GigaOm called OTORIO “the lone outperformer and pioneer” among the IIoT security vendors it analyzed.

See why

Understanding the Ransomware Victim Profile (Part Two)

Understanding the Ransomware Victim Profile (Part Two)

02 Jul 2020

The earlier a company understands its ransomware "victim profile", the better it can prepare for a potential attack.

Today’s ransomware attacks are much more sophisticated than they used to be. The days of “spray and pray” are over. We are now seeing Advanced Persistent Threats (APT) with tactics, techniques and procedures (TTPs), such as establishing a foothold in the victim’s network, collecting data and files, and spreading different tools before implementing the encryption and claiming the ransom payment. We can therefore assume that the victims aren’t picked randomly, but are analyzed deeply before they are targeted. The attackers calculate many factors, such as the wealth of the owners, the pressure imposed by clients, the cost of a day of downtime, or the impact of a delayed supply. All of these factors increase the pressure on the victim and the ability for attackers to offer a deal that the victim seemingly can’t refuse.

For example, if an attacker knows the daily turnover of a company (based on publications, leaks, or breached data), he can fine-tune his ransom claim to a sum that will not be disproportionately high, nor ridiculously low, but precisely within the parameters to make the victim think seriously about paying the ransom and buying back its network and peace of mind.

Leaking Data and Leveraging Privacy Laws as Additional Means of Pressure

Some ransomware hackers threaten to leak information, usually gigabytes of data or thousands of documents, if the victim refuses to pay. In some cases, this is how we learn that an attack has already occurred. Different companies may have different concerns regarding their data, but generally speaking, a massive data leak from the organization’s network is the nightmare of any CISO. Especially if it includes source code files, intellectual property in any form, sensitive financial figures, private information about employees and partners, or other confidential business documents.

By calculating the potential damage of a leak, executives might reach the conclusion that there’s nothing to hide or lose, and they address this threat with resilience. Things change when the attackers threaten to leak to the dark web Personally Identifiable Information (PII), such as ID documents, credentials, payment methods, etc., which are stored in the victims’ systems. The damage in this case is double – a hit to the company’s reputation and credibility, accompanied by a possible lawsuit for violation of privacy rules such as CCPA, GDPR, or other local privacy laws. Such violations may incur fines reaching up to 20 million EUR or 4% of the global annual turnover of the company according to the GDPR fines key, or $700 USD per entry if CCPA is applicable. The choice of paying the ransom in order to avoid a lawsuit becomes more of a question of finance and legal affairs, rather than a cybersecurity issue.

Preparing for an Attack

To prepare your business for a ransomware attack scenario and reduce risks and potential damages, we suggest that you answer these questions:

  • What are the most sensitive pieces of information in the network and what might happen if they are exposed externally?
  • Is there a reliable backup in a safe place (where it will not be encrypted if the rest of the network is encrypted)?
  • Do you store PII of employees or customers? If yes, is it necessary? Can you reduce it?

Understanding Your Victim’s Profile

Ransomware can hit anyone unexpectedly, yet we see that some organizations are at higher risk. The earlier a company understands its “victim profile”, a term that represents the perception of a ransomware attacker, the better it can defend its assets and prepare employees, suppliers, clients, and internal stakeholders for a potential attack. 

Answer the following questions. If the majority of your answers are “yes”, then your “victim score” is high and you should start taking preemptive steps:

  • Is your business vertical making the headlines?
  • Are you a supplier of critical materials, products, or services?
  • Do you supply anything that is delay or shortage sensitive?
  • Are you a supplier for governments, defense, or advanced technologies?
  • Do you or your partners own unique intellectual property?
  • Do you depend on your IT/OT network for business continuity?
  • Does your company keep PII of clients and/or employees?

The Next Steps

No one enjoys preparing for a ransomware attack, just as no one likes the idea of seeing their house, car, or property damaged. In the case of natural hazards, we apply the best practices of safety, do an evacuation drill every now and then, and buy insurance policies in case things get out of control. When it comes to ransomware attacks, the procedure is similar: 

  • Design your digital assets wisely with architectural standards
  • Perform a laser-focused penetration test periodically
  • Make sure you have a capable incident response team on-call

You cannot eliminate the risk of being hit by ransomware, but you can significantly reduce the potential damage and ensure fast recovery.

Read part 1 of Understanding the Ransomware Victim Profile.

Matan Rudis
Threat Intelligence Team Leader

Ran Finkelstein
Threat Intelligence Researcher

For more information contact us at [email protected].