
10/31/2020
09:15 AM

Rising Ransomware Breaches Underscore Cybersecurity Failures

Ransomware's continued success speaks volumes about what's at stake for businesses and people, and, perhaps, the cybersecurity industry's inability to adapt quickly enough to protect everyone.

Healthcare organizations are once again under attack by ransomware syndicates: Medical facilities in at least three states were hit in the past week, spurring a warning by US cyber-response organizations and underscoring the success of cybercriminals in attacking critical infrastructure for profit with impunity.

Yet, while those attacks make the headlines, they represent only a small share of the successes. Healthcare is not even in the top 10 of the most attacked industries, according to a May survey conducted by cybersecurity firm Sophos. Instead, entertainment, IT, and energy are the top 3 targets, with at least 55% of companies in those industries suffering a ransomware attack in the last year and almost three-quarters of all attacks successfully encrypting data.


The continued success of ransomware highlights the heightened stakes for businesses — and, because healthcare, local government, and other critical infrastructures are targeted, the general public — in combatting cybercrime and bad actors on the Internet.  

"We are doing all the things that we have always done for malware, but they are just not sufficient," says Greg Conti, principal consultant and co-founder of cybersecurity consultancy Kopidion. "Often it comes down to, do we have backups? If you have a hardened cloud backup or an air-gapped backup system, then you can recover. And if you are not doing those things, then you have a major problem."

The continued success of ransomware also underscores the failures of multiple stakeholders to adapt quickly enough to the increasingly dire issues of cybersecurity: companies, vendors, and governments have all failed to rein in malicious cyberattacks. The lack of consequences for the perpetrators, the relatively easy profits for cybercriminals, and the continued vulnerability of corporate networks make ransomware unlikely to go away.

"The security industry is, of course, trying to build things that people will buy but also that solve real problems," Conti says. "The threat actors are agile and they are moving fast. The big companies might be keeping up, but the small companies are not. The root of the larger cybersecurity problem is, how do you defend those under-resourced defenders in a constant game of one-upmanship?"

Worse, the cost of failure is increasingly high, with the average ransom topping $1.4 million and the average cost of recovery more than $700,000 for organizations that did not pay a ransom, according to Sophos' May survey. Local governments, small businesses, and school districts are hard-pressed to defend against the attacks, Conti says.

Ransomware is not the only cybercrime enjoying continued success. Business e-mail compromise and invoice scams continue to siphon off millions of dollars from US companies and organizations every year. Suffering from just such a scam, the Wisconsin Republican Party claims that cybercriminals modified invoices for direct mail and other services to steal $2.3 million from an account to re-elect President Donald Trump. Add to those crimes the continuing threat of nation-state espionage and disinformation attacks, and the scope of malicious online activity can easily overwhelm all but the largest companies.

No wonder, then, that a bipartisan 184-page report released by the Cyberspace Solarium Commission that focused on how the United States could defend its interests in cyberspace opened with a warning: "Our country is at risk ... ."

Mitigating that risk is expensive for every business and hard to do right, says Jason Crabtree, CEO of risk management firm QOMPLX.

"Cybersecurity, clearly, is not something that every company is going to be successful in, even if it runs a great program and has the right people and does all the right things," he says. "You could still be targeted for a variety of economic or strategic reasons and have a problem."

Companies can take steps. A well-tested backup strategy combined with good visibility into network anomalies can head off massive ransomware attacks. While only 24% of companies detected and stopped ransomware before it could encrypt data, more than half of companies that did suffer a ransomware attack were able to restore the data from backup, according to the Sophos report. 

Because of the losses due to ransomware, however, more companies are taking notice. SEC filings are increasingly citing ransomware and data-destructive attacks as a potential business risk, says Greg Baker, senior associate with consultancy Booz Allen Hamilton (BAH).

"Back five or 10 years ago, there was no engagement nor understanding of cybersecurity at the executive level. That is changing," he says. "We are seeing a lot more requests from companies to help them become more resilient because they understand the risks associated with these events."

Yet much of the progress toward a secure Internet will rely on policy and government action. The Cyberspace Solarium Commission concluded that deterrence of attacks in cyberspace is possible, but to do so requires the private sector to secure their systems, government reform, and an economy that mitigates the impacts of attacks.  

Defenders have to be able to make responses to malicious attacks personal for the attackers, says Kopidion's Conti. 

"Increasing pain for attackers — that is a government and law enforcement problem — but the question is, how much can government do when the actors are being shielded by their governments?" he says. "Inherent to the problem of cybersecurity is what can you do when you cannot punish enough of the bad actors to dissuade them from coming back."

Overall, shifting defenders' mindset will require more time, while attackers are able to quickly adopt new ways of exploiting defensive weaknesses, says BAH's Baker. Yet companies and vendors are making environments more resilient with comprehensive security testing, creating playbooks for incident response, and gaining more visibility into their environments, he says.

The shift to a proactive strategy may be what tips the balance, he says. 

"It is not just on the incident response side, either," Baker says. "We are talking about the proactive services, which I think in time will prove to be very fruitful in perhaps not limiting the number of events, but limiting the effects of those events."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
DannyLebron,
User Rank: Apprentice
11/2/2020 | 8:57:15 AM
Surprised
"Healthcare is not even in the top 10 of the most attacked industries": I'm really surprised this isn't in the top 5. Any idea why?
Zohar Buber,
User Rank: Author
11/2/2020 | 6:06:19 AM
Great article
Great article