Question: If we can mitigate file encryption ransomware with backup, can we mitigate double extortion by adding advanced PII protection through data encryption or tokenization?
Criminal extortion continuously evolves. Sensitive data exfiltration and threats to expose stolen data have been added to file encryption. The new term is ‘double extortion’ which is used to describe the combination of file encryption and data exfiltration. The purpose of both actions is to extort payment from the victim.
The addition of data exfiltration is the criminal response to improving backup. When encrypted files or systems can be recovered from backup, there is less or no need to pay the ransom. To counter this, ransomware gangs started to steal sensitive data before encrypting the victims’ files. Backup may recover encrypted files, but it cannot recover stolen data – which is then used to blackmail the victim.
The stolen data in double extortion is primarily personally identifiable information (PII). Exposure of this data threatens the victims with possible regulatory fines through failure to protect user information, and certain loss of brand reputation. Most victims choose to pay the ransom.
But if companies can fully protect their PII – through technologies such as encryption or tokenization – could they deal as significant a blow to data extortion as backups have done to file encrypting ransomware?
In short, could the combination of advanced backup with usable PII encryption or tokenization eliminate the threat of double extortion? If the criminals do not get a payout, they will move to some other activity.
This idea is what we shall explore. We have chosen three technology leaders to illustrate the concept: immutable backup, homomorphic encryption and cloud-based vaultless tokenization. They are not the only options.
Note that this discussion applies only to classic double extortion; that is, encryption of IT systems combined with data blackmail. It does not apply if the extortion attack reaches operational technology (OT).
Backup is an important part of any defense against ransomware – but backup is only part of this solution. The ability to restore from backup is just as important. Veeam is one backup specialist that believes it has the solution. The key points to Veeam’s backup and restore are immutability in backup and portability in restore.
“There are two different immutable copies of data that are inherently ready to drive absolute recovery,” said Rick Vanover, Veeam’s senior director of product strategy, “held on two different sites on two different control planes, and two different encryption planes.” The stored backup is encrypted, and consequently safe from hackers and data protection regulators, and there is no persistent connection to the storage, so the backup is safe from attacker interference. Recovery is ensured through a combination of data portability and customer selectable destinations.
If a victim decides to pay a ransom, and the decryption tool either fails or is withheld, then the victim has lost both the ransom fee and its systems. Even when decryption goes to plan, it can be weeks before the files are restored, and the systems released from forensic investigation. If the victim refuses to pay the ransom, he may be faced with rebuilding the entire infrastructure from whatever backup is available. Each one of these scenarios can cause long term damage to a victim’s profitability.
There are many reasons a victim may be unable to trust the infrastructure the backup came from. He could go to his hardware provider for new systems, but this would be costly and could be difficult in some supply chain conditions. “This is where Veeam’s absolute portability comes into play,” explained Vanover. “Veeam can take the backups and restore them to a service provider.”
Technically, there need be hardly a pause in operation between ransomware loss and service provider recovery. An alternative would be recovery to the public cloud. The victim then has the option of staying with the service provider or in the cloud or returning to his previously rebuilt infrastructure in the future.
Scalability is not a problem for Veeam. And since the solution is software defined, the cost is predictable irrespective of the restore location. The biggest remaining issue is the potential loss of data between the last backup and the loss of operations – known as the recovery point objective (RPO). With Veeam, the RPO is user-defined (as is the recovery time objective, or RTO). It becomes an individual company’s risk management decision, but the RPO (that is, the potential irretrievable data) could be as low as minutes.
Companies store customer data for good commercial reasons. Sometimes it is for immediate use in transactions, sometimes for repeat transactions, and sometimes for market analysis. That customer information inevitably contains personally identifiable information (PII); and that PII is regulated by various industry, state and international data protection and privacy regulations – strictly speaking, if stored, it should be stored in encrypted (or tokenized) format.
But traditional encryption suffers from one major weakness: the result bears no relationship in either content or format to the source. Encrypted data cannot be processed – it needs to be decrypted first. The result can be an administrative headache to such an extent that encryption that should be used often simply isn’t. This partly explains why double extortion data exfiltration is so successful in obtaining PII that can be used to blackmail the victim.
There have been two developments in encryption technology over the last few years that attempt to solve this problem: format preserving encryption (FPE, which makes processing encrypted data easier without always requiring decryption), and more recently, homomorphic encryption (which allows processing without decryption).
SecurityWeek talked to Arti Raman, founder and CEO of homomorphic encryption startup Titaniam. “We have learned,” she said, “how to construct search indexes without decryption.”
If you think about double extortion, she continued, “When the bad actors get in, they look around and see where your valuable data is. And then they’ll query a really large database and dump it and exfiltrate it.”
With traditional encryption, an encrypted database will be of no value to the attackers, but will also be of limited value to the defender. But Titaniam’s homomorphic encryption has learned how to search the database without decrypting it – meaning the database itself is never decrypted and there is no data of any value to steal.
“The trick here,” she said, “is that Titaniam must know what the company wants to do with the data in advance, and we construct the index accordingly. The customer may say, this is a text field, and I want to be able to search including fragments of the word, and do things like prefix searches. It’s not magic – it’s knowledge ahead of time of what the database is going to try to do with that field.”
It’s a bit like applying a usage schema on top of the traditional database schema and building an index from that. Only the index has contact with the encrypted database, and the index itself is kept encrypted. Even if an attacker were able to steal both the database and the index, they would only get encrypted and worthless data – they would also need the encryption keys to extract anything. “We insist,” said Raman, “that the keys are kept in an entirely separate key vault – something like Hashicorp Vault, or CyberArk Vault, or Amazon Secrets. We insist they are kept over there, and not with us.”
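The following is an added, constructed illustration of the idea in the two paragraphs above, not Titaniam’s code or method: a keyed blind index (HMAC tags over the prefixes a usage schema says will be queried) lets the data store answer prefix searches while holding only ciphertext and tags, with the keys supplied from outside. The field names, keys and sample rows are assumptions made for the example, and the sealing routine is a stdlib stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import os

MIN_PREFIX = 3  # usage schema: this field supports prefix search from 3 characters
# constructed keys; in practice they live in an external vault, never in the data store
DATA_KEY = b"constructed-data-key-for-sealing"
INDEX_KEY = b"constructed-index-key-for-tags!!"

def index_tag(index_key: bytes, prefix: str) -> str:
    """Keyed, deterministic tag for one normalized prefix (a blind index entry)."""
    return hmac.new(index_key, prefix.lower().encode(), hashlib.sha256).hexdigest()[:32]

def prefix_tags(index_key: bytes, value: str) -> set:
    """Every tag a stored value must carry to answer prefix queries.
    Caveat: tags reveal which rows share a prefix, so real deployments pad or bucket."""
    return {index_tag(index_key, value[:n]) for n in range(MIN_PREFIX, len(value) + 1)}

def _keystream(data_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(data_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(data_key: bytes, value: str) -> bytes:
    """Stand-in for a real AEAD such as AES-GCM (XOR stream only, no authentication tag)."""
    nonce, plain = os.urandom(16), value.encode()
    return nonce + bytes(a ^ b for a, b in zip(plain, _keystream(data_key, nonce, len(plain))))

def unseal(data_key: bytes, blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(data_key, nonce, len(body)))).decode()

def build_store(rows: dict) -> dict:
    """The stored form: ciphertext plus index tags, no cleartext anywhere."""
    return {rid: {"ct": seal(DATA_KEY, v), "tags": prefix_tags(INDEX_KEY, v)}
            for rid, v in rows.items()}

def search_prefix(store: dict, index_key: bytes, query: str) -> list:
    """Answer a prefix query by tag match alone; nothing in the store is decrypted."""
    if len(query) < MIN_PREFIX:
        raise ValueError("query shorter than the indexed minimum prefix")
    tag = index_tag(index_key, query)
    return sorted(rid for rid, rec in store.items() if tag in rec["tags"])

# constructed sample customer records
SAMPLE_ROWS = {1: "Alice Morgan", 2: "Alistair Grey", 3: "Bob Chen"}
STORE = build_store(SAMPLE_ROWS)
```

Without INDEX_KEY an attacker holding the store cannot build a tag to query it, and without DATA_KEY cannot open a record, which is the separation of keys from data the interview describes.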
Tokenization is a powerful form of cryptography. It is a version of the One-Time Pad (OTP), which is the only form of cryptography that is provably secure against any brute-force decryption. This makes it intrinsically future proof against the expected decryption power of upcoming quantum computers.
Historically, tokenization’s primary problem has been cost and latency. Two factors are changing this: the evolution of the cloud, and the development of vaultless tokenization technology.
An advantage it holds over encryption is that there are no encryption keys that need to be managed and rotated – and protected or lost.
There are two basic tokenization methodologies – vaulted and vaultless. Vaulted is the secure storage of a mapping database between the original cleartext and the displayed token. If detokenization is required, the database needs to be queried and the cleartext returned. The vault can be maintained in-house or contracted to a tokenization operator. The larger the mapping database, the greater the latency in lookup. The location of the vault is also a potential target for adversaries.
Vaultless tokenization does not use a look-up table. Instead, it uses an algorithm to convert cleartext to token (and back). With no mapping database, no vault is required, and no additional infrastructure.
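As an added, constructed comparison of the two methodologies just described (not Rixon’s or any vendor’s code), the Python below tokenizes a 16-digit card number field both ways: the vaulted path keeps a mapping table that every detokenization must consult, while the vaultless path derives a per-position, format-preserving substitution from an algorithm and stores nothing. The example assumes the vaultless algorithm is driven by a secret key, and its per-position shuffle is a toy rather than a standardized FPE mode.

```python
import hashlib
import hmac
import random
import secrets

DIGITS = "0123456789"
KEY = b"constructed-secret-for-vaultless-demo"  # assumption: the algorithm is keyed


class Vault:
    """Vaulted: a mapping database between cleartext and a random token.
    Every detokenization is a lookup, so latency grows with the table,
    and the table itself is the high-value target."""

    def __init__(self) -> None:
        self._map: dict = {}

    def tokenize(self, cleartext: str) -> str:
        token = "".join(secrets.choice(DIGITS) for _ in cleartext)
        while token in self._map:  # retry on the rare token collision
            token = "".join(secrets.choice(DIGITS) for _ in cleartext)
        self._map[token] = cleartext
        return token

    def detokenize(self, token: str) -> str:
        return self._map[token]


def _permutation(key: bytes, position: int) -> str:
    """Vaultless: a keyed, per-position shuffle of the digit alphabet.
    Toy construction; production schemes use a standardized FPE mode such as
    NIST FF1, which does not leak per-position equality the way this does."""
    seed = hmac.new(key, position.to_bytes(2, "big"), hashlib.sha256).digest()
    alphabet = list(DIGITS)
    random.Random(seed).shuffle(alphabet)
    return "".join(alphabet)


def vaultless_tokenize(key: bytes, cleartext: str) -> str:
    """A different token for each character; no mapping is stored anywhere."""
    return "".join(_permutation(key, i)[DIGITS.index(c)] for i, c in enumerate(cleartext))


def vaultless_detokenize(key: bytes, token: str) -> str:
    """Reverse by inverting the same per-position permutation."""
    return "".join(DIGITS[_permutation(key, i).index(c)] for i, c in enumerate(token))


PAN = "4111111111111111"  # constructed test card number
```

Both tokens keep the field’s length and character set, so an application expecting a 16-digit string keeps working; the difference is that only the vaulted variant leaves a table behind to protect.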
Rixon offers a ‘zero data’ application of vaultless tokenization. Using Rixon’s tokenization, there is never any data stored on the customer’s systems – in fact, there is never any cleartext stored anywhere. What follows is just one way the technology can be used.
PII is generally collected by service providers or product retailers through forms on a web page. Rixon customers have this data collected by an API and sent to an immutable cloud server containing the tokenization engine. The end-user’s PII does not at this stage touch the provider’s systems.
The tokenization involves a different token for each character. The process is described as similar to choosing a random character from a random number of books in a random number of libraries. It is the meaningless tokens that arrive on the provider’s systems.
However, back at the individual end-user’s web-based input form is a toggle switch that allows or disallows detokenization. If switched to allow, the tokenization engine will detokenize the data to allow for local processing only when it is necessary. This process is entirely controlled by the end user who can allow or disallow processing of his or her PII at any time. Under normal circumstances there is no data with the service provider – there is no PII that can be stolen.
Neither does the tokenization engine store any cleartext data – it merely ‘remembers’ each individual tokenization process so that it can be reversed on a valid demand.
Not every piece of data needs to be tokenized – just enough to make it impossible to determine the user’s identity or credit card number. Tokenization is inherently format-preserving, meaning that existing applications do not need any modification to continue working with the data.
Costs are kept down, and scalability maintained by using the cloud’s compute and storage capabilities. There is no additional infrastructure required. Performance is maintained by having multiple immutable tokenization servers around the world, with each customer using the geographically closest. These servers allow no access by anything other than the customer’s API – which means that no human, whether the customer, Rixon or a hacker can gain entry. If the server detects anything untoward, it burns itself down and resurrects itself in a different location.
“The second part of double extortion,” comments Rixon’s CTO and cofounder, Justin Hatcher, “is the threat of releasing the data if the victim doesn’t pay up. But if they cannot get the data, and the systems are backed up, the victim can ignore this threat because it can continue to do business after the restore, and the criminals have no data to expose. The tokenized data can still be detokenized, for processing, from the restored data.”
Side benefits from this technology include no personal data to audit, automatic compliance with data protection regulations, and a solution to GDPR’s ‘right to be forgotten’ issue.
Paying a ransom should not be an option. It just encourages the criminals. If criminals profit from a crime, they will continue with it. Once a company pays the ransom, that company has a target on its back for further attacks by the same or other gangs: ‘this company will pay’.
While encrypted files can be recovered from backup, stolen PII remains stolen – and there is nothing to guarantee a criminal’s promise to destroy it on payment. They can and likely will return for further extortion payments. This was a lesson learnt by the English more than 1,000 years ago when they paid the Vikings to leave the country. The process was immortalized by Kipling in 1911:
Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away.
And that is called paying the Dane-geld;
But we’ve proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
Double extortion needs to be prevented, not paid. Backup can be used to restore encrypted files. Encryption or tokenization can prevent the theft of PII. Both technologies are already effectively required by most organizations: backup as part of a disaster recovery plan mitigating far more than ransomware; and encryption/tokenization of PII for regulatory compliance.
If these technologies are already required, companies should explore their combined use as part of a layered risk management defense against double extortion.
However, as already noted, this approach will not help if the attacker reaches operational technology (OT). There, backup and restore is altogether more difficult, if not effectively impossible. The primary defense here remains the traditional defense: zero trust segmentation and visibility.