Calling the bluff of breachstortion gangs

Confidence in the defences and using backup data to test and assess is key to standing up to the latest criminal demands

As if ransomware alone weren't enough of a headache for firms, now we have a new way for attackers to abuse stolen data: 'breachstortion'. Where ransomware typically involves a malicious actor shutting down access to IT systems until a cash sum is paid, breachstortion takes the whole 'we've got your data' thing to another level.

In a breachstortion attack, the perpetrators threaten to publicly announce that you've been hacked and, by way of an added 'bonus', that they'll sell your data on the dark web - even if they don't actually have it.

No secrecy and no certainty

Victims of ransomware attacks don't often like to go public and admit they've been compromised, for reasons that should be pretty obvious. Admitting to the outside world that it's possible for your computer systems to be hacked is not good press. Customers might fear for their personal data; your reputation will fall; customers will move to competitors; and you're on the helter-skelter to oblivion. It's no surprise that many organisations pay up and shut up.

Breachstortion gangs take the choice of whether to go public away from their victims by threatening to make an announcement for them, piling on the pressure to pay up quickly rather than spend time trying to find out what the gang has got and if it's of real value.


That question of what a breachstortion gang might have got is pivotal. How do you know that the gang has found a way into your systems? How do you know it's got anything at all? Just because they've not given you any proof doesn't mean they don't have your data. But do they? It is well known within the industry that breachstortion gangs often haven't hacked into the organisations they target at all; they rely on the fear factor alone.

Once an organisation has paid up the first time, a breachstortion gang might come back again and again, especially if they had no data in the first place. If a victim has given in to fear once, they could do so again - and again, and again. It's not a good situation to get into. So how can an organisation be confident their IT infrastructure has no holes for these gangs to find?

Block all access routes and secure backups

If a breachstortion gang does have access to your systems, it's very likely it got in through the same routes a traditional ransomware group would use: phishing credentials from unwary staff, malicious emails, unsecured ports, external storage media such as NAS drives, and data left unsecured in cloud storage (especially public cloud) are all common routes.

Step number one to save yourself from breachstortion woes is to understand your IT estate weaknesses. Where can your defences be breached? Nobody is 100 per cent secure against a cyber-attack, but a resilience test is worthwhile. Achieving this might involve using a third-party service provider, but it will provide you with peace of mind and insights.

Step number two is to ensure your backups can't be accessed by any kind of malware. It is surprising how many backup services just copy malware over along with everything else, so that if they're restored the malware just pops up again. Clearly, that's not what you need. It's also important to make sure your backups are complete enough that they can have you fully up and running quickly, with no odd gaps where crucial data should be. On top of that, you need to be able to restore backups to fully operational status at speed. Downtime costs reputation and money.

Step three is to use the data insights available to you. Some data management platforms, which you may already have, offer machine learning insights that automatically and continuously monitor for anomalies that humans may miss. For example, if your organisation's data change rate is out of the normal range (based on daily change rates), or backup volumes are suddenly increasing out of sync with normal use and permissions are being changed on files, it's an early-warning sign that something is going on that might be down to a malicious third party.
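To show what the anomaly monitoring described in step three looks like in practice, here is an added example (not code from the original article or from any vendor platform) that compares each day's backup telemetry with a rolling baseline of the preceding days. The telemetry records, field names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed daily backup telemetry (not real customer data). One record per
# backup job: share of protected data that changed since the previous job,
# size of the resulting incremental backup, and files whose permissions changed.
@dataclass
class BackupDay:
    day: str
    change_pct: float
    backup_gb: float
    perm_changes: int

SAMPLE_DAYS = [
    BackupDay("d01", 1.2, 41.0, 3), BackupDay("d02", 0.9, 39.5, 2),
    BackupDay("d03", 1.4, 43.0, 4), BackupDay("d04", 1.0, 40.0, 3),
    BackupDay("d05", 1.3, 42.5, 5), BackupDay("d06", 1.1, 41.5, 2),
    BackupDay("d07", 1.2, 41.0, 3), BackupDay("d08", 1.3, 42.0, 4),
    # Constructed "bad day": far more data changed, the backup balloons,
    # and permissions were rewritten on over a thousand files at once.
    BackupDay("d09", 17.5, 305.0, 1280),
]

METRICS = ("change_pct", "backup_gb", "perm_changes")

def zscore(value: float, history: list[float]) -> float:
    """Distance of value from the history mean in standard deviations.
    The deviation is floored at 5% of the mean so that a perfectly flat
    baseline (sd == 0) does not turn a trivial change into an infinite score."""
    mu = mean(history)
    sd = max(pstdev(history), 0.05 * abs(mu), 1e-9)
    return (value - mu) / sd

def flag_anomalies(days, window: int = 7, threshold: float = 3.0):
    """Compare each day's metrics against the preceding `window` days.
    Returns [(day, {metric: z, ...}), ...] for days where any metric sits
    more than `threshold` standard deviations from its rolling baseline."""
    flagged = []
    for i in range(window, len(days)):
        history = days[i - window:i]
        reasons = {}
        for m in METRICS:
            z = zscore(getattr(days[i], m), [getattr(h, m) for h in history])
            if abs(z) > threshold:
                reasons[m] = round(z, 1)
        if reasons:
            flagged.append((days[i].day, reasons))
    return flagged

if __name__ == "__main__":
    for day, reasons in flag_anomalies(SAMPLE_DAYS):
        print(day, "anomalous:", reasons)
```

A real deployment would feed the same logic from the backup platform's job reports and alert on the first flagged day rather than waiting for a restore to reveal the damage.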

Ultimately, a strong security posture is your best first line of defence. But a full backup that you are confident will not restore malware, and that can get you up and running at speed, is your best second line if your walls are breached. Make sure the backup copies are really robust and that you're not leaving large windows of time without a backup. Keep your recovery time objective (RTO) as low as possible - under a minute if your system allows. Your IT system is likely to be mission-critical and your data is a core component of that; you don't want to be without it for longer than necessary.

Extortion: to pay or not to pay?

Some ransomware gangs, like Maze, have made a habit of extortion on top of a ransomware attack, and have publicly shamed major brands as a result. But there are cases where an extortion attempt is made without a corresponding ransomware attack.

If you've ever been subjected to a ransomware attack, you know about it. The attackers might change your wallpaper or screensaver, to draw attention to the file they want you to open explaining the terms of the ransom. But it's perfectly possible that a breachstortion gang doesn't have, and never has had, access to your computer, and is relying on your fear and lack of confidence in your own systems.

That lack of confidence may well be heightened right now, because with more and more of us working from home it's a fact of life that cyberattacks are on the rise. In fact, ESG has recently reported that 47 per cent of organisations have seen an increase in cybercrime since mass home-working began.

However tempting it might be, we advise you not to pay ransoms. If someone did access your IT estate and demanded a ransom, there is no guarantee that they're the only one - or that they haven't already passed your details on to someone else. And if you pay the demand and then do nothing beyond changing passwords, there's no guarantee the attackers won't return in a week, a month or a year and demand even more. Proof of a payment to a criminal could also be screenshotted and used as ammunition for further extortion. It's a downward spiral.

The cybercrime opportunity is not going away, and with more of us working from home and under significant stress, cyberattackers are increasingly trying new tactics. My advice is simple: take stock of your security, assess your resilience to attacks, perform data recovery audits, and increase the frequency of your backups to lower your risk of data loss. And finally: don't pay ransoms. Refusing may seem like a dangerous game, but paying opens you up to further demands in the future and fuels more attacks.

Ezat Dayeh is UK&I SE Manager at backup and disaster recovery firm Cohesity