The pace at which ransomware has gained the attention of organizations and the media has been rapidly growing over the past year. Ransomware attacks are nothing new — the last peak of attention on this issue was back in 2017 when the infamous WannaCry ransomware ravaged companies. However, WannaCry was a small-dollar ransom, aiming to collect hundreds of dollars' worth of Bitcoin from each company. In contrast, the ransomware of recent times has shifted toward high-value targets from well-funded threat actors aimed at extracting up to millions of dollars from each victim.
Another shift in the targeting of ransomware includes a major uptick in attacks on operational technology (OT) over the past year. For many of these organizations, the rapid convergence of IT and OT environments has exposed both a technology and a skills gap that they've had to solve quickly to protect themselves from an increasingly vast threat landscape.
When it comes to addressing this persistent threat, it's important that the focus of government, beyond educating and providing resources to guide organizations, be on disrupting the criminal activities and economic drivers that allow this threat vector to grow. Meanwhile, for a private organization, the focus should instead be on reducing the attack surface and building the right fundamentals of a comprehensive security program.
Because of coordinated global government action, we can argue that the era of peak ransomware is right now, and that this threat may start its decline. While the rise of cryptocurrency ushered in a new era of ransomware, the good news is that there is something of a digital paper trail to these transactions, and law enforcement has been increasingly effective at finding ways to track the path of ransom payments. As there is increased pressure around the world to regulate cryptocurrency, anything that can be done to limit the anonymity of transactions will make criminal activity more difficult. Unfortunately, when criminal activity is supported by nation-states, there is little any individual can do to address this, and it must be the role of an international coalition of governments to address.
In addition to addressing the trail of the ransom payments, we've seen a huge shift in focus from the government to tackle the underlying problem of poorly secured critical infrastructure head-on. Ranging from executive orders to requests for information (RFIs) from federal agencies like the Department of Energy, securing our critical infrastructure has never been a higher priority. Guidance and advice are a light-touch approach to helping organizations, but increased government regulation and mandates are often the action that is needed to motivate the level of investment required in highly regulated industries to bring security programs up to a sufficient level to repel many of these attacks.
One pressing topic of discussion is whether or not the government can or should make it illegal to pay ransom. If organizations will not and do not pay ransoms, the economic driver behind these attacks simply ceases to exist. In many cases, ransom payments may in part be covered by cyber-insurance policies. While the cyber-insurance providers may also prefer not to pay ransoms, they operate in a competitive market where any single insurance company would put itself at a disadvantage by refusing these payments. Again, the onus is on government action to change the market dynamics.
No Payment, No Point… or Not?
With limited or no economic outcome, ransomware will lose its appeal as a worthy attack vector. This raises the obvious question of "What's next?" Without a ransom payment, alternative approaches to monetize attacks will be highly sought after by criminals. Shifting the focus back toward selling companies' private data and intellectual property on Dark Web marketplaces could see a major increase. Organizations that have the most valuable and easily monetizable data will be the bigger target if ransom payments are successfully disrupted.
As organizations look to protect themselves against future attacks, the answer is less sophisticated than you might think. Exploiting misconfigurations, known vulnerabilities, and methodically working from initial entry points with phishing and malware to gain access to sensitive systems will still be the hallmark of most of these attacks, regardless of how or if the breach will be monetized for economic gain.
Focusing on basic security controls and executing them well is the best way to harden your systems against an attack. This includes making sure you know what's in your environment, making sure everything is configured correctly, addressing vulnerabilities, limiting administrator access, and having an incident response plan. Ransomware is in the limelight now, and may never go away, but stealing credit card numbers and hacktivism were in the spotlight before, and it will be something new in the future. Let's keep the pressure on the government to do its part and focus on what we can do within our own organizations to do ours.