Although we tend to think of ransomware, whereby data is encrypted via malware infection and a 'release fee' demanded to disclose the decryption key, as a consumer-facing threat, the news from Kroll Ontrack would seem to suggest that it's something businesses might need to take increasingly seriously as well.
The mechanics of the threat have, it would appear, evolved somewhat though.
Kroll Ontrack engineers say they have seen a "significant spike" in the number of inquiries regarding data recovery following ransomware attacks on virtual drives, although the actual severity of this increase has not been disclosed to us.
Shane Denyer, a data recovery engineer at Kroll Ontrack, confirmed that the company is seeing "a definite move away from attacks that target large numbers of small business or home users" and a move towards "more of a spearphishing approach where individual, larger corporations come under fire."
In particular, our attention was drawn to attacks where hackers are said to be deleting virtual drives completely on corporate systems and replicating the data on their own servers. "The first time the companies know about the attack is when they find a note from the hacker where the virtual drives used to be, criticising their security arrangements and requesting payment for return of the data or threatening to sell it on the open market," Kroll Ontrack explains in an emailed statement.
In a recent case, SCMagazineUK.com understands that payment was demanded in Bitcoin with the threat that the stolen data would be auctioned off after two weeks if payment was not made. In this particular case, Kroll Ontrack informs us that it was successful in being able to recover the data without any ransom being paid.
Bitdefender's chief security strategist, Catalin Cosoi, points out that simply because hackers are targeting virtual drives doesn't mean the attacks are virtualised. He goes on, talking to SCMagazineUK.com, to argue that malware isn't even necessarily deployed during the attack process. "Infection methods aren't necessarily state-of-the-art," Cosoi said. "They can range from classic social engineering schemes to steal employee login credentials to exploiting unpatched software vulnerabilities – it can be virtually anything."
In a similar vein, TK Keanini, CTO at Lancope, points out that what is going on here is technically not ransomware but rather extortionware, something he predicted a while back as being the evolutionary path such attacks would follow.
"The difference is the fact that the attacker, instead of just keeping you from your data, has your data and threatens to publish (or delete) if the ransom is not paid," Keanini told SC. This evolutionary path isn't finished yet, Keanini reckons, warning that we will likely see more attacks where the threat actors don't care if you have a backup of your data as the payload isn't in holding access to that data to ransom but rather being paid off to mitigate the threat of publishing commercially sensitive or potentially embarrassing information to a public audience. "Here we are dealing with disclosure issues that can only be solved by well implemented data level encryption," Keanini said, adding: "The technology is available to solve this problem, the habits are not."
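Keanini's point is that a backup does nothing against an extortion threat: the copy the attacker holds is the problem. Data-level encryption addresses that, because a stolen record whose sensitive fields are ciphertext under a key held elsewhere (an HSM, a KMS, or at minimum a separate secrets store) reveals nothing, and authenticated encryption also stops the stolen copy being silently altered and re-sold as genuine. The following Go program is an added illustration written for this article, not code from Kroll Ontrack, Bitdefender or Lancope; the record layout, the field names and the 32-byte key are constructed for the example, and in production the key would come from a key-management service rather than being generated in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record models one row of a constructed customer table. Only the
// sensitive column is stored as ciphertext; the key never sits next to it.
type Record struct {
	ID     string // non-sensitive, stored in the clear
	Email  string // non-sensitive, stored in the clear
	Secret []byte // nonce || AES-GCM ciphertext || tag of the sensitive field
}

// EncryptField seals a sensitive value with AES-256-GCM. The record ID is
// bound in as additional authenticated data (AAD), so a ciphertext copied
// from one row into another fails to decrypt: a stolen copy cannot be
// quietly spliced into a different record.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a fresh nonce per field value
		return nil, err
	}
	// Seal appends the ciphertext and the 16-byte tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. It returns an error for the wrong key,
// the wrong record ID, or any modification of the stored bytes.
func DecryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// SealRecord builds a row that is safe to copy to backups, replicas or an
// attacker's server alike: the secret column is opaque without the key.
func SealRecord(key []byte, id, email string, secret []byte) (Record, error) {
	blob, err := EncryptField(key, id, secret)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Email: email, Secret: blob}, nil
}

func main() {
	// Constructed key for the demonstration only; use a KMS in practice.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := SealRecord(key, "cust-0042", "alice@example.invalid", []byte("4111 1111 1111 1111"))
	if err != nil {
		panic(err)
	}
	// What an exfiltrated copy of the row looks like: ID and email in the
	// clear, the sensitive field as bytes that carry no information.
	fmt.Printf("stolen row: id=%s email=%s secret=%x\n", rec.ID, rec.Email, rec.Secret)

	// The legitimate application, holding the key, reads the field back.
	pt, err := DecryptField(key, rec.ID, rec.Secret)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// An attacker who edits the stolen copy, or moves it to another row,
	// produces bytes the application refuses.
	_, err = DecryptField(key, "cust-0043", rec.Secret)
	fmt.Println("moved to another record:", err)
}
```

The design choice that matters for the extortion scenario is where the key lives: if it is stored beside the virtual drive that was taken, the encryption adds nothing. The AAD binding is a second, cheaper defence that makes a stolen field useless even to someone who later obtains a decryption oracle for a different record.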