Today’s columnist, Lyndon Brown of Pondurance, says costly ransomware attacks like the one on Colonial Pipeline will keep happening until security teams can build visibility into corporate networks that catch these attacks before they happen. peripathetic CreativeCommons CC BY-NC-SA 2.0

The growing threat of ransomware brings up an unsettling conundrum for the modern enterprise: On the one hand, organizations are buying more security tools and have heightened awareness around cyber attacks and the threats posed by increasingly sophisticated and resourceful hackers. On the other, hackers exploit weaknesses and install ransomware at will – profiting immensely in the process.

We saw one of the most notorious of these incidents in May, when Russia-based group DarkSide infected the business networks of Colonial Pipeline, briefly shutting down its gasoline supply operations and triggering a massive panic over fuel shortages in the East Coast. The company paid $4.4 million to DarkSide, of which the U.S. Department of Justice recovered $2.3 million.

The incident occurred essentially on the four-year anniversary of the WannaCry ransomware attack, which disrupted hospitals, the financial sector and additional companies in 150 nations in its first three days. The Trump administration identified North Korea as being responsible for WannaCry.

Although much has been written about the attacks and the resulting fallout, the core question remains: Why does this keep happening? We just had another big ransomware attack against Kaseya and up to 1,500 of their customers over the July 4th weekend. Overall, there were 304.6 million global ransomware attacks in 2020, an increase of 62 percent over 2019. Victim organizations now pay nearly $221,000 on average in ransomware payments.

In reviewing and assessing these incidents, it’s clear that there are underlying common factors which set the table for these attacks. Here are three of the factors, along with recommendations about what organizations can do in response:

Criminals are hiding in plain sight – on foreign soil. The Colonial Pipeline and WannaCry incidents illustrate that hackers are targeting U.S. companies from overseas and – because they’re located in countries considered adversarial – they face no consequences in the form of extradition and prosecution.

How to respond: We as a nation should lead a global effort that views ransomware as the world’s problem, and not just ours. No country stands immune from the threat, after all. If we come together to establish international laws and a system of justice to enforce them, then the bad guys are no longer on safe ground – anywhere. If our perceived adversaries resist this effort, then we can turn to measures such as sanctions, and other forms of deterrence, when these countries are clearly harboring cyber criminals.

Cryptocurrency makes it too easy to get paid. In old movies, kidnappers would direct someone – a family member or law enforcement officer – to go to a low-key location with a suitcase full of money. Well, hackers don’t work that way. Why would they, when they can easily arrange for hefty payments via digital currency? It’s much more convenient and less traceable than traditional payments. And, if they pocket the cash during a major cryptocurrency market upswing, they stand to gain far more than the amount of the ransom. Actually, we can at least partially attribute the spike in ransomware attacks in 2020 to record highs in cryptocurrency prices.

How to respond: The Colonial Pipeline incident demonstrates that law enforcement agencies are developing methods to find and recover cryptocurrency-enabled payments. Such capabilities, of course, are currently at a nascent stage. But we can build upon the Colonial Pipeline recovery success to develop better ways to trace cryptocurrency transactions and identify potentially ill-gotten ones, while monitoring dark web interactions to prevent these schemes before they’re hatched.

Because there are so many attack vectors, IT and security teams are stretched thin. Hackers realize that there are multiple ways to strike, with remote desktop protocol compromises, phishing emails and software vulnerabilities emerging as the top ransomware attack vectors. Attackers often look for the path of least resistance, which can frustrate security teams by “spreading them thin” with respect to personnel and available tools.

How to respond: Companies need to start with visibility. Today, most organizations do not have a good handle on what’s happening within their environments. By establishing risk-based vulnerability management and 24/7 detection and response, organizations are better equipped to proactively discover and fix vulnerabilities, and protect against potential threats. The more comprehensive and continuous the visibility, the more likely organizations can prevent infection or isolate issues on a single device, before ransomware can spread any further across the enterprise.

The WannaCry and Colonial Pipeline incidents starkly convey how much damage ransomware can do. As a result, we have two choices: Stick with the approaches that we’ve always used, or develop new responses to new threats.

If history has taught us anything, it’s that the status quo can be a recipe for failure. IT and security teams must accelerate their security maturity across prevention, detection and response, with the help of trusted security partners. At the same time, government agencies and law enforcement must work to deter attacks, gain a handle on illicit cryptocurrency transactions and take a global stand on catching and prosecuting the perpetrators. If we take on these challenges, we can look forward to a future where hackers don’t collect a single digital dime from these attacks.

Lyndon Brown, chief strategy officer, Pondurance