Why Ransomware?

We've seen a nearly endless chain of increasingly successful ransomware attacks over the past few months, reaching a fever tempo and threatening life itself for some people (i.e., the targeting of healthcare). The shutdown of the computing systems at Universal Health Services (UHS) is yet another example of how ransomware is literally capable of killing. Surgeries had to be cancelled, treatments postponed, and medications tracked by pen and paper, increasing the risk of dosing mistakes, etc.

Ransomware has hit all types of companies, but healthcare just adds a level of threat to life and limb that hasn't been prevalent in other attacks. There IS a significance to the impact of ransomware itself that is often overlooked: it's entirely preventable.

We know by making that statement there's going to be shouts of "there's no perfect security!" and those shouts are correct. Perfect security doesn't exist. However, "enough security" can, and does exist in many companies.

So, what differentiates the companies with enough security from those that are getting pwnd by cyber criminals, having to make the hard decision of paying them to release control of their systems? It comes down to knowledge and execution.

Knowledge is based in the answers to the following questions:

  • What are your information systems composed of?

  • What vulnerabilities exist within those systems?

  • What controls have been put in place to mitigate or compensate for those vulnerabilities?

  • What gaps remain that need to be covered to create the level of "enough security" for the company to maintain business, even if a successful attack occurs?

Obviously, these four questions merely open the door to a very detailed conversation business owners and operational teams must have to find those answers and subsequently create and implement solutions, but without asking (and honestly answering) those questions, companies are sitting ducks, waiting for Ransomware cyber-hunters to wander across them and take them down.

As far as who owns the responsibility, the C-Staffs and Board of Directors are the ones who need to be driving these conversations. They own the responsibility for ensuring the success of their organizations, and so they need to be driving these hard questions and ensuring their teams are fully engaged both in answering them and in providing the correct solutions for their unique situations. There is no "one size fits all" solution, despite what some security vendors may state.

With the above stated, I'll re-ask the question in the title of this article: Why Ransomware? Because criminals will ALWAYS take the easy money first. Ransomware is literally a turn-key operation now. Ransomware as a Service (RaaS) is real. If you're a petty criminal and want to partake in the windfall, you simply sign up, set up your account, and start sending out phishing emails with weaponized PDFs or links to download the pre-made malware.

The more sophisticated criminal enterprises are taking it one step further, of course, and phishing for whales... the UHS's and Pitney Bowes of the world. They spend time finding just the right entry vector to ensure successful deployment of their ransomware, but the effect is the same: a company becomes hostage to a criminal.

The Ransomware business, and it IS a business, continues to work because there are plenty of organizations out there who have not answered those four questions and implemented the controls necessary to gain "enough security". They've not hardened their systems, eliminated vulnerable shadow IT, implemented defense-in-depth (or its evolved version, Zero Trust Architecture), and ensured they have an off-site, immutable backup of both systems and data implemented and tested to ensure it actually works when needed.

The criminals are profiting as a direct result of inaction on the part of organizations of all sizes who are taking the head-in-sand approach to cyber defense. The larger the organization, the more effort required, but it's not an impossible task for anyone. There is no silver bullet to fix ransomware, despite what some vendors might tell you. Instead look towards a focused program of security to defend against these malicious opportunists.

If you are one of those who feel overwhelmed by the scale of the problem, reach out for help. Digital Defense Security isn’t the only competent team out there who can guide you, but our Level 20 system is designed to increase your defense posture incrementally and intelligently, until it indeed becomes “enough security.” With competent help, your company or organization can build out a defensive posture that will deny the prize to the cyber-criminal targeting your organization. When the payout of ransomware starts getting consistently denied, it will become less and less of an issue, and ultimately fade away…
