Today’s Ransomware Threat: Why It’s So Severe… And Only Getting Worse

Today’s Ransomware Threat: Why It’s So Severe… And Only Getting Worse

The ransomware threat is nothing new. Though it really got going around the mid-2010s, cyberattacks in which malicious actors encrypt files and demand payment to render them accessible again have been launched for over thirty years.

Recently, however, the nature of the battle against ransomware has changed: defenders must contend with greater attack volumes, higher ransom demands, and more sophisticated strategies for disseminating malware across IT environments — as well as more widespread activity. Because ransomware attacks continue to be highly lucrative for criminals, it’s unlikely that this trend will reverse itself anytime soon.

The Evolution of the Current Ransomware Threat

The first known ransomware attack took place in December 1989. Delegates who attended the World Health Organization’s AIDS conference that year were sent floppy disks containing malicious code that installed itself onto MS-DOS systems and eventually encrypted filenames, rendering the affected systems basically unusable. Victims were instructed to mail payment to the “PC Cyborg Corporation” at an address in Panama in order to regain access to their files.

As you might imagine, this early attack wasn’t enormously successful. Not only was postal mail an inefficient means of collecting payment, but the encryption methods used by the trojan were weak, so security researchers were able to develop a decryption tool, which they quickly released to the public.

For all its failures, the AIDS Trojan/PC Cyborg attack did unwittingly provide a blueprint for the next generation of attackers of what to avoid and what to do better, in order to achieve their objectives.

Newer generations of ransomware included public-key cryptography (ensuring that decryption keys didn’t have to be embedded in the malware), effective means of gaining initial access to victim environments, and easily disseminating ransomware across an organization’s I.T systems, and a solid strategy for collecting anonymous cross-border payments.

With the rise of Bitcoin and other cryptocurrencies in the early 2010s, the stage was set for ransomware to become the constant and growing threat that it is today. CryptoLocker, which propagated via spam and phishing attachments, targeted home computer users, used strong public-key cryptography and demanded payments in Bitcoin, began to propagate in 2013. By 2015, the FBI reported that there had been more than 1,000 victims of CyptoLocker, with collective total losses that exceeded $18 million.

The modern ransomware era — in which malware spreads widely, attacks are high-profile, ransoms are often in the millions of dollars, and victims are pressured to pay up right away — arguably began with the WannaCry ransomware attack in 2017. Exploiting a Microsoft Windows vulnerability for which a patch was already available, WannaCry eventually infected more than 230,000 computers in over 150 countries, making Bitcoin payment demands in 20 different languages. WannaCry’s perpetrators demanded only $300 per infected machine. We’ll likely never know if WannaCry was truly intended to collect ransoms from all infected victims, if the malware was released prematurely, or if it was simply intended to cause mass disruption. However, Wannacry was clearly designed by nation-state-level attackers attempting to do damage on a massive scale. Wannacry’s authors incorporate extremely effective and stable remote code execution exploits and wrote the ransomware to spread across networks automatically. Since then, we’ve seen many ransomware actors build these “worm” like functionalities into their malware to effectively infect an entire organization quickly.

Scaling Up: Ransomware-as-a-Service Emerges

Over the last few years, ransomware operators have looked to legitimate software developers for a new business model. As Software-as-a-Service (SaaS) became popular, criminals began supplying access to ransomware toolkits to anyone who wanted to build their own ransomware extortion “business”. These Ransomware-as-a-Service (RaaS) kits made it possible for would-be criminals with little technical skill or expertise to launch ransomware attacks, as long as the RaaS operators get a cut of the ransom. The kits are widely advertised and marketed on the dark web, where everyone from organized cybercriminal groups to individuals can purchase them. Just like regular SaaS, RaaS can include 24×7 user support, additional bundled offers, and access to user reviews and community forums. And the prices for access are relatively low, ranging from $40 to several thousand dollars a month or simply a percentage commission on any ransomware payments received.

With the average ransom demand in late 2020 reaching a new high of $847,344 — and continuing to trend upwards — it’s easy to see how this cost model would be advantageous for criminals. After all, only a small portion of the attacks need to succeed in order for the attacker to generate significant revenue.

