Cyber threat analyst: Keizer ransom payment furthers hackers’ efforts

Of late, Brett Callow, a cyber threat analyst, is like a spider sitting on the world wide web waiting for news of hacking strikes like the one that hit Keizer two weeks ago. 

Within an hour of Keizertimes reporting what had happened, Callow, who works for the malware and anti-virus software company Emsisoft, reached out to inquire whether city employees had recently been returning to work after the pandemic. Emsisoft is expecting to see a rise in hacking of public agencies and private companies as workers return to the office, often bringing computers loaned out by the agencies they work for that had been operating in less secure home environments.

On June 10, hackers put the data on Keizer’s city computers behind an encrypted door, and required a ransom payment of $48,000 before turning over the numeric key to unlock it. 

Not all ransomware works the same way, and the latest versions are more sophisticated than the older ones that arrived via hacked programs downloaded from the internet, Callow said. 

“Networks are initially compromised via email or improperly secured internet-facing servers. At this point, the first-stage malware performs various checks in order to determine whether it has landed on a potentially valuable target. For example, by checking whether the system is connected to a corporate network. If the system is determined to be potentially valuable, the attack will proceed and the data will eventually be encrypted,” Callow said. 

Paying ransoms only exacerbates and accelerates hacker activity, he added. 

“Payments are the fuel that drives ransomware,” Callow said. “Every organization that chooses to pay a ransom is not only incentivizing the criminals, they’re also providing them with additional resources to invest in ramping up the scale and sophistication of their operations. That means more victims, more ransoms paid, more ramping up, more victims, etc. It’s a vicious circle and the only way to break it is for organizations to stop paying.”

Paying the ransom, alongside statements that no data appeared to have been downloaded or misused, is often thought to mark the end of the crisis, but that isn’t always the case. Callow cited three incidents where data stolen in ransomware hacks surfaced later in other ways. In Torrance, Calif., data initially thought to have been untouched was later discovered to have been stolen; in Prince Edward Island, Canada, data ended up being posted to the website of the hacking group known as Maze; and data scraped from a Saskatchewan, Canada-based health provider ended up being sent outside its network. 

“Prior to the data being encrypted, it may also be exfiltrated. The threat of releasing – or, in some cases, auctioning – the stolen data is used as additional leverage to extort payment,” Callow said. “What the cities actually paid for was a pinky promise that the stolen data would not be destroyed and not posted online. But that pinky promise is coming from criminals.”

Forensic investigation after the attacks can lead to clues regarding what happened, but the hackers typically delete the tools they used to enter the system and scramble internal logs as they exit. 

Callow said ransom demands are often victim-specific and based on a victim’s perceived ability to pay. There is also often a lag between when a piece of malware enters the victim’s computers and when the victim shuts it down, which gives the hackers time to research their target. 

“Consequently, they are usually well aware of an organization’s financial position. In many cases, they’ll even know whether an organization is insured and what its coverage limits are,” Callow said. 

It is incumbent upon the victims of ransomware hacking to completely rebuild their computer networks, Callow said. 

“If they do not do this, the criminals may continue to have access and attack for a second time. In one recent case, the criminals had ongoing access to a company’s emails – including emailed transcripts of phone calls – so they were able to monitor their response to the ransomware incident. They then posted all that information online along with an accusation that the company was committing insurance fraud,” he said. 

Most hacking attacks are avoidable, but simply backing up data to the cloud or an off-site server isn’t the solution either – in both cases, hackers who are already inside the network can reach the backed-up data without causing a recognizable uptick in network activity. 

“What would make a difference is if organizations would adhere to security best practices – something which governments seem to be particularly bad at doing,” he said.