almost every ransomware victim after they get hit starts buying all the software and devices they should have had before they got hit. Well, cybersecurity insurance isn't covering any of that.

[We also look at] responding to ransomware… It takes a structured approach: “This is [what you do] hour one, day one. This is week one, this is week two, this is [next] month, and the rest of your life.” And then I go further and talk about what the future of ransomware’s going to look like… I don't have a lot of superpowers, but one of my superpowers is I'm pretty good at spotting where things are going. And you think it’s bad now? It's going to get a lot worse.

The cover of "Ransomware Protection Playbook."

Your book says that we’re currently living in the Golden Age of Ransomware (from the attacker’s perspective). How did we allow things to get this bad, and what do we do about it?

The number-one reason why cybercrime exists is that we have criminals that can't be prosecuted. Once we learn how to identify the criminals and prosecute them, it stops. That’s the way we stopped bank robberies in the 1920s… Now most people don't do bank robberies because you’ll more than likely get caught, not get a lot of money and go to jail. Until the Internet changes that equation for ransomware and cybercriminals, they're going to keep robbing.

For a long time, [the ransomware landscape] was death by a thousand cuts or boiling the water slowly… but then the ransomware people just started making so much money that it made [even more actors] jump into the game, like, “I can't miss out on this gravy train.” So now you have anywhere between 100 and 170 ransomware people, gangs, strains that are making a lot of money.

We were talking millions before. Now we're talking billions – and some people are predicting hundreds of billions of dollars being stolen within a year or two. That's real money, and the cyber insurance industry is literally saying, “Hey, you want cybersecurity insurance? You’ve got to prove to us that you have MFA and that you're trying to defeat social engineering and that you have encryption.”

And as your book notes, attackers have gotten better at applying pressure to victims as well, whether it’s threatening to publish stolen data, contacting a firm’s customers to tell them their data was compromised, or timing an attack at the worst possible time, like the ransomware attack on candy company Ferrara Candy Co. right before Halloween.

You have to look from their perspective. They're illegal, unethical criminals. But if you ignore that part, they're businessmen, and their business organization is looking to maximize profits. So they are doing a great job of extorting a maximum amount of money by [inflicting] a max amount of pain.

What I think the future is, is that they're absolutely going to look at every target now not only as a ransomware target for quintuple extortion. They're gonna go, “Okay, before we go in there, how can we maximize the amount of value that we can take out of this victim?” So instead of just attacking a candy company before Halloween – which is just a brilliant evil strategy [feigns evil laugh] – they’re going to say, “Okay, we can install cryptocurrency miners, we can use their resources to mine Bitcoin and pick up some money that way. And then we can sell their credentials on the dark web and then we can sell email information and data information.” So it's going to be a “Pay us, or we're going to release your data” scenario.

I've heard this story where [a] CEO was having an affair with his secretary, and the attacker said, “You pay us or we're going to tell your board of directors you’re having an affair with your secretary” and… it’s not only going to affect his life, he could lose his job.

If you look at the natural evolution of ransomware, it started out with, “We're just going to encrypt immediately.” Then it was, “Let's go ahead and encrypt more machines.” Then they're stealing data and credentials. Now they're routinely [conducting] distributed denial of service attacks and you'll find a few that are doing cryptocurrency mining. I think you're going to see all of them [realize]: “The thing that we actually have that’s the most value is undeniable access to these organizations and their digital assets. How can we maximize that value?”

If you want to really maximize your value, you're stealing data that you give to competitors, data that you try to sell to nation-states, research, intellectual property, credentials. You’re cryptomining, you could use their network to do a denial of service attack against somebody else. And when they discover us, boom, we go off and do the encryption.

Your book makes some other worrisome ransomware predictions. For instance, you said we may see ransomware developers expand their reach beyond desktop computers and instead design code that infects mobile devices, industrial control systems, SCADA systems, IoT devices and more. Can you paint a picture of what that scenario might look like?

Twenty years ago I created something I call the Grimes Corollary which is: Whatever becomes popular, becomes hacked, and it is never in 20 years not proven to be true… And right now you're seeing this massive move to both mobile and IoT, and also the decentralization of data, in all kinds of ways.

The most common malware today is malware against devices like DVRs, cameras and routers, where it used to be the most common malware programs were against Windows… We've already had ransomware hit TVs a couple years ago… So, as we become more distributed the attackers are going to [realize] they can take out a whole bunch of mobile phones and create the same pain [as a traditional attack, even if they can’t] get to your data center… So it seems to me that as we go to more IoT, as we go to more mobile, as we go to more distributed systems, hackers will follow, whatever the technology trend is.

Any positive predictions regarding ransomware?

Ultimately, I think the success of ransomware is going to lead to its downfall… People are waking up… When you have President Biden talking about defeating ransomware every week, there's a significant amount of resources going into defeating it. For a long time, up until this year, the president of the United States didn't talk about ransomware a whole lot, and now he's mentioning it every week. That is a change, and that change is going to lead directly or indirectly to better security.

You note in the book that you devote many more words and chapters to ransomware response than you do prevention and detection because recovery and response is the most complicated and complex phase to navigate. Explain.

Once anything's taken over – software, a device or whatever – you don't know what they've done. You don't know where they’re hiding.

Let me give a really common example: Do I change all my passwords now or later? The bad guy’s broken in… I need to change all the passwords now to keep the bad guys out, but if I change all the passwords and they've got backdoor trojans then they're just back in and they have my new password. If I wait until I make sure I get rid of all the bad guys, I'm taking longer [and] that can cause more damage.

So, there are all of these struggles of “What do I do? In what order?” And then, “Do I rebuild everything? Do I just try to recover from it?” Ultimately, the best security decision is completely rebuilding your environment from scratch... [But] most companies are not doing that because they don't have the time to do it and so they're going to do a recovery, versus a rebuild. And so a lot of the book is talking about that.

I liked that you also included a section on what not to do in the event of an attack. For instance, don’t lie to or argue with your extortionist. What was your thinking behind this chapter?

It’s amazing to think that somebody would argue back to an attacker that has absolute control over them, or insult them. But it does happen, and those attackers are like: “Good riddance.” Or sometimes they actually even make things worse. Like maybe they're just ransomware attacking you and now they start doing a distributed denial of service attack.

[You might say] “I got a good backup.” Well, it turns out you didn’t know that they corrupted your backups and deleted your backups – and now they're asking for double, and now you've got to start arguing… back to the original payment that they were talking about. Or they could sell your information.

[Also,] in the United States it could be illegal for you to pay a ransom… There have now been two memos from the U.S. Department of Treasury, stating that you cannot pay ransom to somebody that's on the “Do Not Pay” list, even if you don't know that they're on the “Do Not Pay” list. You or a service on your behalf has to do some due diligence because… you don't want to break that law [and create] additional problems.
