Crime Watch: Why Are Ransomware Attacks Intensifying?
Also: Threat Landscape's Evolution; Limits of User Awareness for Boosting Security
The latest edition of the ISMG Security Report analyzes why the number of ransomware attacks and the amounts being paid in ransoms are both on the rise. It also discusses today's cyberthreat landscape and whether organizations should rely on user training to improve security.
In this report, you'll hear:
- ISMG's Mathew Schwartz discuss why the ransomware problem is not just persisting, but intensifying;
- Bugcrowd founder Casey Ellis describe the evolving threat landscape;
- Adam Wedgbury of Airbus on whether you can drive cybersecurity risk reduction through awareness and behavioral change.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the June 28 and July 7 editions, which respectively discuss why firewalls and VPNs don't belong in Zero Trust design and how to respond to the new "fraud universe."
Anna Delaney: The ransomware attacks and the amounts being paid are on the rise, and how is the threat landscape evolving in 2022? These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. Ransomware continues to amass new victims. Last week, the head of Britain's National Cybersecurity Centre and privacy watchdog Information Commissioner's Office said that in recent months, they have seen an increase in the number of ransomware attacks and the ransom amounts being paid. To discuss, I'm joined by Mathew Schwartz, executive editor for DataBreachToday. Matt, why is the ransomware problem not just persisting, but intensifying?
Mathew Schwartz: If there's one thing we've seen from ransomware groups, it's that they're good at innovation. There's an imperative for them to get better at what they do to counter improving defenses and victims not wanting to pay. So, by getting better at what they do, they're bringing more pressure to bear in more innovative ways. In recent weeks, for example, there's a ransomware group called Black Cat, also known as Alpha. It has been allowing users of its data leak site to search on the data leaks that it's gathered from victims. So, this seems to be an attempt by the group to add pressure on victims to say, “If you don't pay, we're going to list you on our data leak site. And if you still don't pay, we're going to take that data that we stole from you, and we're going to not just make it available via our website, but also give functionality to search for confidential information or passwords, social security numbers, to anybody who comes to our site.” So that's one way that they've been adding pressure. With Black Cat, it's found that the group has upped the base ransom demand to two and a half million dollars. Now, things can get discounted. There can be sale prices, but they're setting the two and a half million dollars as a way to open negotiations with victims and promising a discount of usually up to 50% if a victim pays within five to seven days. So again, the impetus here is to pressure victims not just into paying but into paying quickly.
Delaney: Matt, do we know how bad the ransomware problem really is?
Schwartz: That's a perennial question, because we keep seeing these reports about the latest innovations being practiced by ransomware groups. As you noted in your introduction, the National Cybersecurity Centre says that it has been seeing an increase not just in successful ransomware attacks but in the amounts going to victims. This is useful because they've got intelligence that the rest of us don't have. And they're able to say, “The problem is getting worse.” We're normally forced to rely on anecdotal evidence. For example, the data leak sites that I was mentioning will list victims that don't pay, but they don't list victims who do pay. So we need to infer how many victims there might be based on how many show up on sites. That's an inexact science, but there's thinking that maybe only a third of ransomware victims end up getting listed. Does that mean that 40 to 60% could be paying the ransom? That is an open question. Something else we have is that blockchain intelligence firms are tracking cryptocurrency payments that go to wallets that are known to be operated by ransomware groups. They don't know all the wallets that get operated by these groups. And intelligence on this front continues to come to light. You'll see the known ransomware proceeds for recent years continuing to go up as a greater realization comes of where the funds were going and which criminals were in control of them. We've got this imperfect patchwork of intelligence telling us that the problem is bad. We don't know exactly how bad, but it's worse than anybody would like it to be.
Delaney: Do you think more needs to be done?
Schwartz: Definitely. Now, we should acknowledge that lots is being done. There's been a big push, especially since last summer, by Western governments, including the U.K. and the U.S. They have been pushing domestic businesses to get better at cybersecurity resiliency. So, if they get hit by ransomware, they don't need to think twice about paying. They can restore systems. Now that's not a snap-your-fingers-and-it's-done exercise. But if we take out the ransomware profits flowing to the attackers, we cut down on their research and development budgets. We also help delegitimize ransomware as a viable if illicit money-making concern. These are all good things that help take a bite out of the ransomware business model. Another push has been sanctions or ransomware being lobbed at organizations or reservoir groups operating from Russia and North Korea, and this has helped disrupt the flow of funds to these groups. In particular, Conti recently had to rebrand itself because it was seeing the ransom payments to it dramatically decline after the group backed Russia in the war against Ukraine. So Western governments are taking advantage where they can. Another great point that was voiced recently by security researcher Paul Ducklin of Sophos is that even when you do pay and get a decrypter, the decrypter often doesn't work. So, you're going to have to spend more money paying somebody else to build you a decrypter that works better. Also, as I mentioned before, restoring systems is an easy exercise; it takes time and money. And if you're paying a ransom, you're adding to the total bill without doing anything for yourself. You still have to rely on backups that you already have to give the best chance of recovering the most amount of information in the least amount of time. So, why pay these groups?