The broad global adoption of cryptocurrencies facilitates both the sale of RaaS kits and the collection of payments from victims. Meanwhile, ransomware development is becoming more and more professionalized and is operating on an industrial scale. RaaS operators continue to reinvest their earnings into more reliable exploits, into software developers who are tasked with quickly integrating the latest attack tooling and methods.  This enables ransomware cybercriminals to gain initial access to victim environments by leveraging the latest exploits, improved techniques for orchestrating lateral movement, and better ransomware deployment capabilities overall. Criminal groups are also offering pre-established access to a victim’s network in exchange for a percentage of the final ransom payment. This gives less-skilled criminals access to greater numbers of potential victims, and better-resourced groups the advantage of scale.

How to Prevent Ransomware as It Continues to Rise.

Over the coming months and years, it’s all but certain that ransomware attacks will continue to increase in frequency, severity, impact, and economic cost. If the opportunity remains, criminals will take advantage of it. As long as companies continue to pay ransoms rather than face the catastrophic business and operational consequences of extended downtime, there’s no end in sight. Every time that a victim pays up, it feeds the criminals’ incentive to perpetrate further attacks.

Far too many organizations still fail to master the basics of cybersecurity hygiene, including maintaining ongoing visibility into their asset inventory, managing vulnerabilities, and reducing the attack surface. Particularly because RaaS makes it possible for less-sophisticated threat actors to perpetrate large volumes of attacks, it’s very common for attackers to exploit relatively simple mechanisms to gain initial access to the environment where they’ll deploy the ransomware.

What’s more, in today’s world criminal-friendly payment methods are readily available. It’s possible to collect anonymous payments in multi-million-dollar amounts, and cybercriminal groups based in Eastern European countries do so on a regular basis. Though attribution is always a challenge, it appears that some nation-state actors are affiliating themselves with these organized criminal groups as ransomware attacks become part of the global geopolitical cyber battlefront.

Despite the best efforts of law enforcement and government agencies, these criminal groups continue to operate with impunity. Because they’re located in jurisdictions where they have tacit or explicit protection from governments and local authorities, it’s extremely difficult to stop them.

And as growing numbers of high-profile attacks attract media attention, they continue to invite copycats to imitate them. The Colonial Pipeline attack, for instance, drew the entire world’s notice when it successfully brought the fuel supply to the eastern United States to a halt. Soon afterward, the Kaseya supply chain attack demonstrated the enormous scale of the impact that such attacks can have.

In the wake of these events, it’s likely that we’ll see increasing government intervention, including new regulations and disclosure requirements. Meanwhile, insurers are increasingly opting out of covering this risk or demanding high premiums.

It’s incumbent upon all organizations to limit their risk exposure by developing and implementing a cyber risk management program that’s rigorous and quantitative in nature. Without this — and a strong foundation of security hygiene, incident response planning, and putting appropriate controls in place — the financial consequences will eventually become too grave to bear.

 

Building a Vendor Risk Management Program

Building a Vendor Risk Management Program

Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a robust VRM. 

You may have a grasp on your own organization’s security and have good data and threat visibility, but beyond your environment, you are blind.  You have limited control over the security measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a potential breach of your environment, too.

In short, their risk is yours.

You may be able to surface, assess, and mitigate their risks, if it’s just a question of a few vendors, but most businesses have a vendor list that can reach thousands — from parts suppliers, cloud solutions providers, law firms, to call centers, consultants, and human resource benefit providers. The list of data they potentially have access to is equally long — from trade secrets and IP, to personal data and company policies. All this is at risk if your vendors do not have adequate security and privacy protections in place.

