Reports identifying a $75 million ransom payment made in March by a Fortune 50 company raise some questions.

Reports that a Fortune 50 company paid a $75 million ransom to the Dark Angels ransomware group back in March are raising questions about whether CISOs should revisit their ransomware decision processes. The payment, which Zscaler said is almost double the previous top ransom paid, is concerning not solely for the large dollar amount, but for how public these payments have become.

There are many ways these payments can become public — Zscaler confirmed that it knows specifically who made the payment — especially if they are processed via Bitcoin, which is ransomware groups’ favorite payment mechanism. If a ransom is paid via Bitcoin, “there’s a good chance that it will get out,” said Brett Stone-Gross, the senior director for threat intelligence at Zscaler. “There are a large number of ways to potentially identify these companies.” Stone-Gross said the company was identified as making this transaction not solely from the public ledger, but also via other sources that he did not want to disclose.

There are many other mechanisms for paying ransoms, but Bitcoin is the favorite among the ransomware groups. Other cryptocurrencies, such as Monero, are better at keeping identities secret, but they are “kind of a second choice for these ransomware groups,” Stone-Gross said.

Although the identities can absolutely be revealed, as happened with this Fortune 50 company, today’s crypto payments can be exceedingly difficult to track. There are often multiple middle players, and payments are frequently split into many payments of smaller amounts. That said, companies will often reuse Bitcoin wallet addresses, which gives investigators something to track.

Does this change payment decisions?

All this might start to change the nature of discussions about whether it makes sense to make the payment.
Does so public a payment make the paying enterprise a target for every other ransomware group on the planet? Will it pressure companies and their extortionists to move away from public ledgers and find a more secretive means of paying?

“Paying the ransom, especially one of this size, may have the unintended consequence of emboldening cybercriminals to ramp up their activities, now knowing that large-scale payoffs can be attained,” said Jacob Kalvo, CEO at Live Proxies, an IP firm. “This could translate to greater frequency and more complex attacks, since the ransomware groups take an instance of successful extortion as vindication of their actions. It basically boils down to the immediate alleviation from recovery of the data versus the prospect of future vulnerabilities and attacks for organizations.”

Brian Levine, a managing director at Ernst & Young overseeing cybersecurity strategies, agreed, saying that enterprises need to seriously consider their options when it comes to paying ransom today. “If an organization pays a ransom, it should assume that the fact of the payment and payment amount will eventually become public. And ‘eventually’ may come a lot sooner than they think,” Levine said. “The increase in the size of ransomware payments will hopefully incentivize organizations to take greater efforts to avoid having to make such payments.”

He added that he did not “think the possibility of the payment becoming public materially changes the calculation of whether to or not to pay. For the most part, I think organizations are only paying ransom when they feel they have little other choice.”

Other ransomware trends

A Zscaler report on ransomware also noted some other patterns.
“The manufacturing, healthcare, and technology sectors were the top targets of ransomware attacks, while the energy sector experienced a 500% year-over-year spike as critical infrastructure and susceptibility to operational disruptions make it particularly attractive to cybercriminals,” the report said. “The energy sector experienced a 527.27% year-over-year increase in ransomware attacks, likely due to its critical nature and the high ransom potential it offers to attackers.”

The report listed the most prolific ransomware groups today, with the largest being LockBit (988 identified attacks), BlackCat (410), 8Base (352), Play (345), Clop (291), BianLian (268), Akira (224), Black Basta (202), Medusa (169), and NoEscape (126). It also noted what it described as the “newest ransomware groups on the scene”: Cloak, RansomHub, and Slug, which all surfaced this year.