Ransomware gangs are doing their homework before encrypting corporate data

"They’re snooping around” for balance sheets and other financial data, a DHS official says.

The lengthy amount of time that criminal hackers are sitting undetected on the networks of U.S. businesses is giving them powerful leverage to extort their victims, according to a Department of Homeland Security cybersecurity official.

Going unnoticed on corporate networks allows ransomware gangs to size up their victims and funnel out data before ransom negotiations even begin, said Matt Travis, deputy director of DHS’s Cybersecurity and Infrastructure Security Agency.

“They’re not just going into networks and seizing data,” Travis said Wednesday at IBM’s Think Gov Digital event, produced by FedScoop. “They’re snooping around” for balance sheets and other financial data to “gain intelligence on how much of a ransom they think they can get.”

In the last three months, the criminal hackers behind the Maze ransomware have attacked two big IT service providers, one of which is a Fortune 500 company. Other ransomware gangs have hit big corporate targets, and in so doing are first locking computer systems and then publicly shaming companies that don’t pay up by dumping their data.


For corporations that do pay the ransom, the pain sometimes isn’t over. There is no guarantee that the decryption key handed over by the attacker works, said Wendi Whitmore, global lead at IBM Security X-Force.

“There’s often this common misconception with ransomware that your decision is either you pay the ransom or you deal with the event,” Whitmore added. In reality, paying the ransom might be “just the beginning of the recovery process.”

Travis said the scourge of ransomware was “frustrating” because a lot of the attacks are preventable, but small businesses and state and local agencies often lack the resources to protect themselves. Those organizations may be up against the same reconnaissance techniques the ransomware gangs apply to multibillion-dollar corporations with big cybersecurity teams.

Ahead of the 2020 election, Travis’s agency has been training state and local officials in defending against ransomware, with an emphasis on protecting voter registration databases.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts