US liquor giant hit by ransomware – what the rest of us can do to help

US hard liquor giant Brown-Forman is the latest high-profile victim of ransomware criminals.

Even if the company’s name doesn’t ring a bell, some of its products are well-known to spirits drinkers world-wide: Brown-Forman is a multi-billion dollar business that owns Jack Daniel’s whiskey, Finlandia vodka and other global brands.

The company is headquartered in Louisville, Kentucky – a US state that’s famous for American whiskey – and you can see why today’s big-money ransomware crooks might go after a company of that size and sort.

According to business media site Bloomberg, which claims to have received an anonymous tip-off from the crooks behind the attacks, the ransomware crooks involved are the infamous REvil or Sodinokibi gang.

The REvil crew make up one of what you might call a “new wave” of ransomware operators who practise three-stage attacks that end in double-barrelled blackmail:

  • First, they break into a victim’s network and scope it out. During this reconnaissance the crooks will typically work their way up to sysadmin level access, map out all the clients and servers on the network, search out where online backups are kept, locate or introduce powerful system administration tools they can use later to assist in the attack, and reconfigure (or turn off) system security settings to give them the broadest reach possible. Sometimes, they’ll even launch mini-attacks with trial samples of malware as a way to probe your defences and to find which attack techniques are most likely to succeed.
  • Second, they exfiltrate – which is a fancy word for steal – as much corporate data as they can get their hands on. In the Brown-Forman attack, in which the attackers claimed to have purloined 1 terabyte of data as part of the attack, Bloomberg says that it received links to a website where the crooks revealed “proof” of the data breach by listing sample files going back more than 10 years.
  • Third, they encrypt as many files on the network as possible, using a scrambling algorithm for which they alone have the key. The crooks typically copy the malware program across the network first, so that when they kick off the encryption process, it runs in parallel on all your devices, thus bringing maximum disruption in minimum time.

How these stages evolved

As you probably know, the first two stages above are fairly recent developments in ransomware criminality.

Back in 2013, when the infamous CryptoLocker gang were the kings of the ransomware scene, it was all about stage 3: scrambling files and then using the decryption key as a blackmail tool: “Send us $300 or your files are gone forever”.

The crooks generally didn’t target networks back then; instead, they went after millions of victims in parallel, with each infected computer ransomed independently.

The criminals “targeted” everyone – from home users who probably didn’t have backups of any sort and might be willing to spend $300 to get their wedding photos or the videos of their children back – to big companies where 100 users might fall for the latest ransomware spam campaign and the business would need to spend 100 × $300 to get the unique decryption key for each now-useless computer.

Stage 1 arrived on the ransomware scene when criminals realised that by going after entire networks one-at-a-time, they could cut their “losses” early in the case of a network that they didn’t have much success with, and focus on networks where they could cause disruption that was both sudden and total.

Instead of pursuing thousands of individual computer users for hundreds of dollars each, the crooks could blackmail a single company at a time for tens of thousands of dollars a time.

Indeed, the early adopters of the “all-at-once” ransomware approach often took the cynical approach of offering two prices: a per-PC decryption fee, and an “all you can eat” buffet price for a master key that would unscramble as many computers as you wanted – almost as if the crooks were doing you a favour.

The crooks behind the SamSam malware – four Iranians have been identified and formally charged by the US, but are unlikely ever to stand trial – even offered a staged payment “service” whereby you could pay half the ransom to receive half of the decryption keys (chosen randomly by the criminals).

If you were lucky, you might just end up with enough computers running again to save your business for just 50% of the usual price…

…but if not, you could pay the rest of the ransom, presumably now with considerable confidence that the crooks would deliver the decryption tools as promised.

You could even take a chance on paying the per-PC fee for your most critical computers – typically $8000 a time – to tide you over, and “top up” later, once you were “confident” in the criminals, to the master-key price, which was typically set by the SamSam crooks just below $50,000.

Whether they chose $50,000 at a guess, or because they found it represented a common accounting department limit in the US below which it was much easier for the IT manager to get the payment approved, we never found out.

As you can imagine, the exposure of the alleged perpetrators by US law enforcement pretty much drove the SamSam crooks out of business, albeit not before they had extorted millions of dollars from victims around the world. Ultimately, though, it didn’t make much of a dent in ransomware attacks in general.

Price inflation

Sadly, the SamSam gang’s fee of $50,000 a network turns out to be small by current standards.

A recent ransomware attack that took US GPS and fitness tracker giant Garmin offline for several days was apparently “resolved” when the company coughed up a multi-million dollar payment, supposedly negotiated downwards from $10,000,000.

That incident attracted controversy because the ransomware involved was alleged to have been the work of a Russian cybercrime outfit known as Evil Corp, and transactions with that group are prohibited by US sanctions imposed in December 2019.

And US travel company CWT is said to have coughed up $4,500,000 recently – again, down from an opening demand of an alleged $10 million for unscrambling what the crooks claimed were 30,000 ransomed computers.

If true, $10,000,000 for 30,000 devices comes out at $333 each, a fascinating full-circle back to the $300 price point of the 2013 CryptoLocker ransomware, which was itself an intriguing echo of the first ever ransomware attack, way back in 1989, where the criminal behind the malware demanded $378. (With no prepaid credit cards, online gift cards or cryptocurrencies to use as a vehicle for pseudoanonymous payments, this early attempt at ransomware, known as the AIDS Information Trojan, was a financial failure. Indeed, it wasn’t until the early 2010s that cyberextortion based on locking up computers or files worked out at all for the cyberunderworld.)