So, how, as a security leader, should you design, establish, and maintain a vendor risk management program that will help you sleep better at night?  You start with the following objectives:

  • Identify the cybersecurity risks within the supply chain and business vendor landscape
  • Continuously evaluate and monitor the effectiveness of vendors in managing cybersecurity risk to an acceptable level
  • Provide a mechanism to respond to a vendor’s security failures that impact your business
  • Provide awareness to senior management and Board regarding vendor risks

As you consider these objectives, build out your vendor risk management program based on industry best practices. The following best practices should be considered as you design your program:

Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is your vendor master within the organization’s accounts payable system. This will identify all the vendors that you are paying for goods and services. Once you have the inventory, you can place them in risk tiers. Your risk modeling approach should consider the type of data accessed by the vendor, the criticality of the vendor to your business process, the connectivity of the vendor to your data, systems and networks, and any recently observed experiences with the vendor. Creating risk tiers will allow you to build a program that is responsive to the risk in each tier and to focus your limited resources on the areas of greatest risk.

As you build your vendor risk program, you should work closely with procurement, legal, and other functions.  Your cybersecurity vendor risk program should integrate with your organization’s vendor life cycle processes. Security requirements should be defined and utilized in new vendor identification.  Selection, negotiation and contracting should include security and privacy protections in contracts- Onboarding and implementation should include appropriate security review, and termination processes should ensure destruction or removal of sensitive data. With strong collaboration across functions a more unified vendor risk program can be implemented that addresses all key risk areas including financial viability, safety, and legal compliance.

There are many approaches to evaluating and monitoring vendors. Popular techniques to evaluate how vendors are addressing their cybersecurity risk include: surveys and questionnaires; review of third-party audits and certifications; onsite visits; technical testing; and continuous monitoring. As you design your program include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be used to determine the extent and frequency of evaluation. Higher risk vendors will need higher levels of assurance such as completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might need to complete a simplified questionnaire or be subject to less frequent review. Also be reasonable in what you expect from vendors; don’t ask for information that you are not using to evaluate risk. Far too many vendor questionnaires request data that is never used in the risk management process.

Your vendor risk program should use automation to help efficiently manage many of the vendor risk processes. Over the last several years there has been a significant growth in the number of tools that can help automate aspects of your vendor risk management program. Gartner now tracks this as a separate category of software. Many of the integrated risk management or governance risk and compliance tools provide third party risk management modules. There are also many solutions that just focus on vendor risk. Most of these solutions now run in a software-as-a-service mode. Many include the ingestion of intelligence about a vendor’s cybersecurity profiles, financial condition, and business conduct to complement other frequently used evaluation methods (such as security questionnaires and onsite visits). Integration with procurement, ERP and service management tools is also becoming common place.

Vendor risk management is still a relatively new field and continues to evolve. VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in place to reduce the burden on vendors completing literally hundreds of questionnaires. Security certification programs are gaining more prominence as vendors seeks to provide assurance that their security programs meet acceptable industry standards.

When a vendor suffers a data breach or significant security incident, your business may also be impacted. Your program design should integrate vendor risk management into your incident response process. Studies indicate that 60% of data breaches involve a third party. Your vendor cybersecurity requirements should stipulate how soon you should be notified of a potential security breach or incident. Your incident response playbooks should address the actions your incident response team should take when a vendor incident occurs. Critical vendors should be included in your incident response tabletops and simulations.

Boards of Directors are increasingly asking security leaders about third party risks. Your program should include dashboards and metrics that measure and report on third party risk. Senior leaders and governance boards want to know how third-party risk is being addressed. Your program should capture and report on key metrics such as the percentage of vendors included in the program, the percentage of higher risk vendors evaluated or under continuous monitoring, exception rates, and the reduction of risk achieved.

*****

As a security leader you need to develop and continuously evolve your vendor risk management program. Just like most things on cybersecurity this is not a “one and done effort”. Continue to find ways to build in more continuous monitoring and alerting to augment your periodic reviews. Monitor your coverage and risk profile over time and periodically refer to your objectives and validate your program is appropriately focused and resourced. Keep senior management and the Board updated on vendor risk. Ask yourself: “Do I know who my high-risk vendors are and am I comfortable about the cyber risk we are accepting”? If the answer is “no”, it is time to update your vendor risk program.

Join our webinar on the 21st to hear Graeme discuss your vendor risk management questions. Click here to register.