You’ve Been Warned Big Business. Ransomware is Coming for You!
Ransomware is growing and adapting faster than you think. Big businesses, you are not as secure as you think. The delta between perception and reality will be a costly lesson for organizations, impactful for customers, and a financial windfall for criminals.
My message to CISO’s, CSO’s, CEO’s and board members:
It will get far worse and Ransomware is just one aspect. Act now in a strategic way where security becomes effective and affordable in a sustainable way. Proper cybersecurity is now the cost of doing business in the digital world.
The latest variants such as WannaCry and more recently Petya are just stepping stones on a long journey ahead. Ransomware was originally focused largely on consumers, but took the jump and expanded to businesses well over a year ago. It will never step back. The reason is simple: money. Businesses are heavily reliant on data, connectivity, and digital assets. They also have the financial resources to pay very large ransoms. Recently a company paid $1 million to ransomware cybercriminals.
Consumers were originally targeted as they were easier to victimize. Ransomware code was rudimentary and sufficient to dumbfound most non-savvy consumers. Ransom demands started in the low hundreds of dollars, usually paid via gift cards or Bitcoin cryptocurrency. Businesses were a tier higher and most employed basic anti-malware and network filters sufficient to be a barrier to immature attack code.
In the past year, the economics and scale have changed. As ransomware code became more professional and authors more responsive to incorporate new vulnerabilities, businesses were well within reach of these tools. Ransomware adapted beyond just encrypting documents and photos. Entire databases, webpages, backup files, and intellectual property could be held for ransom. The financial demands began climbing for consumers, with the price to recover files exceeding over a thousand dollars in some instances. But the revelation for professional crews was that businesses have the really deep pockets and they too would pay if the right data was held.
Logic tells the story. Why infect grandma and hold her family pictures hostage for a few hundred dollars, when you can target a company and score tens of thousands or even a million dollars?
Criminals are extremely predictable in one way, they are greedy. Applying the Greed Principle, which basically states if a thief can steal $10 from you today, they will attempt to steal $15 from you tomorrow. Businesses are now squarely in the danger zone and savvy criminals will pursue these targets with relentless feroicity, even competing with each other to score the best targets. Not that they have to compete anytime soon. It is a target rich environment right now. They even have the luxury in helping each other by sharing code, victim lists, best-known-methods, providing mentorship, and selling vulnerabilities.
Businesses simply have no idea what they are up against and ransomware is just part of the problem.
Crying Wolf
Security professionals have been ringing this warning bell for close to three years. Some actions have been taken, but largely it is an apathetic race to find the minimum acceptable commitment that satisfies regulations and executives, without consideration of how the threat will maneuver and evolve.
Ironically, the security industry is also to blame. Many times, it is the security vendors who fuel the flames of fear to drive sales. Often I see small companies trying to break into a market or sell a niche product, use this tactic. I think the worst offenders are the research-for-hire companies that will always generate reports to the benefits of those who they are contracted with, that are creative with statistics and surveys to propagate obscure risks or overestimate impacts.
Promoting Fear, Uncertainty and Doubt
Fear only sells to the fearful. The well informed don’t need to be sold, rather they are actively pursuing the best capabilities to manage the complex risks they face. I am no salesman, just a strategist who knows the opposing forces and the battleground. When I say ransomware is a serious risk, I have no secret agenda. I believe we must collaborate to share information and insights. As a community, we are stronger when we all work together. My blogs and topics are neither a threat nor an attempt at fear mongering. It is a reaffirmation that common sense and good advice is out there, to help organizations optimize their security posture to achieve the right balance of spending, risk management, and usability. We are all on the same side, trying to protect the digital world that encompasses security, privacy, and now intersecting with our physical safety.
Two Camps of Failure
Many, if not most, businesses have invested some resources and attention to cybersecurity. Many times it is to satiate regulations or put up a façade of basic controls to be considered on par with their peers. The real test is not what you spend, but how effective it will be against future attacks.
Far too often we prepare for past battles. The Maginot Line bankrupted France after WWI. It was a defensive monolith that protected the eastern front of France from aggressors. Formidable against tactics seen in the Great War, it became laughable as WWII started and Axis powers easily bypassed it to take Paris. It is not about how defenses fare against old tactics that matters. France was vulnerable behind the greatest fortifications ever built, but didn’t know it until it was too late.
