5/19/2021
10:00 AM
Charles Herring
Commentary

How Ransomware Encourages Opportunists to Become Criminals

And what's needed to stop it: Better information sharing among private organizations and with law enforcement agencies.

"I don't have to be faster than the bear, I just have to be faster than the slowest runners," commented a cybersecurity executive to me over lunch last month. This philosophy of not being an easy target has been the cornerstone of many successful cybersecurity practices over the last two decades. It has been highly effective for organizations that have the skill and funding to outpace their peer organizations and has delayed inevitable consequences to their organizations.

Cybercriminals have historically been opportunists playing a numbers game. Mass attacks with low success rates have long provided sustainable streams of ill-gotten revenue. While opportunistic crimes are very common, there is an uptick in targeted, thoughtful attacks that read like the plot to Ocean's 11.

In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, "Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves."

Not long after, Chicago-based commercial insurer CNA got hit with a ransomware attack. The latest update from CNA in April confirms a "sophisticated ransomware" attack occurred. It has also committed that "once our investigation is complete, we will notify any impacted parties as appropriate."

What we know at this point is that criminals have developed sophisticated tactics (the ransomware), a distribution mechanism (like REvil), and patience for bringing down bigger prey (like CNA). The ability to breach one of the largest organizations that exist to underwrite cybersecurity risk is compelling evidence that the bear is now chasing the faster, tastier runners. If the criminal networks possess a listing of companies insured and the amount that they are insured for, they have created a menu of the tastiest morsels to target.

With criminals developing appetites for the fast runners of the past, the individualism of private organizations must transform into a collaborative herd community to survive this evolutionary change in the predators. The well-funded and less-funded organizations need to develop sustainable methods for sharing information with each other and collaborating with law enforcement to increase painful deterrence for the criminals.

In the past, well-funded organizations in most industries have had little motivation to help less-funded peer organizations. An exception to this has been between financial institutions. In the "2020 FBI Internet Crime Report," the agency recovered more than 82% of the $462 million in losses from financial institutions. This industry invested early in collaboration mechanisms and protocols between one another and law enforcement and serves as a prototype of an effective collaborative herd.

Cybercrime is a subtype of crime, and lessons we have learned in reducing crime rates in the physical world apply in the cyber world. Private organizations need to work with law enforcement agencies to establish workflows and communication tactics akin to neighborhood watches. Establishing sustainable methods for private organizations to communicate with each other and with law enforcement agencies is critical to improving arrest and conviction rates.

In the case of the CNA breach, it is my hope that CNA, its insured, and law enforcement already have vigilant safeguards and surveillance in place to produce the evidence needed to prosecute these crimes and make future crimes less attractive. 

As cybercriminals evolve, corporate and private citizenry must also change. We must be ready and able to look beyond our singular interests and invest in the protection of our entire community. As we work to protect the common good, the fast and the slow both become safer.

Charles' dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002 serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a ...