With these downsides being voiced, the threat of violating sanctions, and the fact that this perpetuates the criminal business model, we will be seeing organizations focus more on preparation, so they never even have to think about having to pay a ransom.
Delaney: Great advice, as always, Matt. Thank you for your insight.
Schwartz: Thank you, Anna.
(Transition Ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: Over the past year, the cyberthreat landscape has continued to evolve and expand as attackers have found new vulnerabilities and ways to infiltrate organizations. So, what does the threat landscape look like today? Casey Ellis, CTO and founder of Bugcrowd, shared his perspective in an interview with our editor Mathew Schwartz at the recent ISMG London Summit.
Casey Ellis: The biggest thing is the focus on supply chain risks with open source software. You saw what happened with Log4j and the complete trash fire that turned into a lot for the internet. And then you consider that Log4j is one of your hundreds of open-source packages that are powering everything. They could potentially suffer a similar issue and cause a similar set of consequences. In a lot of ways, Log4j was an important and a wake-up call in terms of how people think and manage about that risk. It's also attracted attention into open sources, an area of vulnerability research. So, there's a lot more effort going into potentially on the bad guy side, as well as the good guy side, figuring out what's vulnerable and how to explain it. The other one that we've observed is the consequences of COVID-19. When you think about what happens in 2020, we all had the great zero trust experiment thrust upon us, and people had to change a bunch of stuff quickly. There's consequences of that phase. The phase that we're in now is everyone trying to work out what normal looks like. And there's different versions of that. Into that environment, you've got a lot of chaos and potentially blind spots popping out, and attackers love that. Chaos is their friend in terms of getting their thing done. So, from a threat landscape standpoint, that is talking about the attack surface itself. But what we're also seeing is the attackers respond to that. You see the rise of ransomware. There's other things that are happening when the threats take advantage of this stuff that's continuing to escalate. There's a lot going on.
Delaney: Finally, running user awareness programs continues to be a cornerstone of many corporate information security programs, driven in part by regulatory requirements. But can you drive cybersecurity risk reduction through awareness and behavioral change alone? This was a question posed by editor Mathew Schwartz to Adam Wedgbury, head of enterprise digital security architecture at Airbus, recorded again at our recent London summit.
Adam Wedgbury: There's a lot of discussion in the industry about this right now. And it has been for some time. Like almost every topic in the cybersecurity industry, there's no simple answer. I think a lot of the prevailing story today is that user awareness is almost a panacea of security and risk reduction. That's where we need to go. But for me, I think it's the wrong direction. I'll preface that by saying it will never go away. The need to do awareness and behavioral change management for cybersecurity will never go away. But it's not a primary source of risk reduction. There's a few reasons why. I've held two roles over the past few years, one of which is leading the cybersecurity innovation capability at Airbus. A few years ago, we launched a group of research studies into what we call human-centric cybersecurity. And the idea of that research theme was not just to understand what people do in cybersecurity, not just the behavior from the human-factor perspective, but also to understand why you would do that, when we make those decisions and engage in cyber risky behaviors. For example, we built a team of neuroscientists, so people that could run experiments with EEG caps to understand what's going on in the neurons of the brain when we make decisions. And that allowed us to look at this topic more holistically, and much deeper, to understand how we can interact with people. To preface the discussion, it's not a major change. And for me, the primary part of that is if we put people on the frontline of cyber defense, and we look at phishing attacks, for example. If we are telling people that they must inspect every single link, and that the cyber defense of the whole organization is based upon them recognizing a little envelope in a URL, we've already lost that battle. There's no way we can get that amount of expertise across all of our user bases and keep it current. If we rely on that as a frontline of defense, I think we've failed.
Delaney: That's it from the ISMG Security Report. I'm Anna Delaney. Until next time.