Cyber threat are rapidly evolving tactics and capabilities. They are at the forefront of using new technology to their advantage in almost all cases. The modern equivalent of vulnerable businesses falls into two basic camps.
First, there are those hiding. They have largely ignored the warnings and have not taken cyber risks seriously. They know their defenses are not strong, hope every day that they are not attacked. Although they may have basic defenses, they would not repel a directed attack against any type of persistent threat. Hope is their strategy. These are the executives who worry at night that their systems, products, and services might be brought to their knees at any moment. They too are the ones who quietly plan their exit strategy if the situation quickly goes south, as many executives have been losing their jobs after successful attacks.
The second group, is in a better place, but overconfidence and complacency will be their undoing. Over the years they have invested in technology and staff to put a number of controls in place. They have a few crown jewels they rely upon, and seem confident. They have basic metrics and pretty charts to show boards, partners, and staff. They feel good. So much so, they may even be looking to scale back. These are the ones who will be truly surprised when they are compromised. Their defenses seemed strong in the past, which led them to coast and be lackadaisical. Vigilance against intelligent opponents is not about remaining static, but rather maintaining an understanding of what the enemy can and will do in the future.
The end result for both of these camps is the same. They will be compromised in a significant way and have difficulty coping with the aftermath. It is just a matter of time.
What Enterprises Need
Businesses must apply best known practices, which are constantly evolving, to maintain a strong cyber defense capability. Here are the 5 recommendations I have for large organizations (small ones too if they deem relevant).
- Look Ahead. In most complex direct attacks, the organization did not see the attack coming because they weren’t looking. Sun Tsu professed to know your Enemy, Yourself, and the Battlefield. Great lessons. Gain forward insights to those who are likely to attack you, their preferred methods, and how early indicators of an attack will appear. Be in tune with your critical assets, networks, users, and data. You have home-field advantage, so use it. Lastly, know your systems and their vulnerabilities. Those armed with knowledge of what is coming and how it will affect them, will have an advantage.
- Leverage Technology. Strong technical security solutions enable vital elements of system protection at speed and scale. Leverage the best technology for your organization and market. At the very minimum tools to protect network connections, email and web gateways, data at rest, authentication, client end-points, and server/cloud environments is needed as a foundation. Depending upon your business and the class of attackers you face, it is likely you will need to supplement with other solutions as well.
- Behavioral Controls. For anyone who has heard me speak at a security conference, I always make a point of talking about what is invariably the weakest point in any system: the people. I would rather have a well-informed, motivated and security savvy workforce instead of a stack of firewalls. Persistent and reinforced behavioral controls is crucial to not only prevent compromises but also detect and respond to them. People are the greatest variable and they can be the biggest weakness or the most important security asset. Start with clear policies, training, and support originating from the C-suite to make effective changes. If employees can’t describe the security expectations of their CEO, then you have a problem.
- Processes are Required. Solid business processes for strategic planning and operational capabilities is the glue that pulls and binds everything together. The overall design and operation of a top-tier security organization revolves around an interlinked and repeating process of Prediction, Prevention, Detection, and Response to threats.
Such processes continually make the organization more effective, resilient, and reinforce adaptation to the threats to align with desirable risk goals. Proper processes make security sustainable, even in a chaotic world. - Executive Teamwork. Security is a team sport and cannot be achieved alone, even with a star player. Collaboration across the executive table (CIO, CTO, CEO, CFO, Legal, CHRO, etc.) gains in importance every day. All management branches are key to business therefore are valuable. As such, keeping the confidentiality, availability, and integrity of that value is also important to the organization and stockholders.
This roundtable must achieve 3 goals. First, be savvy with regards to the threats their group faces, the likelihood of being attacked, and the impacts of those incursions. Second, understand they must play an active role in defining acceptable risk and then being responsible for it. Third, through collaboration they must realize they can positively improve the defensive position and trust of the entire company.
A Chief Human Resources Officer (CHRO) for example must protect the confidentiality of their records, but can also play a pivotal role in vetting new hires, training security standards, promoting good practices, and enforcing security policy to all employees and contractors. This has an amplified affect across the entire organization. Each C-level office has similarly unique opportunities to contribute to a more secure business.
