What ransomware reveals about our cybersecurity strategy

“Spoiler Alert -- settling for monitoring and mitigation, not prevention, courts disaster”

Ransomware is here to stay. Worse yet, the blind spot in your cybersecurity that Ransomware exploits may lead to damage well beyond “simple payoffs.”

Imagine logging in to your network to find this message: “All of your files have been encrypted. You have 72 hours to obtain a secret key to unlock your files, or else they will remain locked forever. The price to obtain the key is $100,000 worth of Bitcoin.” Worse yet, what if the bad actor was threatening to destroy your back-ups, having already encrypted your files?

Unlikely to happen to your organization, you say. Think again. More and more, Ransomware is succeeding at fleecing companies across the nation and around the world, including banks and credit unions. Just last month, the Bankers Electronic Crimes Task Force joined with the State Bank Regulators and the U.S. Secret Service to publish a “Ransomware Self-Assessment Tool” meant to guide you toward better security practices to reduce the threat posed by Ransomware. They use the word “protect” often, but I see more “mitigation” than I do “protection” when reading through it. And I wonder why our collective thinking, here and elsewhere, continues on the path of “monitor and mitigate” in the face of Ransomware’s growth and success. According to cybersecurity experts such as CyberTheory’s Steve King, it’s “a classic 2020 Cybersecurity nightmare: We know what’s going on, but we can’t stop it.” Worse yet, people working to change how the industry approaches the endpoint security challenge point out how Ransomware’s success REVEALS THE BLINDSPOT and the weakness in our cybersecurity efforts.

What is that weakness, and what might it cost us? It is our collective acceptance that we can’t stop this from happening, that we can only mitigate loss by cleaning up and paying up after the damage is done. This failure to address the challenge directly, to work to render malicious software benign rather than just “patch and backup”, has left us all vulnerable to existential threats to our organizations and our brands, not just demands for ransom.

What is this thing we choose to minimize rather than stop? Traditionally, Ransomware has been malicious software designed to encrypt the victim’s data storage drives, rendering them inaccessible to the owner. An ultimatum is then delivered, demanding payment in return for the encryption key. If the ransom demand isn’t met, the key will be deleted and the data lost forever. Current guidance focuses on backing up data, keeping the backups clear of external access, and restoring from them after a successful attack; but too few do this or can afford to do this. More importantly, paying off the bad guys or restoring systems and data, while mitigating the immediate disaster, hasn’t solved for the systemic BLINDSPOT in Cybersecurity practice.

I wrote “traditionally” above because, as Steve King recently wrote “Ransomware continues to dominate the news and has become a major business risk. It’s not your granddaddy’s Ransomware either. Threat actors have become more sophisticated. No more opportunistic or shotgun attacks on non-specific targets. Now we see lengthy reconnaissance. Currently, the average time from the first evidence to deployment is 3 days. The global average dwell-time is 56 days.”

He goes on to explain that these bad actors are collecting tons of useful network topology (e.g., ingress and egress points such as compromised web servers), backup sources and destinations, crown jewel assets, and administration (e.g., KRBTGT, ADFS, Microsoft 365) targets. And he points out that many times, these access points are productized and made available for sale on the dark web, saving the modern attacker a lot of work. He refers to how “back in the day, attackers were simply encrypting an OS and network files. Now, we’re seeing them exfiltrate key data and destroy backups before the encryption takes place.” He rightly points out that this is much more impactful and increases the likelihood that the ransom gets paid. And now it’s “pay me twice, first for decryption capabilities, and second to return or destroy the stolen data. If not, public excerpts happen.”  Clearly, these guys have gotten really good at being bad! And they can do even more damage once they have breached your system, often hiding from your “detection” efforts in order to do more than just demand ransom.

Just a matter of time. You may not yet have been targeted by Ransomware, but many large, medium and small financial institutions have; and because your cybersecurity tools and methods do a poor job addressing the threat of Ransomware, it’s not unkind to write “it’s just a matter of time.” So, what should we be doing?

There are ways to mitigate the risks of ransomware (but are they good enough?). We are told to worry, a lot, and we are presented with a laundry list of policies and tasks to bring to bear on the problem. For instance, the FBI, U.S. Computer Emergency Readiness Team and the Federal Financial Institutions Examination Council put out guidance and best practices on how to help protect your systems from this growing threat. Some of the basic defenses against ransomware they prescribed include:

  • Educating all staff on the risks and how to safely use email and the web;
  • Making sure to regularly back-up critical systems and data;
  • Maintaining up-to-date firewalls and anti-malware systems and protections;
  • Limiting the ability of users or IT systems to write onto servers or other systems;
  • Having a robust patch-management program;
  • Using web- and email-protection systems and software; and
  • Removing any device suspected of being infected from your systems.
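The list above is what the guidance prescribes; the article's point is that these controls are mostly monitoring and mitigation. To make that concrete, here is an added example of what such monitoring actually looks like in practice: a small heuristic detector that reads file-system audit events and flags a process whose activity resembles mass encryption (a burst of renames that replace file extensions, a touch on a bait “canary” file, or a ransom note written into a document folder). This is example code written for this page, not code from the article, the task force tool, or any vendor; the event line format, process names, paths, thresholds and the `_canary` directory convention are all constructed assumptions, and the sample audit trail is made up.

```python
"""Heuristic ransomware-behaviour detector over file-system audit events.

Added example (not code from the article). The event line format, the process
names, paths, thresholds and the '_canary' directory convention are all
constructed assumptions for illustration.
"""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail: "<ISO timestamp> <pid> <process> <op> <path>",
# where RENAME carries "<old path> -> <new path>". Not real telemetry.
SAMPLE_EVENTS = r"""
2020-11-03T09:00:00 4120 WINWORD.EXE WRITE C:\Users\alice\Documents\budget.docx
2020-11-03T09:00:02 4120 WINWORD.EXE WRITE C:\Users\alice\Documents\~$budget.docx
2020-11-03T09:01:10 7733 updater.exe RENAME C:\Users\alice\Documents\budget.docx -> C:\Users\alice\Documents\budget.docx.locked
2020-11-03T09:01:10 7733 updater.exe RENAME C:\Users\alice\Documents\q3.xlsx -> C:\Users\alice\Documents\q3.xlsx.locked
2020-11-03T09:01:11 7733 updater.exe RENAME C:\Users\alice\Documents\_canary\old_invoice.pdf -> C:\Users\alice\Documents\_canary\old_invoice.pdf.locked
2020-11-03T09:01:11 7733 updater.exe RENAME C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.locked
2020-11-03T09:01:12 7733 updater.exe RENAME C:\Users\alice\Documents\plan.pptx -> C:\Users\alice\Documents\plan.pptx.locked
2020-11-03T09:01:12 7733 updater.exe WRITE C:\Users\alice\Documents\README_TO_DECRYPT.txt
2020-11-03T09:05:00 5210 explorer.exe RENAME C:\Users\alice\Documents\draft.txt -> C:\Users\alice\Documents\final.txt
2020-11-03T09:30:00 6001 backup.exe WRITE \\fileserver\backups\2020-11-03\full.vbk
this line is deliberately malformed and must be skipped
"""

WINDOW = timedelta(seconds=10)  # assumed burst window
RENAME_THRESHOLD = 5            # assumed: this many extension-changing renames in WINDOW
CANARY_MARKER = "_canary"       # assumed bait directory that no legitimate process touches
RANSOM_NOTE_RE = re.compile(r"decrypt|ransom|restore[_\- ]?(my[_\- ]?)?files", re.IGNORECASE)
EVENT_RE = re.compile(r"^(\S+) (\d+) (\S+) (WRITE|RENAME|DELETE) (.+)$")


def parse_event(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, op, rest = m.groups()
    src, dst = rest, None
    if op == "RENAME":
        if " -> " not in rest:
            return None
        src, dst = rest.split(" -> ", 1)
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "pid": int(pid), "proc": proc, "op": op, "src": src, "dst": dst}


def extension_changed(src, dst):
    """True when a rename replaces the file extension (e.g. .docx -> .locked)."""
    # ntpath understands both '\' and '/' separators, so this works off-Windows too.
    return ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower()


def detect(lines):
    """Return {pid: [reasons]} for processes whose file activity looks like encryption."""
    findings = defaultdict(list)
    recent = defaultdict(deque)   # pid -> timestamps of extension-changing renames in WINDOW
    burst_reported = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                # malformed telemetry is skipped, not trusted
        pid, proc = ev["pid"], ev["proc"]
        paths = [p for p in (ev["src"], ev["dst"]) if p]
        # Rule 1: bait files exist only to be touched by something that should not be there.
        if any(CANARY_MARKER in p for p in paths):
            findings[pid].append(f"{proc} touched canary path {paths[0]}")
        # Rule 2: a ransom note is written next to the data it holds hostage.
        if ev["op"] == "WRITE" and RANSOM_NOTE_RE.search(ntpath.basename(ev["src"])):
            findings[pid].append(f"{proc} wrote ransom note {ev['src']}")
        # Rule 3: a burst of renames that replace the original extension (sliding window).
        if ev["op"] == "RENAME" and extension_changed(ev["src"], ev["dst"]):
            q = recent[pid]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and pid not in burst_reported:
                burst_reported.add(pid)
                findings[pid].append(
                    f"{proc} made {len(q)} extension-changing renames "
                    f"within {int(WINDOW.total_seconds())}s")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS.splitlines()).items():
        print(f"pid {pid}:")
        for reason in reasons:
            print("  -", reason)
```

Run as-is, it flags only pid 7733: the `explorer.exe` rename keeps the `.txt` extension and so never counts toward the burst, and the backup job's write does not touch the bait directory. Two design points worth noticing: the burst rule keys on extension changes rather than raw write volume, which is what keeps ordinary editors and backup software out of the alerts, and the detector only reports; the response hook (the list's “removing any device suspected of being infected”) would be wired to the returned findings. It also illustrates the article's argument rather than refuting it: by the time rule 3 fires, five files have already been encrypted, so this is detection and mitigation, not prevention.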

While good and necessary, none of the above prevents the most pernicious forms of malware delivering today’s Ransomware. All of the above tasks are part of the standard methodology and prescribed practices to limit the access of unauthorized users and software to your systems. They are all good things to do. They all reduce risk and show you are working hard to address your cybersecurity responsibilities but, unfortunately, they aren’t enough. WHY NOT? Because, as I’ve come to learn, the best Anti-virus/Endpoint Detection software on the market today, and the best monitoring and detection tools and processes, and the best mitigation and recovery tasks all have a critical blind-spot — they all fail to see what is happening INSIDE OF APPLICATIONS, which is where the majority of today’s successful security attacks are occurring, including Ransomware attacks (which do their designed damage before detection and mitigation can make any impact). According to TJ Tajalli, CEO of OnSystem Logic, “what you’re using today, regardless of the vendor you’ve chosen, while absolutely necessary, is unfortunately also absolutely insufficient, tragically insufficient, in the face of today’s next-gen Ransomware because its defenses are built based only on AI, signatures, and behavioral data of previously seen attacks.”

Mr. Tajalli goes on to suggest that “we must stop accepting the idea that even the most sophisticated endpoint security products are incapable of PREVENTING attacks in the first place.” He points out that “clicking on one email by an employee should never put a company in a position to have the type of disruption we see happening today.” And he laments that the news stories regarding Ransomware attacks and the payoffs or expensive mitigation efforts are not “success stories” but, rather, reminders of how “customers have been trained to accept that attacks will succeed but if they can afford to pay big dollars after an attack has succeeded, there are companies out there, including those that built their endpoint security product in the first place, that may be able to clean up the mess for them.”

So, what can we do? Well, it’s time to learn about and start adding endpoint prevention solutions that stop malicious software from running and delivering attacks such as Ransomware. Bad/misbehaving software can get onto the endpoint any number of ways (which is why we receive so much advice about patching, training and monitoring). It could arrive via phishing attacks, credential stealing, pictures, links or other data files containing its bad payload, malicious Microsoft Office macros, or any other method. But what is important is to make sure that bad/misbehaving software CANNOT execute its damaging instructions, including Ransomware, no matter how hard it tries. It’s time to demand answers to this problem. It’s time for the market to provide solutions. Monitoring and mitigation are not prevention. It’s time to act on that knowledge.

Greg Crandell

Greg Crandell provides strategy, market planning, business development, and management consulting to financial technology firms and their clients – Credit Unions and Banks. For more years than he wishes to admit, ... Web: queryconsultinggroup.com