by Afzal Ballim

Ransomware: ‘World War Business’ and the post-modern CIO

Apr 13, 2016
Cybercrime, IT Strategy, Security

How ready are you for the all-out technology war being waged against your organization?

You can’t have failed to have heard about the recent outbreak of ransomware (software designed to block access to IT assets until a ransom is paid) that has hit medical care facilities in the US. In at least one case, Methodist Hospital in Henderson, Kentucky, a ransom is reported to have been paid. The hospital was forced to declare a state of emergency when patient files were locked, and ended up paying to have them unlocked. There are different claims about the amount paid, ranging from $17,000 to an awful lot more.

MedStar, a group of 10 Maryland hospitals, was struck by ransomware called Samsam at the end of March, with hackers offering a bulk deal to unlock the systems. The attacks on medical facilities are likely to be due to two factors:

  1. Putting lives at risk increases the pressure on the teams trying to resolve the issue. Faced with the risk of losing a patient (which could also have huge financial implications for the facility if they are judged to have been negligent), management are unlikely to give the CIO’s team time to do much to resolve the issue;
  2. A belief by the hackers that such facilities may have less experience in dealing with hacking, as they have not, previously, been targets.

Even if you are not in the medical field, this should have you worried. In fact, this should have you very worried. We are entering a new era of organized crime and your teams are going to be at the forefront.

Image: computer virus detection, by Starkus01 (own work), CC BY-SA 4.0, via Wikimedia Commons

IT security – past and present

Since the late 80s and early 90s, with the advent of the first computer worms and Denial of Service attacks (DDoS), security has been an important element of every CIO’s agenda. The establishment of Computer Emergency Response Teams (CERTs) comes from this era.

In the 90s MELISSA caused massive email failures, while in the 2000s the rise of online shopping led to the targeting of credit cards, with just one group reportedly costing US company TJX some $256 million. Data breaches had suddenly become a subject touching regulated information, and the economic consequences began to mount. As the years progressed, data breaches became of greater and greater concern at the board level, with fallout leading to even greater financial loss, loss of customer confidence, and resignations up to the level of the CEO themselves.

While data breaches, theft and DDoS have become commonplace events that only warrant mention in the press when the scale affects millions of people, new threats have emerged in recent years that are worrying. For any organization with a net presence, malware propagating through adverts on your corporate site (malvertising) will tarnish your organization’s reputation and open you up to potential litigation.

Many sites, such as Forbes, beg people not to use Ad blocking software only to immediately serve us malware in ads! Other companies are actively attacking the creators of Ad Blocking software claiming that it presents a threat to their business. If such a site is then the vector of a huge distribution of malware, it is almost inevitable that someone will sue them.


The post-modern CIO and the world of tomorrow

In my previous article, I began describing how I see the next generation of IT and the Post-Modern CIO who will lead it. As if data breaches and DDoS attacks weren’t enough, the world is going to get an awful lot worse for tomorrow’s business, and ransomware is only the tip of the iceberg.

The current generation of ransomware attacks are generally using known exploits (such as through JBoss), and aren’t always smart in the encryption techniques that they employ (sometimes only using XOR). The low risk and sheer size of the economic gains that criminal organizations can make through this, however, make it inevitable that future attacks will be more and more complex, and increasingly devastating in potential. Stu Sjouwerman in his book “Cyberheist” says that:

“Not since the markets melted down, and the recession sank its icy hooks into the business climate in 2008, has American business faced a threat as serious as the current cybercrime scene. Small to medium enterprises have been hard-hit in particular, amounting to tens of millions of dollars being stolen out of their bank accounts.”

In my opinion, worse is yet to come. Cyberwarfare conjures up, for most people, images of nation against nation using cyber means of espionage and sabotage to try to decimate infrastructure, financial markets and essential services, probably prior to a traditional war. Yet, the weapons of cyberwarfare are no different from those of the cybercriminal. The new weapons became apparent with Stuxnet. Imagine being held to ransom not by encrypted data, but by threats to use your company’s technology to create mayhem and death!

While states may have far greater resources at their command than criminal organizations, rogue nations and former members of state research going into crime make it hard to believe that anything developed today by a nation won’t be used tomorrow by criminals, and states may themselves engage in criminal activities against business (a concern noted as far back as 2011).

It is my profound conviction that the post-modern CIO is going to be living in a constant state of virtual warfare, waged on a scale proportional to the size of the organization. With cybercrime already estimated to be 1% of global income in 2015 and growing, the CIO of tomorrow needs to see cybercrime in a completely different light from our traditional security concerns. We are entering the era of “World War Business.” Gone are the days when IT security was only about firewalls, anti-virus software and training personnel about good email and surfing habits. Security risks are now about the economic survival of the organization, and potentially about threats to life. The post-modern CIO needs to plan accordingly.