The Power of Fully Homomorphic Encryption in the Fight Against Ransomware

Full disclosure: I am a part-time advisor to, and (unfortunately small scale) investor in, Vaultree. CyAN is a non-commercial, nonprofit entity and in no way endorses or evaluates any of the commercial firms that our members work with, nor gives any preferential treatment to any such organisations. I’ve removed any commercial blurbs from the text below.

This is a repost of an guest blog entry I recently wrote for Vaultree, a provider of fully homomorphic encryption (FHE) solutions. Homomorphic encryption is essentially a way to manipulate or analyse information without decrypting it. Fully homomorphic encryption takes this a step further by expanding the protection of inputs into a cryptosystem, as well as who can operate on encrypted data without exposing it in cleartext.

A great number of especially smaller firms do not understand either the value of some of their information assets, nor potential points where it is vulnerable to attack and theft – whether in storage, in transit, or during processing. Even when they do, classic encryption solutions are often clumsy, slow, or otherwise subject to a wider range of technical and operational weaknesses. Meanwhile, there is a lot of noise in the FHE market, but unfortunately not nearly enough concrete use cases.

I wrote the piece in response to what I saw as an often-overlooked aspect of deploying FHE in environments with critically confidential data – that of protecting it from the very concrete threat of theft and publication. In a recent conversation on the CyAN Secure-in-Mind series, we discussed a ransomware gang notorious for its threats to release sensitive data exfiltrated from its victims – it doesn’t matter whether this level of sensitivity is due to regulatory requirements, customer or market perceptions, commercial secrecy of intellectual property, or even national defence considerations. Thus, anything that can help customers avoid exposing data in as much as possible of its lifecycle, and can do so easily, will be a major step in the right direction.

Ransomware is one of the most widespread and damaging cyber threats facing institutions today.  Prominently featured in most top 10 lists of significant threats, ransomware incidents have seen significant growth in 2023. Factors contributing to this rise include the ease of access to ransomware tools, over-stressed and under-resourced security teams, and a high return on investment for attackers.

Historically, ransomware focused “merely” on encrypting data, extorting money from victims in return for decryption keys that supposedly allow them to recover their information. Often, this comes with a threat of permanently destroying the key if payment is not made within a certain time. Other times, the decryption keys do not work or never existed, resulting in permanent loss of information. This lost data ranges from precious family photos to business-critical assets.  Alongside good cybersecurity hygiene and employee awareness, safe backups are one of the best ways to prevent data loss from such ransomware.

In recent years, ransomware actors have expanded their techniques to include double, triple, and quadruple extortion.

Double Extortion

In double extortion, information is not only encrypted; cybercriminals first steal sensitive files and threaten to publish them if not paid. Furthermore, groups like Snatch embarrass victim companies by acknowledging and sarcastically “thanking” employees who inadvertently granted network access by clicking on malicious links or opening malware attachments. 

Triple Extortion

Triple extortion introduces the element of using stolen data to call out and embarrass third parties, such as customers, suppliers, employees, or other stakeholders. For example, a criminal may threaten to leak private medical or HR files, potentially violating the privacy of a patient or employee, or to publish secret weapons research data with national security implications.

Quadruple Extortion

Quadruple extortion involves using stolen data to actively attack third parties, their networks and data. Attackers might use stolen API documentation and third-party risk management questionnaires, among other confidential materials, to gain entrance into their systems and continue the chain of ransomware attacks.

In an additional novel twist, in November 2023, the ALPHV/BlackCat gang filed a complaint with a US financial regulator over a victim’s failure to report a data breach. This well-publicized incident illustrates the evolving nature of ransomware threats, opening up the possibility of ever more diverse, frustrating and expensive problems for victims who do not pay. While it is unlikely that a regulator would punish a firm that has suffered exposure of medical, financial, military, or other sensitive data if it can prove adherence to good cybersecurity practices, managing the legal and public relations fallout from such a leak is an unnecessary complication for any company.

Fully homomorphic encryption (FHE) can protect against ransomware in two main ways:

  1. Against classic ransomware: By encrypting data at rest and in use, and even during processing, FHE makes it impossible for cybercriminals to identify information of particular value that they can threaten to lock away or destroy.
  2. Against double/triple/quadruple extortion: Encrypted data cannot be leaked, nor can it be misused to attack or otherwise disadvantage third parties. This means that victims do not suffer negative consequences from a data leak when there is no data to leak.

In conclusion, being able to work with valuable, sensitive information without exposing it to malware, either at rest, in transit, and even during processing, is akin to owning a very good safe. Even if bad actors can steal the safe, they cannot access the valuable contents inside, thus protecting you from blackmail. Fully Homomorphic Encryption stands as a crucial technological advancement in the industry and the fight against the evolving threat of ransomware.