Dark Reading is part of the Informa Tech Division of Informa PLC



10/31/2020
09:15 AM

Rising Ransomware Breaches Underscore Cybersecurity Failures

Ransomware's continued success speaks volumes about what's at stake for businesses and people, and, perhaps, the cybersecurity industry's inability to adapt quickly enough to protect everyone.

Healthcare organizations are once again under attack by ransomware syndicates: Medical facilities in at least three states were hit in the past week, spurring a warning by US cyber-response organizations and underscoring the success of cybercriminals in attacking critical infrastructure for profit with impunity.

Yet, while those attacks make the headlines, they represent only a small share of the successes. Healthcare is not even in the top 10 of the most attacked industries, according to a May survey conducted by cybersecurity firm Sophos. Instead, entertainment, IT, and energy are the top 3 targets, with at least 55% of companies in those industries suffering a ransomware attack in the last year and almost three-quarters of all attacks successfully encrypting data.

The continued success of ransomware highlights the heightened stakes for businesses — and, because healthcare, local government, and other critical infrastructures are targeted, the general public — in combatting cybercrime and bad actors on the Internet.  

"We are doing all the things that we have always done for malware, but they are just not sufficient," says Greg Conti, principal consultant and co-founder of cybersecurity consultancy Kopidion. "Often it comes down to, do we have backups? If you have a hardened cloud backup or an air-gapped backup system, then you can recover. And if you are not doing those things, then you have a major problem."

The continued success of ransomware also underscores the failures of multiple stakeholders to adapt quickly enough to the increasingly dire issues of cybersecurity — companies, vendors, and governments have all failed to rein in malicious cyberattacks. The lack of consequences for the perpetrators, the relatively easy profits for cybercriminals, and the continued vulnerability of corporate networks make ransomware unlikely to go away.

"The security industry is, of course, trying to build things that people will buy but also that solve real problems," Conti says. "The threat actors are agile and they are moving fast. The big companies might be keeping up, but the small companies are not. The root of the larger cybersecurity problem is, how do you defend those under-resourced defenders in a constant game of one-upmanship?"

Worse, the cost of failure is increasingly high, with the average ransom topping $1.4 million and the average cost of recovery more than $700,000 for organizations that did not pay a ransom, according to Sophos' May survey. Local governments, small businesses, and school districts are hard-pressed to defend against the attacks, Conti says.

Ransomware is not the only cybercrime enjoying continued success. Business e-mail compromise and invoice scams continue to siphon off millions of dollars from US companies and organizations every year. Suffering from just such a scam, the Wisconsin Republican Party claims that cybercriminals modified invoices for direct mail and other services to steal $2.3 million from an account to re-elect President Donald Trump. Add to those crimes the continuing threat of nation-state espionage and disinformation attacks, and the scope of malicious online activity can easily overwhelm all but the largest companies.

No wonder, then, that a bipartisan 184-page report released by the Cyberspace Solarium Commission that focused on how the United States could defend its interests in cyberspace opened with a warning: "Our country is at risk ... ."

Mitigating that risk is expensive for every business and hard to do right, says Jason Crabtree, CEO of risk management firm QOMPLX.

"Cybersecurity, clearly, is not something that every company is going to be successful in, even if it runs a great program and has the right people and does all the right things," he says. "You could still be targeted for a variety of economic or strategic reasons and have a problem."

Companies can take steps. A well-tested backup strategy combined with good visibility into network anomalies can head off massive ransomware attacks. While only 24% of companies detected and stopped ransomware before it could encrypt data, more than half of companies that did suffer a ransomware attack were able to restore the data from backup, according to the Sophos report. 

Because of the losses due to ransomware, however, more companies are taking notice. SEC filings are increasingly citing ransomware and data-destructive attacks as a potential business risk, says Greg Baker, senior associate with consultancy Booz Allen Hamilton (BAH).

"Back five or 10 years ago, there was no engagement nor understanding of cybersecurity at the executive level. That is changing," he says. "We are seeing a lot more requests from companies to help them become more resilient because they understand the risks associated with these events."

Yet much of the progress toward a secure Internet will rely on policy and government action. The Cyberspace Solarium Commission concluded that deterrence of attacks in cyberspace is possible, but to do so requires the private sector to secure their systems, government reform, and an economy that mitigates the impacts of attacks.  

Defenders have to be able to make responses to malicious attacks personal for the attackers, says Kopidion's Conti. 

"Increasing pain for attackers — that is a government and law enforcement problem — but the question is, how much can government do when the actors are being shielded by their governments?" he says. "Inherent to the problem of cybersecurity is what can you do when you cannot punish enough of the bad actors to dissuade them from coming back."

Overall, shifting defenders' mindset will require more time, while attackers are able to quickly adopt new ways of exploiting defensive weaknesses, says BAH's Baker. Yet companies and vendors are making environments more resilient with comprehensive security testing, creating playbooks for incident response, and gaining more visibility into their environments, he says.

The shift to a proactive strategy may be what tips the balance, he says. 

"It is not just on the incident response side, either," Baker says. "We are talking about the proactive services, which I think in time will prove to be very fruitful in perhaps not limiting the number of events, but limiting the effects of those events."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 

Comments
DannyLebron,
User Rank: Apprentice
11/2/2020 | 8:57:15 AM
Surprised
"Healthcare is not even in the top 10 of the most attacked industries": I'm really surprised this isn't in the top 5. Any idea why?
Zohar Buber,
User Rank: Author
11/2/2020 | 6:06:19 AM
Great article
Great article