Maneuvering strategically to permanently incorporate security into the fabric of a business is required in the future digital age. It takes planning, technology, good behaviors, process, and teamwork. Failure will be painful and likely public, facing greater scrutiny as expectations from regulators, customers, and partners continue to rise.
Take Action
Apathy is the killer of success. Regardless of your confidence, you are already behind, and attackers are outpacing defenses even as we speak. Advances in technology continue to be exploited by attackers before defenders. Time is on their side.
For those responsible for the success of their organization, division, or group, action must be taken. Complacency, hope, and ignorance are no longer viable paths. Find the courage to identify the best path forward to actively manage your cyber risks and achieve the optimal balance of security moving forward.
Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.
The problem is that I can see it coming, and like you I've blogged about it, and yet I feel there is nothing either of us can do to stop it. The attacks have a dramatic lead on technology in this area and the fact is Randomware is becoming decentralized, autonomous, and I'm not entirely certain that governments aren't behind some of this.
How do we stop it? I'm in communication with other information security professionals. Perhaps more accurate would be, how do we reduce the impact of it for our businesses and for the customer? Even if businesses spend more on cybersecurity and hire me for dealing with this, I am not aware of a best practice for dealing with future threats based on the projected evolution of a current threat.
So true! It can be disheartening and frustrating, seeing the iceberg coming but nobody is listening. I think the key point for any one of us is to continue trying to raise awareness. Collectively, our voices should get more attention. We just cannot give up. This is partly why I blog. It is a catharsis for the frustration. :)
When I am on the speaking circuit, I am passionate in these kinds of messages. I am not trying to fuel unwarranted fear, but rather working to educate audiences to understand how the dominoes are setup and how they will fall. If they get a glimpse of the future, they are open to doing something to avoid risks or take advantage of opportunities.
does it take special software to be able to defend against ransom ware or could anybody defend just with a regular PC?
Ransomware is more of the outcome of a piece of malware. It encrypts your files and demands a ransom for you to decrypt them (so you can use them again). There are many methods that malware can infect a system, like trojans, malicious email attachments, bad websites, etc.
To defend yourself, at a minimum have a quality anti-malware software installed, make sure your OS and applications are patched, use a firewall filter, make off-line backups of critical files, and simply apply common sense (with a bit of paranoia) when clicking, installing, and surfing the Internet. That would be a good start.
Seems like a cyber war to me.
As threats continue to mount, how can businesses ignore what is coming? Seriously, the Petya and WannaCry malware impacted large organizations and important public services (like hospitals). Cybercriminals are becoming very bold. I see no end in sight to this trend.
It's the automation threat that I fear most. It's not impossible to imagine that some computer genius or perhaps a state sponsored entity could create a completely autonomous Ransomware threat. Even if all the money gathered were given away to random people in a lottery it would be just as threatening to businesses.
So it's not so much that the focus has to be on "cybercriminals" in the traditional sense because the criminal could be the AI itself and the writers of the software could be anonymous or worse could be an intelligence agency deliberately creating an unstoppable weapon.
Governments are going to continue funding these unstoppable weapons and if there is a leak then those techniques can be used for any purpose by any entity. While decentralization is great in some ways, it also introduces risk in other ways. It makes attribution nearly impossible, and automation removes the human element. The humans might only exist on the edges and the profit from Ransom networks might be funneled into legitimate areas in entirely automated fashion as well, and how would we stop that?
Yes, AI is coming to the world of cybersecurity. We are already seeing it being used on both sides to a limited extent. It is what we will all be talking about in the next few years. It holds unimaginable risks and opportunities!
Attribution has and will always be a problem, unless you are meeting someone you know face-to-face. It is especially difficult when trading bits/bytes over networks never designed for security (everything has been bolted on to the Internet). But that does not mean all is lost. This is chess game. There are limitations and each side can maneuver. Don't discount what will be possible in the future. I don't ever expect a total 'win' by either side, but the game will get more intense and there are so many surprises ahead. It will be a bumpy and exciting ride!
