I was recently asked about cyberattacks and their growth this year by Security Magazine. The growing threat of ransomware brings up an unsettling conundrum for the modern enterprise. On the one hand, organizations are buying more security tools and have heightened awareness of cyberattacks and the threats posed by increasingly sophisticated and resourceful cybercriminals. On the other hand, increasingly sophisticated and resourceful cybercriminals seemingly exploit weaknesses and install ransomware at will — profiting immensely in the process.

We saw one of the most notorious incidents in May when Russia-based group DarkSide infected the business networks of Colonial Pipeline,[1] briefly shutting down its gasoline supply operations and triggering a massive panic over fuel shortages on the East Coast. The company paid $4.4 million to DarkSide, of which the U.S. Department of Justice has recovered $2.3 million.

The incident occurred essentially on the four-year anniversary of the WannaCry ransomware attack,[2] which disrupted hospitals, the financial sector, and additional companies in 150 nations in its first three days. The Trump administration identified North Korea as being responsible for WannaCry.

While much has been written about the attacks and the resulting fallout, the core question remains: Why does this keep happening? Overall, there were 304.6 million global ransomware attacks in 2020, an increase of 62% over 2019.[3] Victim organizations now pay nearly $221,000 on average in ransomware payments.[4]

In reviewing and assessing these incidents, it’s clear that there are underlying common factors that set the table for these attacks. Here are three of the factors, along with recommendations about what organizations can do in response:

Criminals are hiding in plain sight — on foreign soil. The Colonial Pipeline and WannaCry incidents illustrate that cybercriminals are targeting U.S. companies from overseas, and because they’re located in countries that are considered adversarial, they face no consequences in the form of extradition and prosecution.

How to respond: We as a nation should lead a global effort that views ransomware as the world’s problem, not just ours. No country is immune from the threat, after all. If we come together to establish international laws and a system of justice to enforce them, the bad guys are no longer on safe ground — anywhere. If our perceived adversaries resist this effort, we can turn to measures such as sanctions, and other forms of deterrence, when these countries are clearly harboring cybercriminals.

Cryptocurrency makes it too easy to get paid. In the old movies, kidnappers would direct someone — a family member or law enforcement officer — to go to a low-key location with a suitcase full of money. Well, cybercriminals don’t work that way. Why would they, when they can easily arrange for hefty payments via digital currency? It’s much more convenient and less traceable than traditional payments. And, if they pocket the cash during a major cryptocurrency market upswing, they stand to gain far more than the amount of the ransom. (The spike in ransomware attacks in 2020 is partially attributed to record highs in cryptocurrency prices.)

How to respond: The Colonial Pipeline incident demonstrates that law enforcement agencies are developing methods to find and recover cryptocurrency-enabled payments. Such capabilities, of course, are currently at a nascent stage. But we can build upon the Colonial Pipeline recovery success to develop better ways to trace cryptocurrency transactions and identify potentially ill-gotten ones while monitoring dark web interactions to prevent these schemes before they’re hatched.

Because there are so many attack vectors, IT and security teams are stretched thin. Cybercriminals realize that there are multiple ways to strike, with remote desktop protocol compromises, phishing emails, and software vulnerabilities emerging as the top ransomware attack vectors.[4] Attackers often look for the path of least resistance, which can frustrate security teams by spreading them thin with respect to personnel and available tools.

How to respond: It starts with visibility. Today, most organizations do not have a good handle on what is happening within their environments. By establishing risk-based vulnerability management and 24/7 detection and response, organizations are better equipped to proactively discover and fix vulnerabilities and protect against potential threats. The more comprehensive and continuous the visibility, the more likely organizations are to prevent infection or isolate issues on a single device before ransomware is able to spread any further across the enterprise.

The WannaCry and Colonial Pipeline incidents starkly convey how much damage ransomware can do. As a result, we have two choices: stick with the approaches that we’ve always used or develop new responses to new threats.

If history has taught us anything, it’s that the status quo can be a recipe for failure. IT and security teams must accelerate their security maturity across prevention, detection, and response, with the help of trusted security partners. At the same time, government agencies and law enforcement must work to deter attacks, gain a handle on illicit cryptocurrency transactions, and take a global stand on catching and prosecuting the perpetrators. If we take on these challenges, we can look forward to a future where cybercriminals don’t collect a single digital dime from these attacks.

Sources:

  1. Feds recover $2.3 million from Colonial Pipeline ransom, SC Magazine, Jun 2021.
  2. U.S. pins WannaCry on North Korea, SC Magazine, Dec 2017.
  3. SonicWall Cyber Threat Report, SonicWall, 2021.
  4. Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, Coveware, Apr 2021.

Lyndon Brown

Chief Strategy Officer | Pondurance

Lyndon Brown brings a career focus in building high-growth technology companies to Pondurance where he is responsible for Product Management, Corporate Development, Marketing, and driving cross-functional performance. Prior to joining Pondurance, Lyndon served as Vice President of Business Development at FireEye Mandiant, where he focused on strategic growth initiatives. As an executive, Lyndon has successfully led product management, M&A, and global partnerships at firms such as Verodin (acquired by FireEye) and Endgame (acquired by Elastic).