As organizations adjusted to pandemic-induced remote work, cybersecurity experts worried that cybercriminals would take advantage of relaxed security habits, and if that happened, the aftermath could result in massive cyberattacks.
Well, during the worst of Covid-19, phishing campaigns skyrocketed, many of them centered on coronavirus concerns, testing, and later, on vaccines. And now we are seeing the impact of those campaigns – a surge in ransomware attacks. Sophos has reported that 51% of organizations worldwide were the target of a ransomware attack in the past year, with criminals successfully encrypting data in 73% of these cases. At this point in time, not only does it seem like each new ransomware announcement is bigger than the last, but we’re seeing how ransomware can impact everyday life. After a short reprieve, threat actors have resumed their assault on healthcare, taking down access to equipment like MRI and X-ray machines and patient data.
While many of the attacks have targeted small and mid-size businesses – even my local veterinarian had their records encrypted – they also have gone after bigger fish, most significantly in the critical infrastructure pond. The Colonial Pipeline attack created a panic that led to gas shortages. Cybercriminal groups like REvil have shut down food-source supply chains and are now responsible for the latest ransomware attack on software vendor Kaseya, which has impacted hundreds of companies worldwide. REvil is extorting $70 million from Kaseya, the largest ransom yet, at least as of this writing.
With as quickly as ransomware attacks are happening, and with larger and more critical targets, it won’t be long before we see ransoms upwards of $100 million. CISA released a warning that operational technology assets and controls are a rising target for ransomware attacks.
It’s all about the end game – financial gain for criminals
Where in the system the ransomware appears doesn’t matter. At this point, if impacted, incident response teams will need to tell leadership to shut everything down until the attack is resolved. You can’t take the risk that the threat will impact everything else and give the cybercriminals the ability to “island hop” between clusters and infect anything else. The threat actors have one primary end game and that is to make as much money as possible. They don’t care how much destruction it causes as long as they get the gains.
Every organization is susceptible to ransomware, but some are at greater risk than others. Two organizations could appear to be almost identical – same industry, same regulations, similar approach to cybersecurity – and yet one is more likely to be attacked than the other. Some of that is due to human behavior – one mistaken click on a phishing email by a vendor’s employee can take an otherwise secure company down the ransomware rabbit hole.
There are many issues at play that increase your organization’s susceptibility. The security industry is just starting to understand these critical factors that can make one organization stand out as a more likely soft target. For example, data derived from scanning publicly visible Remote Administration Ports, email configuration parameters, application and operating system patch levels, and other factors in the overall IT architecture can be used to derive a relative risk profile. Combining this data with other factors, such as the volume of the organization’s credential data found on the dark web, it is possible to estimate whether adversaries are more or less likely to attack, in particular relative to others in the same industry or those who have been attacked previously.
Solutions exist that leverage machine learning to help organizations create a risk score based on their vulnerabilities, and even extend the vulnerability rating analysis to the third parties in their supply chain. What happened to Target a few years ago should have been a wake-up call regarding third-party risk, but too many companies still ignore the fact that an error or vulnerability in a vendor’s system can result in an attack. The bad guys can easily tunnel through those little guys/or third parties to a company where real damage can be done, and more money can be made.
What ransomware susceptibility looks like
How does your company answer the following questions:
- Financial impact. How big is the risk you are facing with your cybersecurity posture and how do you balance that with spending output based on potential financial loss?
- Cyber vulnerability. How vulnerable is your organization to a cyberattack?
- Do you know your third-party risks?
- How do outside attackers see you? Attackers have more insight into your company than you may realize, even if that insight comes from attacks on other organizations within your industry. They know what happens when the critical infrastructure is hit, for example, they saw the reaction by Colonial Pipeline, and they will look to exploit similar companies with similar vulnerabilities.
Depending on how companies respond to these issues, an analysis derived from ML and AI can provide insight on how you compare to companies that have suffered a ransomware attack, and how you can avoid becoming the next victim.