Healthcare organizations are once again under attack by ransomware syndicates: Medical facilities in at least three states were hit in the past week, spurring a warning by US cyber-response organizations and underscoring the success of cybercriminals in attacking critical infrastructure for profit with impunity.
Yet, while those attacks make the headlines, they represent only a small share of the successes. Healthcare is not even in the top 10 of the most attacked industries, according to a May survey conducted by cybersecurity firm Sophos. Instead, entertainment, IT, and energy are the top 3 targets, with at least 55% of companies in those industries suffering a ransomware attack in the last year and almost three-quarters of all attacks successfully encrypting data.
The continued success of ransomware highlights the heightened stakes for businesses — and, because healthcare, local government, and other critical infrastructures are targeted, the general public — in combatting cybercrime and bad actors on the Internet.
"We are doing all the things that we have always done for malware, but they are just not sufficient," says Greg Conti, principal consultant and co-founder of cybersecurity consultancy Kopidion. "Often it comes down to, do we have backups? If you have a hardened cloud backup or an air-gapped backup system, then you can recover. And if you are not doing those things, then you have a major problem."
The continued success of ransomware also underscores the failures of multiple stakeholders to adapt quickly enough to the increasingly dire issues of cybersecurity — companies, vendors, and governments have all failed to reign in malicious cyberattacks. The lack of consequences for the perpetrators, the relatively easy profits for cybercriminals, and the continued vulnerability of corporate networks makes ransomware unlikely to go away.
"The security industry is, or course, trying to build things that people will buy but also that solve real problems," Conti says. "The threat actors are agile and they are moving fast. The big companies might be keeping up, but the small companies are not. The root of the larger cybersecurity problem is, how do you defend those under-resourced defenders in a constant game of one upmanship?"
Worse, the cost of failure is increasingly high, with the average ransom topping $1.4 million and the average cost of recovery more than $700,000 for organizations that did not pay a ransom, according to Sophos' May survey. Local governments, small businesses, and school districts are hard-pressed to defend against the attacks, Conti says.
Ransomware is not the only cybercrime enjoying continued success. Business e-mail compromise and invoice scams continue to siphon off millions of dollars from US companies and organizations every year. Suffering from just such as scam, the Wisconsin Republican Party claims that cybercriminals modified invoices for direct mail and other services to steal $2.3 million from an account to re-elect President Donald Trump. Add to those crimes the continuing threat of nation-state espionage and disinformation attacks, and the scope of malicious online activity can easily overwhelm all but the largest companies.
No wonder, then, that a bipartisan 184-page report released by the Cyberspace Solarium Commission that focused on how the United States could defend its interests in cyberspace opened with a warning: "Our country is at risk ... ."
Mitigating that risk is expensive for every business and hard to do right, says Jason Crabtree, CEO of risk management firm QOMPLX.
"Cybersecurity, clearly, is not something that every company is going to be successful in, even if it runs a great program and has the right people and does all the right things," he says. "You could still be targeted for a variety of economic or strategic reasons and have a problem."
Companies can take steps. A well-tested backup strategy combined with good visibility into network anomalies can head off massive ransomware attacks. While only 24% of companies detected and stopped ransomware before it could encrypt data, more than half of companies that did suffer a ransomware attack were able to restore the data from backup, according to the Sophos report.
Because of the losses due to ransomware, however, more companies are taking notice. SEC filings are increasingly citing ransomware and data-destructive attacks as a potential business risk, says Greg Baker, senior associate with consultancy Booz Allen Hamilton (BAH).
"Back five or 10 years ago, there was no engagement nor understanding of cybersecurity at the executive level. That is changing," he says. "We are seeing a lot more requests from companies to help them become more resilient because they understand the risks associated with these events."
Yet much of the progress toward a secure Internet will rely on policy and government action. The Cyberspace Solarium Commission concluded that deterrence of attacks in cyberspace is possible, but to do so requires the private sector to secure their systems, government reform, and an economy that mitigates the impacts of attacks.
Defenders have to be able to make responses to malicious attacks personal for the attackers, says Kopidion's Conti.
"Increasing pain for attackers — that is a government and law enforcement problem — but the question is, how much can government do when the actors are being shielded by their governments?" he says. "Inherent to the problem of cybersecurity is what can you do when you cannot punish enough of the bad actors to dissuade them from coming back."
Overall, shifting defenders' mindset will require more time, while attackers are able to quickly adopt new ways of exploiting defensive weaknesses, says BAH's Baker. Yet companies and vendors are making environments more resilient with comprehensive security testing, creating playbooks for incident response, and gaining more visibility into their environments, he says.
The shift to a proactive strategy may be what tips the balance, he says.
"It is not just on the incident response side, either," Baker says. "We are talking about the proactive services, which I think in time will prove to be very fruitful in perhaps not limiting the number of events, but limiting the effects of those events."