File a Ticket and a Threat Actor Will Be With You Shortly

The Pitfalls of Conducting a Business Transaction With a Malicious Actor

This may seem like a strange title for an article, but ransomware has been big business over the past couple of years and shows no sign of stopping in 2020. This article will not debate the merits of not paying ransoms, in cases such as Atlanta and Baltimore, or purportedly paying as in the recent case of Garmin, since that is a personal/business decision. The fact is that company after company and city after city continue to find themselves in the unenviable position of losing access to important data, or, in extreme cases, entirely unable to operate due to maliciously encrypted servers and workstations.

When faced with the dilemma of paying a hefty ransom versus the extended downtime required to restore operations from scratch, many organizations decide that paying the ransom is the ‘least-bad’ option. Presented with a firehose of cash from organizations around the world, ransomware actors have developed a professional business model that makes transactions nearly as fluid as charging a credit card.

File a Ticket Please…

Dealing with a modern ransomware actor often feels very similar to opening a support ticket with any technology vendor or helpdesk. One typically visits a support portal and provides the required identifier to allow the actor to identify your specific infection (out of the many they operate simultaneously).

Members of some ransomware groups assign themselves the sort of job title one would expect to encounter in any customer service organization. For example, you might be surprised to find yourself corresponding with the ransomware actors ‘Sales Director’ (never mind that the product for sale is access to your own systems). A pleasant demeanor is adopted, and the intrusion may even be framed simply as an unexpected and involuntary proactive security assessment for which the bill is now due.

A recent Reuters article detailed a surreal chat session between the ransomware actor's customer support staff and a victim. The threat actor in that case was kind enough to provide details regarding how the intrusion was accomplished, and even provided recommendations for the organization to improve and prevent such breaches in the future. The entire exchange hardly feels like negotiating the terms of your own extortion with a criminal enterprise.

This begs the question, why not simply pay the ransom, implement the recommended changes, and resume normal business operation?

Figure 1: Publicly available chat between the threat actor and a CWT representative

You Decide: Can You Trust the People Who Did This to You?

Buyer beware. In recent Incident Response (IR) engagements concerning customers who paid ransoms to the threat actors, we observed numerous different ransomware actors establishing persistent backdoors that continued operating even after the ransom has been paid and the client's data decrypted.

In one such case, the ransomware actor provided details of the intrusion to the victim in a manner similar to that described in the Reuters article. However, this description of the intrusion notably did not provide details of two persistent backdoors established on the victim's systems that would provide a means of continued access for the threat actor once business operations were re-established.

Recommendations

The decision to pay the ransom is highly contentious and is not debated in this article. However, if a business finds themselves the victim of a ransomware attack, it is important to conduct a thorough Incident Response investigation to ensure that all potential avenues of threat actor access have been eliminated.

Additionally, consult your trusted security provider to reverse engineer any “decryption tools” received by the threat actors since they could decrypt the files, but could also be Trojanized to provide the hackers additional access to the environment at a later time. The payment to decrypt does not provide a ‘no re-entry’ guarantee.

Ransomware infection vectors are diverse. The BlackBerry Incident Response Team responds to ransomware incidents at companies of diverse sizes and in diverse verticals stemming from phishing emails, remote exploitation of vulnerabilities, and brute force of exposed login interfaces.

Remaining reactive is a costly endeavor so it is imperative that all businesses conduct proactive assessments of their security posture, as the trend of accelerating ransomware incidents shows no sign of slowing.