The following article was written for Secure360.org as part of the information presented in an hour-long presentation I gave in Minneapolis entitled Data, Identity & Compliance Under Attack: Trends for 2018 and Beyond and has been syndicated here.
In 2016, I provided predictions in an article entitled The (Immediate) Future of Ransomware. I indicated ransomware was going to grow and find other vectors for infection outside of simply malware links. Those predictions come true on a massive scale in particular with the WannaCry and Petya outbreaks, driven by system vulnerability vectors just as I foresaw.
In this article, let’s consider the overarching drivers behind ransomware and then consider it philosophically from an enterprise perspective. Our philosophy around any given cybersecurity threat is going to necessarily inform our view of that threat and how to effectively address it.
Another question to address: Is there a lesson we can learn from ransomware that we can carry over into other threat areas we perhaps aren’t seeing clearly and effectively addressing?
Ransomware Is About Numbers
From an overarching perspective, ransomware is about numbers, both in terms of its motivation as well as its continued success from a high level.
Instead of ransomware going away, ransomware has actually increased by 750% since 2016. Why? The continued success and increase are for reasons I stipulated in my last article as well as a few more I’ll point out here.
Criminals readily see the advantage and hold our own data for ransom through encryption, and yet we as technologists can’t see the value of encryption coupled with strong access controls as an effective deterrent strategy against the exfiltration of company information.
Enterprises should be taking a page from the bad guys…
Companies Are Still Paying
For one, companies are still paying ransoms. TrustLook stipulates that 38% of ransomware victims pay the ransom, resulting in hundreds of millions of dollars in payouts in 2016 and 2017. Why companies are paying (and whether they should) would make room for discussion in another entire article, but suffice it to state simply here, companies are still paying.
Ransomware Is Now Easy
Secondly, initiating ransomware has gotten easier. With ransomware kits and Ransomware-as-a-Service (RWaaS) now available, it’s easy for a technical novice to get involved in advancing ransomware attacks. Buying of ransomware kits and use of RWaaS has dramatically increased the rate and made ransomware writers rich.
The latest approaches no longer sell kits or services for a set price but instead stipulate as much as a 50% cut of any ransomware profits generated by the kit or service.
Easy Money Laundering
Thirdly, money laundering ransom payments have a new and very significant digital enabler: Bitcoin. As in any criminal scheme where financial gain is the goal, how does one remove risk from the backend of the transaction? No criminal wants the vehicle of payment to come under jurisdiction and be monitored, traced, seized, or closed. While law enforcement is aware and has some inroads into addressing Bitcoin payments, Bitcoin represents a darker side of digital transformation and is by far one of the most significant enablers of the spread of ransomware.
Criminals readily see the advantage [of encryption]… and yet we as technologists can’t see the value of encryption coupled with strong access controls as an effective deterrent strategy against exfiltration of company information.
Stopping Ransomware Is About Access Control
Finally, at base, ransomware enablement is still about access and not necessarily about the initiation vector, be it through malware links or through system vulnerabilities. Simply put, ransomware can’t take place when access to files is denied within the context the ransomware executable attempts to run within.
The Hidden Philosophical Lesson of Ransomware
The hidden philosophical lesson of ransomware is perhaps the most intriguing and yet the least considered and exercised. What one big lesson can we learn from ransomware?
That encryption is highly effective.
Why do criminals understand the effectiveness of encryption and we as enterprise strategists do not? Why is encryption consistently seen near the bottom or not listed at all on enterprise cybersecurity strategies?
I recently provided consultative advice for a major billion-dollar VAR regarding a very popular hyper-converged reference architecture. During our time, I was informed that of the 25 to 30 Fortune 500 companies who spec’d out that technology, not a single company asked for that infrastructure to be delivered with encryption capabilities. Not one.
Criminals See & Leverage the Value of Encryption – Why Can’t We?
Criminals readily see the advantage and hold our own data for ransom through encryption, and yet we as technologists can’t see the value of encryption coupled with strong access controls as an effective deterrent strategy against the exfiltration of company information.
True, encryption alone doesn’t stop ransomware as I stated in 2016. But ransomware isn’t the only significant enterprise threat and billions continue to be spent on strategies proven to be ineffective in stemming the tide of data exfiltrated from companies every year.
Our philosophy around any given cybersecurity threat is going to necessarily inform our view of that threat and how to effectively address it.
Approximately 7.8 billion records were breached in 2017, resulting in untold billion-dollar loses based on per instance value of those records, forensics, cleanup, fines, and brand recognition damage. In many cases, encryption was admittedly not used and would have been effective in protecting company and consumer data.
Our Philosophical Conclusion
Ransomware is driven by big numbers and isn’t going away. In my next article, I’ll provide a generic, high-level enterprise roadmap for defending from and responding to ransomware.
In the meantime, philosophically speaking, enterprises should be taking a page from the bad guys. This entails allowing themselves to see the incredible power and value of encryption with strong access controls as a standard enterprise strategy for protecting data in the face of other significant threats.
As always you can engage with me online via Twitter @ChrisEOlive.