Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Charles Herring
Charles Herring
Connect Directly
E-Mail vvv

How Ransomware Encourages Opportunists to Become Criminals

And what's needed to stop it: Better information sharing among private organizations and with law enforcement agencies.

"I don't have to be faster than the bear, I just have to be faster than the slowest runners," commented a cybersecurity executive to me over lunch last month. This philosophy of not being an easy target has been the cornerstone of many successful cybersecurity practices over the last two decades. It has been highly effective for organizations that have the skill and funding to outpace their peer organizations and has delayed inevitable consequences to their organizations.

Cybercriminals have historically been opportunists playing a numbers game. Mass attacks with low success rates have long provided sustainable streams of ill gotten revenue. While opportunistic crimes are very common, there is an uptick in targeted, thoughtful attacks that read like the plot to Ocean's 11

Related Content:

Look to Banking as a Model for Stopping Crime-as-a-Service

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Reasons Why You Sorta Love Passwords

In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, "Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves."

Not long after, Chicago-based commercial insurer CNA got hit with a ransomware attack. The latest update from CNA in April confirms a "sophisticated ransomware" attack occurred. It has also committed that "once our investigation is complete, we will notify any impacted parties as appropriate."

What we know at this point is criminals have developed sophisticated tactics (the ransomware), distribution mechanism (like REvil), and patience for bringing down bigger prey (like CNA.) The ability to breach one of the largest organizations that exist to underwrite cybersecurity risk is compelling evidence that the bear is now chasing the faster, tastier runners. If the criminal networks possess a listing of companies insured and the amount that they are insured for, they have created a menu of the tastiest morsels to target.

With criminals developing appetites for the fast runners of the past, the individualism of private organizations must transform into a collaborative herd community to survive this evolutionary change in the predators. The well-funded and less-funded organizations need to develop sustainable methods for sharing information with each other and collaborating with law enforcement to increase painful deterrence for the criminals.

In the past, well-funded organizations in most industries have had little motivation to help less-funded peer organizations. An exception to this has been between financial institutions. In the "2020 FBI Internet Crime Report," the agency recovered more than 82% of the $462 million in losses from financial institutions. This industry invested early in collaboration mechanisms and protocols between one another and law enforcement and serves as a prototype as an effective collaborative herd. 

Cybercrime is a subtype of crime, and lessons we have learned in reducing crime rates in the physical world apply in the cyber world. Private organizations need to work with law enforcement agencies to establish workflows and communication tactics akin to neighborhood watches. Establishing sustainable methods for private organizations to communicate with each other and with law enforcement agencies is critical to improving arrest and conviction rates.

In the case of the CNA breach, it is my hope that CNA, its insured, and law enforcement already have vigilant safeguards and surveillance in place to produce the evidence needed to prosecute these crimes and make future crimes less attractive. 

As cybercriminals evolve, corporate and private citizenry must also change. We must be ready and able to look beyond our singular interests and invest in the protection of our entire community. As we work to protect the common good, the fast and the slow both become safer.

Charles' dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002 serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-23
Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.
PUBLISHED: 2022-05-23
In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on like Full Username, etc .This causes stored xss.
PUBLISHED: 2022-05-23
Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.
PUBLISHED: 2022-05-23
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
PUBLISHED: 2022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.