Business learn when it hits their bottom line or customers shift to competitors. It is coming. People's expectations around security, privacy, and safety are evolving and becoming less tolerant of insecure service and product providers. Change is in the wind. Those businesses who adapt early will have an advantage.
Adapting is going to be very hard because the rate of change is increasing beyond where the human brain can keep up. Yes we can use simulations, we can model, but the defense is centralized while the offensive decentralized, and the knowledge on the defense is locked up in silos and not shared.
Yet the offensive is sharing the knowledge almost immediately. So once one group invents a new kind of Ransomware the code is almost always shared or it's reverse engineered. The defenses against it also aren't so easy to automate compared to the offense. From what I can see it's easy to automate the attacks, the weapons, and the weapons themselves can learn and evolve. The defense I suppose we can assume is not going to be able to keep up and so how can disaster recovery be robust enough so that when a company is successfully attacked it isn't completely bankrupted?
If absolute security is assumed impossible and companies admit the defensive capabilities are limited then companies can figure out ways to reduce the costs of defense and recovery. Lower cost defense and recovery I think is the best case win because I don't see the defense completely stopping Ransomware or rendering it completely ineffective for similar reasons social engineering cannot be rendered completely ineffective.
Outstanding insights (you have spent some time understanding the landscape, I am impressed!)
So a few thoughts to build on what you are saying....
Yes, the offense (attackers) are traditionally much better at sharing and collaborating. But two factors are shifting the equation a little bit. First, defenders are starting (yes, just starting) to share and collaborate more. For example look at nomoreransom.com where top security competitors are working together to publish free anti-ransomware recovery tools. Second, we will see the emerging top tier threats, nation-state players, have more of a role in cyber attacks and they traditionally DON'T like to share their toys. That puts downward pressure on collaboration by the most well funded offensive attackers.
Offense and Defense are becoming more automated. That is just the nature of cyber. We will all be talking about AI attacks/defense in the next few years as it will be the pivotal area of research. Tech is just the tool. Those who find a way to use the tools first and to the greatest effect, gain a significant advantage.
Skip the notion of absolute security. It is a marketing dream, not reality. In the real world we don't want to be impervious to attack (zero risk) as that would be far too expensive, unacceptably encumbering, and likely technically impossible anyways. That is not the goal. The real objective is to understand, attain, and sustain an 'optimal' level of security. This is where the costs, risks, and usability impacts are in the right balance for the organization. Risk is okay if it is understood, managed to the right level, and accepted by those responsible.
I'm glad you mentioned procedures will be needed. Training is the biggest factor that can prevent a hack/system intrusion (in my opinion). I've heard of hackers who have gained access to a billing department through a supervisors calendar/email invite. It's crazy when you understand how many vulnerabilities there are in a company, but when the correct procedures are in place, you can greatly reduce vulnerabilities. Smaller businesses should also utilize sweep accounts and check approval features that some banks offer. Keep your head on a swivel, everybody!
Our digital worlds are so complex. Criminals are finding not only cracks, but gaping holes to exploit. Behavioral aspects are just as important as Technical ones. They are two sides of the same coin. Both must be addressed.
There is one positive side about this though, they only ask $300 USD atm to transfer in bitcoin which means they don't do this for the money they merely do this to show the government and big companies out there that both of them are not in power, but the masses are in power and just people like you and me could disrupt them. I hope this wakes up the governments and big businesses out there.
There was a $4 million ransomware ask of a web hosting company, which was negotiated to $1 million, and paid just a few weeks ago. With that kind of money to be made, don't underestimate the greed of cybercriminals.
Hello @mrosenquist I found one of your articles through a google search and I am impressed. Following you now to read and learn more for you. Definitely wanted to take the time to let you know that you are adding great value to the platform and community.
We all need to be more proactive about our security instead of after being hacked or attacked but take measures to avoid that.
Including our steemit keys! Be safe and secure and thanks again.
Thank you for the kind words @jordanlindsey
As part of the community we all add in different ways. I am happy to share my insights to the world of cybersecurity as we all need to be more cautious and protect our digital identity, reputation, and assets (including Steemit keys). Hope to hear more from you in the future.
Cheers!
Always be watchful.
Great advis, thanks for the information !! you got my follow :) STEEM ON!