Ransomware attacks are skyrocketing – in number, cost, and severity. This variety of malware cost its victims an estimated $20 billion in 2020, when the coronavirus pandemic sent millions of workers home to log into corporate and government networks – which they did mostly on porous home networks, massively expanding the attack surface. This is causing devastation of organizations that mistakenly believed that they had the matter in hand.
Many corporate leaders are now aggressively tackling the ransomware learning curve. They are empowering their security professionals who recognize the ballooning size, frequency and cost of those attacks. As they do so, they are gaining new appreciation for the perseverance of the attackers, the vulnerabilities of their own cybersecurity measures and the true cost of recovering from an attack.
Digital Journal caught up with Sally Eaves is a senior policy advisor for Cyber Studies and Research, an independent, non-profit and non-partisan think tank that engages with global cybersecurity experts; and with Mat Newfield is Chief Security and Infrastructure Officer for Blue Bell-based Unisys Corporation.
Digital Journal: Do companies need to better understand that ransomware is a ‘Big Business’?
Sally Eaves: The fastest growing of all malware, ransomware is increasingly lucrative, difficult to prosecute and easy to do. In fact, cybercriminals now provide hackers with ransomware as a service to make it simple for even people with basic technical skills to launch attacks.
Mat Newfield: Ransomware attackers choose their targets strategically. That includes medical facilities where lives hang in the balance and can thus be pressured to pay for faster recovery. Managed service providers that are hyperconnected to huge client organizations with vast stores of valuable data are another favorite target of ransomware attackers. Government agencies are also appealing because they often have old, penetrable systems and minimal IT staff. Attackers also see financial institutions as a treasure trove in light of their valuable assets and the bank account, Social Security, and routing numbers they keep. But no sector is immune.
Attackers operate efficiently, deploying software after normal business hours and on weekends, when staff is shorthanded and possibly less vigilant. Ransomware attackers have increased their average “dwell time” – the amount of time between the intrusion and the deployment of the ransomware – to roam the network undetected, corrupting additional devices and discovering and perhaps exfiltrating data. And they have reduced their “break time” – the time between the intrusion and when they can move laterally across the network.
DJ: Would you advise to look beyond perimeter security?
Eaves: Executives tend to have confidence in their protection against ransomware because of their past investments in cybersecurity. For years, they have spent heavily hardening the perimeter in an effort to keep the wrong people out of their networks and away from their data.
That is no longer sufficient. After all, 34 percent of data breaches involved internal actors. Almost two-thirds (65 percent) of U.S. organizations “experienced a successful phishing attack in 2019, where an employee or other insider was duped into providing credentials. The pandemic added a new category of phishing targets – unwary work-from-home employees sharing their network with corporate devices. This is problematic, especially considering the cost of a successful phish – which reached billions of dollars even in 2018.
Newfield: Hardened perimeters must be augmented by crucial measures that limit damage in the not-unlikely event of an intrusion. For example, you can:
Cloak your endpoints on premises and in the cloud to make your assets undiscoverable by malicious actors. This will hide those assets from hackers, who scan the cybersphere incessantly seeking vulnerable targets.
Leverage end-to-end encryption as data moves through your network. This ensures the integrity and confidentiality of data and reduces the attack surface.
Quickly detect malicious actors that gain entrance to your network, and take fast action to corral them before ransomware is planted and compromises more endpoints. Micro-perimeters can isolate critical workloads of data, protect them when they are in motion, and prevent intruders from moving laterally if they penetrate your outer perimeter.
DJ: What are the costs and risks associated with a cyberattack?
Eaves: Ransomware attacks can bring your systems down, upset your customers, hurt your reputation, open you to the risk of a data leak and put you in the position of having to decide whether or not to pay the ransom — a harrowing decision for most organizations.
Sometimes the pressure to pay is immense, yet most experts discourage organizations from paying ransoms. Paying the ransom only emboldens the criminals, making organizations more vulnerable to them. Your attacker may associated with terrorist organizations, in which case paying the ransom, the U.S. Treasury has warned, could subject you to a fine. Finally, there is no guarantee that paying the ransom will give you access to your data.
Newfield: Even if you do pay, your IT team may not be able to simply reimage your devices. With newer ransomware, malware may remain at the hardware level, along with its ability to corrupt again. This means you will need to have additional servers and hardware available.
What if you don’t pay? Do you have the backup files and the resources to perform a painstaking and time-consuming recovery? Do you have a way of acquiring the servers, laptops, tablets and other endpoints to enable your workforce to get back online quickly?
Are your security team, incident response team and security vendors up to the ongoing challenge of making your network more resilient before the next attack? Will you lose customers who no longer have confidence in your ability to protect their information? Will your brand in the marketplace suffer from the undesirable publicity that these major attacks attract?
These are the terrible uncertainties and costs organizations like yours face as ransomware rages around the cybersphere. As you deliberate on the best strategy and tactics for defending your organization from ransomware, understand that the total cost of recovering from such an attack more than outweighs the cost of being prepared to defend against it.