Ransomware is, yet again, snatching up headlines, with one of the U.S.’ largest pipelines, operated by Colonial Pipeline, the latest victim of cyberattacks. Before that, it was technology giant Apple that was caught in the ransomware crosshairs via its partner Quanta Computer, and even before that, Sierra Wireless fell victim.
In between the most high-profile cases exists a trove of nearly countless ransomware attacks targeting businesses of all types and sizes. The threat is growing so much, said Black Kite Chief Security Officer Bob Maley, that he now describes the risk as an “epidemic.”
But unpacking the landscape of ransomware is a difficult task. Understanding whether a company is at risk, how threatening that risk is and what to do about it is far from a straightforward process. Law enforcement officials, in a persistent effort to raise awareness, have warned businesses time and time again: Either a company has been breached and knows about it, or a company has been breached and doesn’t know.
That’s not entirely true, Maley told PYMNTS in a recent interview. The good news is, “There are more vulnerable systems on the internet than there are bad actors,” he said. The bad news, of course, is just how prolific system vulnerability is.
Understanding The Threat
As the ransomware threat expands, more businesses are discovering that some of the greatest areas of vulnerability exist outside of the enterprise. Cyberattackers are taking advantage of opportunities found along the supply chain with company business partners and suppliers.
This reality makes it increasingly difficult for businesses to shut those doors to bad actors. Convoluting this effort even further is the fact that there are not necessarily any surefire ways to determine whether a company will or will not be targeted in a ransomware attack.
Black Kite’s recently developed Ransomware Susceptibility Index (RSI) aims to bring clarity to the landscape. Operating in Beta, the Index enables businesses to understand the ransomware attack risk of their vendors on a scale of 0.0 to 1.0 based on a variety of so-called controls.
It can be a valuable tool, but one that Maley noted should not be used in isolation. Rather, it acts as one component in a company’s broader cybersecurity effort. After all, as he warned, just because a business has a high RSI score does not guarantee they will be breached — likewise, a low score doesn’t assure immunity from the threat.
Identifying The Risks
Phishing attacks remain one of the most common methods that ransomware attackers use to infiltrate business systems, steal credentials and trick employees. But Maley noted that there are vectors that are even more tightly correlated to a ransomware attack. Among them is the availability of remote desktop access to systems from the internet. Interestingly, however, this does not mean that the business ecosystem’s widespread use of remote working models over the last year has necessarily caused greater exposure to the ransomware attack.
“I think remote working has been implemented fairly securely,” Maley said. “I don’t think that’s why we’re seeing an increase. I think it’s a little bit more fundamental: There are a lot of vulnerable systems that are on the internet. From an IT perspective, not knowing what you have on the internet, and not knowing what’s vulnerable, that’s the problem.”
Mitigating those vulnerabilities should be No. 1 on the security checklist. Even simple measures, such as implementing DMARC, DKIM and SPF email security protocols, can be immensely effective — and yet, noted Maley, many businesses are failing to take action.
To Pay, Or Not To Pay?
A proactive approach to combating the ransomware threat is essential — but alas, 100 percent immunity is not a realistic goal. The assumption that a company will inevitably be hit by a ransomware attack has led some firms to plan ahead — not necessarily to safeguard their systems, but rather, to more quickly pay the ransom and (hopefully) regain control of data.
As the debate over whether businesses should or should not pay the ransom intensifies, Maley noted that efforts reflect a misguided strategy. “You need to ensure that you don’t have to make the decision to pay or not pay,” he explained. “One preparation can be to have a bitcoin account set up. But the caveat is that you have already emotionally decided to pay, and the ramifications of paying are far more than just paying off bad actors.”
There is no guarantee that an attacker will actually return control of systems and data once they have been paid, nor that the attacker won’t simply ask for more money. What’s more, he noted, even after data control has been reinstated, that bad actor may retain that information and sell it for profit.
The better strategy involves consistent data backups. Widespread use of this practice will mean ransomware is no longer as lucrative to bad actors. Unfortunately, the sad truth is that once ransomware phases out as the attack strategy of choice, another method will inevitably pop up. Cybersecurity is an ever-evolving effort, and where there is money, there will be crime.
But as organizations continue the debate over what to do once they have been hit by a ransomware attack, Maley said the conversation should instead focus on how to avoid it altogether. “I’m not saying we become 100 percent immune, but we work to raise our immunity levels,” he said. “And yes, there are tools today that can help.”