Anna Delaney: Is the tide finally turning on ransomware, and how can security leaders improve their use of metrics to achieve better outcomes? These stories and more on this week's ISMG Security Report.
(Theme music)
Hello, I'm Anna Delaney. Could we finally be winning the battle against ransomware? The latest figures suggest that the number of victims who pay ransom has been decreasing, so too has the average amount that a ransomware victim pays when they choose to pay a ransom. Those findings come from ransomware response firm Coveware. Joining me to discuss this new report is Mathew Schwartz, executive editor of DataBreachToday and Europe. Matt, this looks like welcome, if overdue, news.
Mathew Schwartz: Indeed! It's fascinating to see how the ransomware picture continues to evolve. And one of my sources of information for that is these Coveware reports that get issued quarterly. One of the reasons I like them is Coveware is involved in thousands of cases every quarter. You might not necessarily know who the organizations are that it is assisting, but it wraps up the real-world, actual ransomware victim trends that it's seeing. As you noted, the number of ransomware-hit victims who opted to pay a ransom has declined—from 85% of victims paying at the beginning of 2019 to 46% paying at the beginning of this year. So 85% down to 46%—a great improvement. When victims do pay a ransom, we've seen some variation in recent years. But recently, from the end of last year to the beginning of this year, the amount that they paid declined, down to about $210,000. That was down a third from the previous quarter. This is welcome news. And Coveware says that the trend of fewer victims paying, especially, is demonstrable. It adds: "This is what progress looks like when it comes to battling ransomware. It's slow. There's no single variable that explains it, but it's a fact." So, if these trends keep up, in a few years, hopefully, the ransomware picture may look very different.
Delaney: This is great news. But surely there's an X factor here. Ransomware-wielding criminal syndicates surely won't just be sitting idly by.
Schwartz: Innovation remains rife. You've got a bunch of criminals who found a really great way to make money. When you see ransomware revenue stagnating, they'll introduce innovative new services. For example, the Maze group started stealing data before crypto-locking systems, so they could attempt to get a ransom paid not only for a decryptor but also in exchange for their promise not to leak the stolen data. Other groups have doubled down on that strategy, and we saw the number of ransoms being paid really increase for a while. Other strategies have been DDoS attacks against victims who don't quickly pay. Some crime groups even contract with call centers to phone victims and say, "We've crypto-locked your systems." Some go a step further and call the victim's customers to try to get them to complain that the victim hasn't paid the ransom. We've had lots of different approaches here. But at the same time, we've seen a big shift in the ransomware-as-a-service model. That's been driven by some big mistakes. Last May, DarkSide hit Colonial Pipeline. Shortly thereafter, REvil hit meat processing giant JBS and later, software developer Kaseya. And those big infections, or infections of large targets, drew unwelcome (for the criminals) pressure from Western law enforcement agencies, who pursued the groups, attempted to disrupt them and actively disrupted their infrastructure. In response, a lot of these groups have gone dark, and attackers by and large have changed or have been experimenting with new tactics. For example, Coveware reports that fewer attackers are crypto-locking systems; instead, some of them are stealing the data and using the threat of leaking it as their attempt to get a ransom paid. The criminals are hoping this doesn't provoke the type of law enforcement response that was experienced by DarkSide or REvil. Law enforcement can't pursue all of the bad guys. Will this strategy work for the criminals? We'll see.
But we've also seen big brands becoming less valuable, a fascinating trend there. Someone recently tried to reboot REvil. We know this because some of the darknet sites associated with the group came back online. Some security experts think that maybe it was a former developer rebooting REvil. But the point for me there isn't that the group has relaunched, it's that the brand has been brought back again. And so you do see this attempt to cash in on the cachet of these names. At the same time, you have a lot of groups spinning off on their own, more so than before, because being associated with the likes of DarkSide or REvil hasn't necessarily been as easy or free of risk as they might have hoped. So we're seeing lots of different strategies. It's unclear yet how all this might shake out.
Delaney: What's your advice to organizations? How can they be doing a better job to defend themselves against ransomware?
