In the wake of COVID-19, ransomware attacks have exposed how increasingly vulnerable organizations are regardless of size, maturity, industry, or geography. The use of malicious software to encrypt and/or exfiltrate a target’s data, and then demand payment under the threat of sharing it publicly or making it permanently inaccessible, went up by almost 150% in March of last year, and more than 700 organizations experienced a ransomware attack in Q2 of 2021 alone.
There have been several headline-dominating attacks that not only impacted the target organization, but the physical security of people and critical U.S. infrastructure. Most notably was the May 2021 cyberattack on the largest pipeline system for refined oil products in the U.S. which led to swift federal emergency legislation to keep fuel supply lines open and curb mass panic buying.
That said, all is not lost. While most enterprise risks cannot be avoided, they can be more effectively mitigated with real-time, actionable information.
From prevention to detection, here’s what you need to know.
HOW DID WE GET HERE?
The first known ransomware incident occurred in 1989. It was executed offline via a floppy disk, years before widespread adoption of the Internet. The cost: $567. Today, the average ransomware payout is almost triple what it was last year, with organizations shelling out about $850,000, but the cost to an organization that’s been hit exceeds whatever it pays out—in reputation, rebuilding operations, assets, and trust.
The inception of Bitcoin and the emergence of other cryptocurrencies—that, by design, allow for sending and accepting payments without any government or financial institution interference—has fueled the rapid growth of this new decade’s ransomware attacks. Hackers almost exclusively demand payment in cryptocurrency due to the complexities involved in tracking these payments across borders and wallets.
Governing bodies in various countries have attempted to reel in unattributable cryptocurrency trading with things like KYC (know-your-customer) regulations, but the very nature of a decentralized currency makes these rules difficult to enforce. Since it seems unlikely that governments will ban the use of cryptocurrency altogether, it would appear that cryptocurrency’s role in enabling ransomware attacks is here to stay.
Additionally, attacks are not meted out by a lone, grudgeful black hat. They are highly orchestrated by groups with structured and adaptive business models, such as the now common Ransomware-as-a-Service (RaaS). As with Software-as-a-Service (SaaS), RaaS offers attackers the ability to leverage and scale proven tools.
This has opened the door for new players and increased the level of risk that business leaders must address. These RaaS customers are lured by the many “PR-styled” pages on the dark web which list the victims, share data samples to prove the validity of attacks, and serve as dumping grounds for stolen data from ransomed organizations that elected not to pay.
Ultimately, most organizations pay the ransom despite that strategy coming under increasing scrutiny as many experts argue that payments will only incentivize cybercriminals and fund future attacks.
WHAT ARE GOVERNMENTS DOING ABOUT IT?
Amid claims that companies hit by cybercriminals bear some responsibility for the attacks, there are growing calls across the globe for cybersecurity mandates and legislation. That said, governments are also prime targets for ransomware attacks.
In June, the Ransomware Payments Bill 2021—the Australian legislation that requires organizations to flag planned ransomware payments to cyber criminals to the Australian Cyber Security Centre (ACSC)—was introduced in Australia’s House of Representatives. In May, the U.S. Treasury Department announced its new requirement of any transfer worth $10,000 or more to be reported to the IRS. Additionally, the White House continues to push business leaders to assess their cyber-physical security posture, enhance their defenses against ransomware attacks, and ensure effective recovery plans.
Forward-thinking organizations have already gone down the path of integrating their cyber and physical security operations, greatly improving their ability to proactively identify and mitigate converged threats.
But, what else?
WHAT BUSINESS LEADERS NEED TO CONSIDER
Business targets face either paying ransoms and potentially fueling future attacks or dealing with fallout from data loss, especially if recovery plans are ineffective.
Before you find yourself at this point, measure your defenses, fill in the gaps, and equip your cyber-physical security teams with effective ransomware detection and prevention solutions. It’s crucial that these solutions benefit from a wide range of public data sources including, for example, the surface, deep and dark web as well as cyber threat intelligence feeds, global social media platforms, news sites, and IoT sensors. In turn, this will provide organizations with contextual awareness and serve as an effective early warning system. Additionally, solutions that ensure optimal communications and access to real-time, actionable information across the cyber-physical security and leadership operations teams will pay dividends in reducing the likelihood and harm of a ransomware attack.
As cyber-physical threats continue to evolve and diversify, no organization is immune to an attack. The best path forward is to increase your leadership and security organization’s awareness of and ability to address threats as they surface.
Enterprises that benefit from the earliest possible warnings of cyber-physical threats and vulnerabilities can, at a minimum, promptly position risk response plans designed to protect their organizations, external stakeholders, and bottom lines. It is key to invest in technology that reduces the noise so that critical threats can be actioned more swiftly, while also democratizing that information to ensure highly coordinated responses.
While ransomware isn’t going away, there are a series of business process improvements and technical solutions that enterprises can implement to effectively mitigate the risk of an attack and protect their valuable assets.
Dan Carmichael is the chief information security officer at Dataminr