Ransomware has captured corporate and media attention at a rapidly increasing pace over the past year. Ransomware attacks are nothing new. The last high point of attention on the subject was in 2017, when the infamous WannaCry worm devastated companies worldwide. WannaCry, however, was an indiscriminate campaign that demanded a few hundred dollars worth of Bitcoin from whichever machines it happened to infect. In contrast, ransomware has recently shifted towards high-value targets selected by well-funded threat actors who aim to extort up to millions of dollars from each victim.
Another shift in ransomware attacks is a surge over the past year in attacks against operational technology (OT). For many of the affected companies, the rapid convergence of IT and OT environments has exposed both a technology gap and a skills gap that they must close quickly to protect themselves from an ever-larger threat landscape.
In dealing with this persistent threat, governments must move beyond training and resourcing organizations and actively disrupt the criminal activity and the economic drivers that allow this threat vector to grow. For a private organization, the focus should instead be on reducing its attack surface and laying the right foundations for a comprehensive security program.
Because of coordinated global government action, it can be argued that ransomware is at its peak now and that the threat may begin to decline. The rise of cryptocurrency ushered in the current era of ransomware, but the good news is that blockchain transactions leave something like a digital paper trail, and law enforcement is becoming more and more effective at tracing ransom payments. As pressure rises around the world to regulate cryptocurrency, anything that limits the anonymity of transactions will make criminal activity more difficult. Unfortunately, when criminal activity is backed by nation states, there is little any individual organization can do about it, and it must be the role of an international coalition of governments to address it.
In addition to following the ransom payment trail, we have seen a tremendous shift in government focus towards directly addressing the underlying problem of poorly secured critical infrastructure. From executive orders to requests for information (RFIs) from federal agencies such as the Department of Energy, securing our critical infrastructure has never been a higher priority. Guidance and advice are an easy way to help organizations, but strengthened government regulations and mandates are often what it takes to motivate the level of investment required in highly regulated industries to bring security programs up to a level sufficient to protect them from these attacks.
A pressing matter for discussion is whether the government can or should make ransom payments illegal. If organizations cannot or will not pay the ransom, the economic driver behind these attacks simply ceases to exist. In many cases, ransom payments are partially covered by cyber insurance. Even though cyber insurance providers would prefer not to pay ransoms, they operate in a competitive market in which any individual insurer would put itself at a disadvantage by refusing to cover these payments. Again, it falls to government action to change the market dynamics.
No payment, no point … or not?
With limited or no economic payoff, ransomware will lose its appeal as an attack vector. This raises the obvious question: what comes next? Without a ransom, criminals will be looking for alternative ways to monetize their intrusions. A shift of focus back to selling companies' private data and intellectual property on dark web marketplaces could produce a significant increase in data theft. Companies holding the most valuable and most easily monetized data will become the bigger targets once ransom payments are successfully cut off.
For companies trying to protect themselves against future attacks, the answer is less demanding than you might think. Exploiting misconfigurations and known security gaps, and working methodically from an initial foothold gained through phishing or malware towards sensitive systems, will remain the hallmark of most of these attacks, regardless of how, or even whether, the breach is eventually monetized.
Focusing on basic security controls and executing them properly is the best way to secure your systems against attack. That means knowing what is in your environment, making sure everything is configured correctly, fixing vulnerabilities, restricting administrative access, and having a plan for responding to incidents. Ransomware is in the spotlight now and may never go away entirely, but credit card theft and hacktivism have held the spotlight before, and something new will hold it in the future. Let's keep pressure on governments to do their part, and focus on what we can do within our own organizations to do ours.