Schwartz: The bad news is, we still see the same two top attack vectors. Coveware reports that in the first quarter of this year, phishing overtook remote desktop protocol compromises as the top way that attackers were breaking into victims before they unleashed their crypto-locking malware. After that come software vulnerabilities. Those have also been increasing recently, so typically known exploits that organizations have not yet patched. There again are the top three: beware of phishing, lock down your remote desktop protocol, or RDP, and try to patch or at least have defenses in place against the exploitation of known vulnerabilities. There's also been an increase in social engineering in Coveware's reports. That can include things like phoning up the IT help desk and pretending that you need access restored. If you're a criminal and you get this remote access, you can release your ransomware. To prevent that, Coveware recommends better user training, especially for IT help desks. It also recommends blocking the installation of legitimate tools that are unapproved. This means remote access tools such as TeamViewer, LogMeIn or GoToAssist. It doesn't come out and say this, but this must be a finding that's resulted from some of the recent cases they've been investigating. They found shadow IT, or an attacker somehow convincing someone, perhaps an IT help desk, to install a remote access tool. The attacker has remote access credentials, they get in, and they unleash ransomware. None of these things are sophisticated, but it does require some planning to make sure that you don't fall victim to these repeat attack vectors.
Delaney: Very good. Thank you, Mathew, for your advice. And some good news, finally!
Schwartz: Thankfully, yes.
(Transition ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: We all know that healthcare entities, in particular, are often stretched for IT and security budget and resources. So what can they do to better protect digital identities, given this Herculean challenge? That's a question our executive editor of HealthcareInfoSecurity, Marianne Kolbasuk McGee, posed to Carolyn Crandall, chief security advocate of Attivo Networks. Here's her advice:
Carolyn Crandall: It starts with visibility and being able to not just understand your network assets, but understand where your exposures are related to credentials, exposures in Active Directory, which is one of the main systems that's used for directory services and granting authorization to things. You want to be able to understand if there are exposures and misconfigurations, or live attack activity going on, to be able to stop that early in the attack process. Look at the credential exposures, look at how they would escalate their privileges, look at how they would attack Active Directory, and look at it in the cloud too, because we have seen attacks that jump from on-prem to cloud and cloud to on-prem. You need to be able to understand what those attack paths look like, or those associations, and remove those risks as much as possible. We understand it's not always practical to be able to do that. The next thing is there's a trend that Gartner has called out as a 2022 top trend around identity threat detection and response - that is, to be able to detect the attacks on Active Directory and to be able to respond very quickly. I would say, get visibility around identity exposures, get the identity threat detection and response into the organizations. If you could only do one thing right now, it would be to look at protecting your Active Directory environment. We know it's what the attackers are going after; we've heard it from incident responders like Mandiant, KPMG and others. We hear from our own customers that they're going straight for Active Directory, and there are very efficient tools now to protect it. I really encourage people to take a look and understand where those exposures and risks are and mitigate them, because if they can't gain control of Active Directory, they won't have the control to do a lot of the damaging things that they do.
Delaney: And finally, the number of organizations being breached is on the rise, according to Forrester's 2021 State of Enterprise Breaches report. Its author, Forrester analyst Allie Mellen, says it's important to lead your organization with data and metrics to ensure that you aren't missing attacks from other more prevalent factors. I asked her for her thoughts on how security leaders can improve their use of metrics to achieve better outcomes. Here's her response:
Allie Mellen: When I think of gaps in the metrics that security teams are using, it's about more than just looking at something like mean time to remediate. You also need to understand: how long did it take to investigate? What was the completeness of the response? Were you able to respond and prevent the issue from happening ever again? Or were you just able to close this gap right now, or address this attacker for right now? All of the security metrics that we use have to be multi-dimensional if we want to get real value out of them on an operational level. One of the things that I recommend to security leaders is, when you're thinking about how your SOC is organized, have someone who probably isn't technical at all, maybe isn't even involved in security - you can grab them from the operations team - just someone to set up all of these metrics, to track all of these metrics for you, so that they can help you identify areas for improvement. The last thing that we want is a completely optimized and efficient SOC. I know that sounds a bit crazy, but ultimately, we need resilience in the SOC. And that's about having backups and having multiple ways of getting to a particular outcome. But even just knowing that, hey, it's taking our analysts this long to do analysis, to execute on response, you can start thinking about where process improvements could be, to maintain resilience, to maintain quality, and to even potentially make the system a little more efficient.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time!