The latest ransomware attacker tactic: Pay us to stay away

You’ve heard of ransomware-as-a-service and ransomware attacks through supply chains. Now there’s a new tactic of gangs: Pay us before the attack starts.

”We’re seeing attackers bold enough to launch ‘pay to stay away’ attacks,” Sumit Bhatia, director of innovation and policy at Ryerson University’s Rogers Cybersecure Catalyst, told a ransomware webinar Wednesday.

“They demonstrate [to an organization] their ability to attack but do not actually do so. Instead they warn the organization to pay them before they launch a full-scale attack. This is usually made against organizations that do not have the resources or expertise to modify or adjust their [IT] systems in time for a future attack.”

Bhatia was one of four experts on the panel, organized by The Globe and Mail. The others were Brad Stocking, associate partner for cloud and infrastructure security at IBM; Suzie Suliman, an associate at the Norton Rose Fulbright law firm; and Randy Walinga, director of IT, teaching and learning services at McMaster University’s DeGroote School of Business.

Coincidentally the webinar was held the same day the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partners in Australia and the U.K. issued an alert because of an increase in “sophisticated, high impact ransomware incidents against critical infrastructure” around the world (see below).

Suliman pointed out what most organizations know: Ransomware encrypts data, which causes operational disruption and raises the possibility of serious business interruptions and financial loss – and legal and regulatory obligations. Partners and customers know ransomware attacks happen, she said. As a result, “you’re not going to be judged on the fact that you had a ransomware attack most of the time. You will be judged on how you manage and respond to the incident.”

To prepare for a ransomware attack, an organization first has to understand its key lines of business, said Stocking, including how a breach could affect customers. Only then can the firm start discussing the potential protections it could put in place.

The goal, he said, is to not shut the company down after it realizes it’s been hit but to keep as much of the business running as possible.

“If you’re able to understand what is key to your business success, then turn it around and think about the motivation of attackers and how you would protect against a motivated attacker,” he said. “Then you can think about how you’d put a defence in place, and create an incident response plan.”

Small businesses shouldn’t think they won’t be targeted, Stocking added. In fact, he said, attackers may go after the small businesses who are partners of larger firms they hit, either because they may hold valuable customer data or intellectual property.

Small firms can have good cybersecurity, he added, if they focus on the basics. Attackers go after easily exploitable vulnerabilities, including misconfigured systems. “Just doing the fundamentals – a solid [application] patch program, knowing the assets you have, knowing where you will be targeted, employing vendors to support you where they can – you’ll be much further ahead of the game than a lot of companies who go to advanced technology and ignore the fundamentals.”

Walinga emphasized the importance of having a good data backup strategy to blunt ransomware attacks. Awareness training needs to cover everyone in the firm, including executives, he added. Training has to be continuous, with positive feedback for staff who ask, ‘Is this a lure?’

US/UK/Australia ransomware alert

In the US/UK/Australia ransomware alert, the agencies noted that last year they saw attacks against major critical infrastructure sectors including defence, food, government, IT, healthcare, financial services, energy and higher education.

“If the ransomware criminal business model continues to yield financial returns for ransomware actors,” the report predicts, “ransomware incidents will become more frequent.”

The alert outlines behaviours and trends of attackers, as well as recommended mitigations.

Those mitigations include:

  • patching operating systems and corporate applications;
  • securing and monitoring remote access services used by employees and partners;
  • requiring multifactor authentication for as many services as possible;
  • requiring the use of strong passwords, especially service, admin and domain admin accounts;
  • using Linux security modules on systems running that OS;
  • segmenting networks;
  • using end-to-end encryption on online communications;
  • ensuring all backup data is encrypted;
  • and more.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now