The threat from ransomware continues to grow and the situation will only get darker before mitigation efforts prove reliable and the miscreants move on to another attack vector.
This was just one of the points made by a panel of four noted cybersecurity experts gathered in midtown Manhattan on Wednesday morning for the Dell Data Security Ransomware Roundtable.
"Ransomware impacts business in different ways," said Brett Hansen, executive director at Dell Data Security Solutions. "For Fortune 500 companies it's a nuisance, a cost and a distraction from being able to identify more important threats. For smaller businesses, it's more of an issue."
And, for a third group, the health care sector and government, the expectations of data and employee access to the data can lead to a more profound impact, Hansen said.
For large organizations, ransomware is an availability attack, which means you don't have access to your data, added Jon Ramsey, CTO at SecureWorks.
Brett Hansen, executive director, Dell Data Security Solutions
Michael Kaiser, executive director, National Cyber Security Alliance (NCSA)
Zach Lanier, director of research, Cylance
Jon Ramsey, CTO, SecureWorks
Where the pain is greatest is where precautions have not been taken, said Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA). But, he added, partnerships are one way to help the situation. He pointed to MS-ISAC (Multi-State Information Sharing & Analysis Center) as a prime example where small businesses and government agencies receive assistance (that is paid for by the federal government).
Ramsey agreed. The reality is that the space is too complicated for average users, he said. "Small businesses and government need partners who are more expert."
He broke the attack vector down into two components: Commodities, where attackers launch indiscriminate campaigns, and Targeted, where the criminals craft their attacks and customize the malware to make it specific to an organization.
In the Commodities space, hundreds of malware families have already been detected, Ramsey said, with the top four ransomware campaigns being:
- Locky – Run by one single group who in turn utilizes two main affiliate groups to seed out the ransomware;
- Cerber – The SecureWorks Counter Threat Unit saw Cerber emerge in February 2016, and the hackers who were using CryptoWall switched over to Cerber;
- TorrentLocker – It is the elder statesman of the ransomware ecosystem and is run by a single hacker group.
While Ramsey pointed out that 70 percent of targeted organizations are in North America and the coding is written in English, panelist Zach Lanier, director of research at Cylance, told the small group of reporters at the breakfast roundtable that the authors are usually from Russia or former Soviet-block countries.
Two technology shifts have made ransomware attractive to financially motivated threat actors, said Ramsey: More sophisticated cryptography and the ability of Bitcoin to facilitate transactions.
When asked whether victims should pay, he said, "It depends."
Ramsey elaborated in a followup email: “Although SecureWorks hates to see any organization or individual have to pay hackers a ransom in order to gain access to their encrypted computer files, we do understand that many times those encrypted files are critical to one's business or personal life. Thus, the victim often does not have a choice in the matter. In these cases, SecureWorks believes if the ransom must be paid, then so as not to end up in this unfortunate position again, computer users need to be sure to implement security steps which will help them avoid being infected by ransomware again. Also, should they get compromised by ransomware a second time, make sure to always back up one's critical files with so-called cold, offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often not sufficient because some ransomware families encrypt these files in the same manner as those found on the system drive.”
Also aiding the bad actors has been their ability to learn about customer service, Hansen said. They've increased their level of assisting their customers, taking them through the steps necessary to set up a Bitcoin exchange, for example.
Lanier agreed, explaining the rise of ransomware as a service: "There are places to go where criminals can customize a ransomware kit," he said.
The Angler Exploit Kit is the most prevalent, said Ramsey. "The underground market is emerging and business models are quickly evolving."
This is the evolution of cybercrime, Kaiser said. "It's a shortcut to the money."
And, while ransomware has been around for quite a while, Ramsey added, with Bitcoin its value has grown and it has become one of the most attractive ways to monetize cybercrime. In fact, he pointed out, ransomware is growing so fast that it has brought about a fundmental shift in tactics owing to its success rate.
What about a cure? Well, don't go looking to anti-virus solutions. "Companies are using signature-based anti-virus, but that is no longer effective against ransomware," Hansen said.
Lanier agreed. "It's garbage," he said. "Ransomware is difficult because it's legitimate software that is hard to identify without false positives. It's growing so fast it's hard for the AV vendors to keep up."
What helps, Lanier said, is to have backups and to keep patches and auditing configurations up-to-date. But, he admitted, there is no panacea.
There is new technology emerging that moves beyond legacy models we've been using, said Hansen.
Beyond technological tools, another piece of the defense-in-depth strategy is user education, the panelists agreed. "Cybersecurity has to be considered for all businesses," Hansen said. Helping people become cognizant of making silly errors is key.
"We're seeing more and more companies offering user education," Kaiser said. "It's important."
But, there are caveats. Hansen admitted that even though there is a lot of user education, the vast majority of employees believe that cybersecurity is not their responsibility. "If end-users continue to be the weak link, attackers will continue to exploit the vulnerability and maintain their assaults," he said.
Ramsey added that users should know enough to not click on a suspicious link. "They don't necessarily need to know about ransomware," he said.
As ransomware campaigns continue, there is hope that mitigation tactics are evolving that might eventually render them less effective, said Lanier. At this point, the attackers will move on.
And, he added, the Internet of Things is a ripe vector for attack, particularly as delivery mechanisms could enable miscreants to get into critical infrastructure. "We have to start thinking about security controls for these devices," he said.
How do we solve this? Ramsey said it will get worse before it gets any better, but partnerships are helping.
Kaiser agreed. "Criminal activity is opportunistic," he pointed out. "The faster a small business can defend itself and do the basics – recover and respond – that makes it less profitable for the attackers."