The biggest tactical change

But the biggest tactical change in ransomware is stage 2 above.

By perpetrating data breaches up front, before unleashing the file scrambling component – in Brown-Forman’s case, the breach allegedly includes 1 terabyte; in CWT’s attack, the criminals claimed that 2 terabytes were thieved up front – the crooks now have a double-barrelled weapon of criminal demand.

You’re no longer just being extorted to pay the crooks to do something, namely to send you a set of decryption keys, but also being blackmailed into bribing the crooks not to do something, namely not to go public with your data.

Early ransomware had more in common with kidnapping, though with jobs at stake rather than the victim’s life: the theory was that if you paid up and the crooks released a working decryption tool, you not only got your data back but also quite clearly ended the power that the criminals had over you.

For the crooks to ransom your data again (sadly, this happens), they’d need to break into your network again and essentially start from scratch, assuming that you worked out how they got in before and closed the holes they used last time.

But today’s ransomware is turning into old-school, out-and-out blackmail: the crooks promise to delete the data they already stole, and thereby to “prevent” your ransomware incident turning into a publicly visible data breach, but you have no way of knowing whether they will keep their promise.

Worse still, you have no way of knowing whether the crooks can keep their promise, even if they intend to.

For all you know, the data they took illegally could already have been stolen from them – remember that many of the cybercrime busts written about on Naked Security, including ransomware arrests, happened because of cybersecurity blunders made by the perpetrators that allowed their evil secrets to be probed, uncovered and ultimately proved in a court of law.

Or the criminals themselves may have been victims of “insider crime”, where one of their own decided to go rogue – after all, we’ve also written about crooks getting busted not through operational blunders but through a falling-out among thieves, where one of the gang has ratted out the others or otherwise co-operated with the authorities to save themselves.

What does this new-look ransomware mean?

Technically, or at least from a regulatory point of view, all ransomware attacks are data breaches, even if all they do is scramble your files in place.

After all, if an outsider is able to modify files they weren’t supposed to access at all, that clearly amounts both to unauthorised access (a crime in most jurisdictions) and to unauthorised modification (a yet more serious crime) – and even though this makes you a victim of crime, it also means you’ve failed in at least some way at protecting information you were supposed to protect.

And ransomware crooks who steal your data before scrambling it are really in the pound seats when it comes to blackmail.

Even if you prevent the final stage of the attack, or if you have reliable backups so you don’t need the decryption keys, the crooks are going to squeeze you anyway, by threatening to make a bad thing much worse by deliberately releasing the stolen data.

The good news, in the case of the Brown-Forman attack, is that current reports suggest two important things:

  1. Brown-Forman prevented the file scrambling part (stage 3) of the attack. That’s great news, because it means that the company is unlikely to go offline like Garmin had to, which reduces the impact on the people that do business with the company, including suppliers, creditors, partners, distributors, retailers, and more.
  2. Brown-Forman has supposedly told the criminals to stick their blackmail demands where the sun doesn’t shine. Paying up simply encourages – indeed, it helps to fund – the next attack.

All we can say to that is, “Well done, and thanks for standing firm.”

Grubman Shire Meiselas & Sacks, a law firm that represents numerous high-profile celebrities, recently faced a demand similar to Brown-Forman’s, where the ransomware criminals menaced company founder Allen Grubman in broken English with threats to auction off celebrity data in the cyberunderworld:

We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only — also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery. […] Mr. Grubman, you have a chance to stop that, and you know what to do.

The company famously likened the blackmailers to terrorists and refused to pay up. (The threatened auctions haven’t yet happened – though no one knows whether that’s because the crooks felt they couldn’t trust their own or because the data stolen simply wasn’t up to what the crooks claimed.)

To reward companies that are willing to say, “We won’t pay,” and who help to break the feedback that keeps the ransomware cycle turning, we suggest that you repay them by making sure that if their data does get dumped by crooks…

…that you simply do not look at it.

No matter how useful it might seem; no matter what items you feel are now both “in the public domain” and in the public interest; no matter how much you might argue that companies like Brown-Forman were themselves remiss in the first place for not protecting data that they ought to have; even if you’re “just interested”, please don’t look.

We urge you, “Just say no.”

Brown-Forman’s breach is now a matter of public record and we assume it will be carefully investigated by law enforcement and the relevant regulators, so let’s leave them to it.

As Sophos Cybersecurity Educator Sally Adam put it:

“There is no ‘end justifies the means’ discussion to be had here because this is nothing like the cases of whistleblowers like Edward Snowden or Chelsea Manning, where – no matter what you think of their ultimate actions – an insider identified something they perceived to be wrong. This is purely about extortion.”

What to do?

Clearly, prevention is way better than cure.

It’s important to have protection in place to stop stage 3 above (after all, not all ransomware attacks follow this three-step process, and one-off scrambling attacks are still an ever-present risk).

We’ve got plenty of advice on how to do just that, including our popular report:

But the earlier you block or spot the crooks, the better for everyone, including yourself.

So we recommend you review the following handy resources too, to keep ransomware crooks out right from the very start: