Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Charles Herring
Charles Herring
Connect Directly
E-Mail vvv

How Ransomware Encourages Opportunists to Become Criminals

And what's needed to stop it: Better information sharing among private organizations and with law enforcement agencies.

"I don't have to be faster than the bear, I just have to be faster than the slowest runners," commented a cybersecurity executive to me over lunch last month. This philosophy of not being an easy target has been the cornerstone of many successful cybersecurity practices over the last two decades. It has been highly effective for organizations that have the skill and funding to outpace their peer organizations and has delayed inevitable consequences to their organizations.

Cybercriminals have historically been opportunists playing a numbers game. Mass attacks with low success rates have long provided sustainable streams of ill gotten revenue. While opportunistic crimes are very common, there is an uptick in targeted, thoughtful attacks that read like the plot to Ocean's 11

Related Content:

Look to Banking as a Model for Stopping Crime-as-a-Service

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Reasons Why You Sorta Love Passwords

In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, "Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves."

Not long after, Chicago-based commercial insurer CNA got hit with a ransomware attack. The latest update from CNA in April confirms a "sophisticated ransomware" attack occurred. It has also committed that "once our investigation is complete, we will notify any impacted parties as appropriate."

What we know at this point is criminals have developed sophisticated tactics (the ransomware), distribution mechanism (like REvil), and patience for bringing down bigger prey (like CNA.) The ability to breach one of the largest organizations that exist to underwrite cybersecurity risk is compelling evidence that the bear is now chasing the faster, tastier runners. If the criminal networks possess a listing of companies insured and the amount that they are insured for, they have created a menu of the tastiest morsels to target.

With criminals developing appetites for the fast runners of the past, the individualism of private organizations must transform into a collaborative herd community to survive this evolutionary change in the predators. The well-funded and less-funded organizations need to develop sustainable methods for sharing information with each other and collaborating with law enforcement to increase painful deterrence for the criminals.

In the past, well-funded organizations in most industries have had little motivation to help less-funded peer organizations. An exception to this has been between financial institutions. In the "2020 FBI Internet Crime Report," the agency recovered more than 82% of the $462 million in losses from financial institutions. This industry invested early in collaboration mechanisms and protocols between one another and law enforcement and serves as a prototype as an effective collaborative herd. 

Cybercrime is a subtype of crime, and lessons we have learned in reducing crime rates in the physical world apply in the cyber world. Private organizations need to work with law enforcement agencies to establish workflows and communication tactics akin to neighborhood watches. Establishing sustainable methods for private organizations to communicate with each other and with law enforcement agencies is critical to improving arrest and conviction rates.

In the case of the CNA breach, it is my hope that CNA, its insured, and law enforcement already have vigilant safeguards and surveillance in place to produce the evidence needed to prosecute these crimes and make future crimes less attractive. 

As cybercriminals evolve, corporate and private citizenry must also change. We must be ready and able to look beyond our singular interests and invest in the protection of our entire community. As we work to protect the common good, the fast and the slow both become safer.

Charles' dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002 serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-08
The Yellow Yard Searchbar WordPress plugin before 2.8.2 does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting
PUBLISHED: 2023-02-08
Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration.
PUBLISHED: 2023-02-08
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.
PUBLISHED: 2023-02-08
Cross-site Scripting (XSS) - DOM in GitHub repository answerdev/answer prior to 1.0.4.
PUBLISHED: 2023-02-08
Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.4.