SBN

Ransomware and the C-I-A Triad

In earlier, more innocent (?) times, cyberattacks seemed to be fairly straightforward. You have the data exfiltration attacks, where copies of sensitive personal information and intellectual property are stolen, often without the victims’ knowledge since the original data are left intact. Sensitive nonpublic personal data are then either sold on the Dark Web or used directly. Stolen intellectual property is sold or used in industrial espionage. Both types of data are used for political purposes.

Then there are DDoS (distributed denial of services) attacks which swamp websites with messages so that legitimate users do not have access. These attacks are generally meant to be disruptive rather than money producing.

Similarly, direct attacks on infrastructure, supply systems—such as electricity grids, sewage systems, water-supply systems—are intended to be disruptive and perhaps warn victims that they are vulnerable and can be controlled or taken down at any time to gain political advantage, for example. The above attacks have not gone away—indeed, they are continuing to grow. But they have been overtaken, in the press and in actuality, by ransomware, whereby victims are held to ransom if they want their encrypted data back, or to prevent release of sensitive data, or avoid having their systems tampered with. Seemingly, ransomware started out by gaining control of victims’ systems, encrypting the latter’s data, and offering to sell the decryption key to the victims to enable the victims to have access to their data again. The attackers soon realized that they could exfiltrate the data prior to encryption and make additional money by threatening to release the data unless the victim paid additional funds. The attackers discovered that they could also threaten those whose data were stolen directly, opening up a whole new population of victims. Thus, availability and confidentiality were compromised in the first two generations of ransomware.

The third leg of the C-I-A triad—integrity—is a somewhat different animal. One might argue that the ransomware attacks on Colonial Pipeline and JBS meat processing were physical integrity-related, but was that actually the case? DarkSide, which was behind the Colonial attack, went to great lengths to assure everyone that they had no intention of closing down the pipeline, but only wanted to get the ransom money. Presumably the DarkSide gang did this because they were afraid that shutting down the pipeline, which Colonial management did in “an abundance of caution,” might have been construed as an act of war and might have initiated both cyber and kinetic responses. But who is to say that an enemy wouldn’t consider holding critical infrastructure to ransom? This would, of course, be a very dangerous turn of events that could rapidly escalate.

While not generally publicized, there appear to be many actual integrity issues, even when the ransom is paid and crypto key provided. According to a cybereason report, “Ransomware: The True Cost to Business,” some 46 percent of respondents found that some or all of their data were corrupted, whether intended or not. We do read of occasional data integrity issues of victims, but this information is generally suppressed. The cybereason report is a rare revelation of the true magnitude of this significant issue.

Another interesting finding in the cybereason report is that some 80 percent of those who paid a ransom experienced another attack, about half of which were thought to be from the same source as the first attack. This raises the stakes in an already devastating interplay. It would appear that organizations do not, or are not able to put up defenses in time to prevent further damage.

As described above, ransomware differs from earlier types of cyberattack in that the victim is forced to foot the bill rather than profiteers seeking to sell information to the highest bidder. It is so effective because victims have so much to lose, whereas ransom-seekers and profiteers have little to lose and much to gain.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2021/07/19/ransomware-and-the-c-i-a-triad/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-and-the-c-i-a-triad