“The continued survival and future of your organization cannot be based upon negotiations with criminals,” was the stark message given by Tanner Johnson, principal analyst of OMDIA, during his session at Black Hat Europe 2021.
Titled ‘Ransomware: The New Terrorism,’ the session was dedicated to ransomware and covered its history, the evolution of the threat, response challenges, escalation to terrorism and mitigation practices.
History of Ransomware (As We Know It)
Johnson’s analysis of the history of ransomware (as we know it) started with the concept of ransom, one with a long history spanning the globe and covering thousands of years: “criminals hold an entity hostage to extort money for its release.” Once stolen, “the criminals provide an official request outlining their demands for the release of said items,” explained Johnson. While ransoms have historically been tied to physical items of value, “they demanded physical logistics.” Today, as we have transitioned into an information-driven society, our dependence on access to data has only burgeoned.
Evolution of The Threat
“How, though, has the threat evolved?” pondered Johnson. “The proof of concept shown from the AIDS Trojan illustrated just how viable this criminal tactic was,” remarked Johnson. As encryption technology evolved, adversaries designed their own advanced ransomware toolkits. “The inception of cryptocurrency technology ushered in the modern ransomware challenges we face today.”
As many know, within 20 years of its first use, criminal ransomware campaigns were regularly making international headlines. This is when the advancement of ransomware as a service utilizing premade toolkits “began to take shape.”
Response Challenges
Many question why responding to ransomware appears to be so challenging. “The severity of the problem has been overlooked or dismissed by organizations within every market since its creation,” rued Johnson. He continued that a central problem is visibility, “which is a crucial component to any security strategy.” Worryingly, “many organizations remain blind.”
Because of this challenge, Johnson claimed that it’s incumbent on organizations to take the initiative to “discover, identify and define their own respective ‘crown jewels’” so they can properly draft an effective incident response.
The chaos surrounding the COVID-19 pandemic has provided “countless vectors of potential compromise, including hybrid working and an increased attack surface,” commented Johnson, and organizations operating in markets deemed by adversaries as “high value” have become primary targets.
Recent events have also brought the threat of ransomware to the forefront, and most organizations are simply “unprepared.”
Escalation to Terrorism
“Today, ransomware has escalated to the point of being terrorism,” warned Johnson. Indeed, the US Department of Justice (DOJ) recently chose to elevate ransomware to the level of terrorism. This decision has “strong implications,” according to Johnson, since victims will now have greater access to government resources. Furthermore, in a promising sign, the Biden administration has also taken steps to improve the nation’s overall cybersecurity posture.
Even with this new classification, “what practical steps should businesses follow when victims of ransomware attack?” asked Johnson.
Mitigation Practices
Effective data management is “vital” for proper defense, warned Johnson, which “requires implementing comprehensive controls throughout its lifecycle.” Organizations must know that the attack vectors available to criminals are growing in number and “require organizational diligence to address,” said Johnson.
Johnson pointed out that the chaos and panic created by ransomware attacks require a strategic and orchestrated response, such as a disaster recovery plan. In addition to actions from the White House and the DOJ, “the Cybersecurity and Infrastructure Security Agency (CISA) has provided organizations with guidance.” Part of this guidance includes some general best practices to help organizations harden their defenses. Moreover, CISA recently released a Ransomware Readiness Assessment module for its Cyber Security Evaluation Tool.
Take Away Points for Organizations
Worryingly, until more organizations act on the severity of the threat, “consistent attacks are expected,” warned Johnson. “Whether organizations recognize themselves as targets is meaningless since criminals don’t discriminate.” Crucially, there are immediate steps businesses can take to mitigate the fallout should they become the victim of an attack. These include using backups and following a cyber incident response plan. Additionally, there are several factors to consider before any organization decides to pay a ransom. “It’s vital to know that it isn’t guaranteed that encrypted or stolen data will be returned.” Johnson concluded that “the continued survival and future of your organization cannot be based upon negotiations with criminals.”