6 August 2017

Data Breach Digest: Ransomware rising to the top of the nation-state threat vector list


BY MICHAEL BRUEMMER
Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. 

Today the use of ransomware extends far beyond the traditional cybercriminal ploy for payout, serving as probable acts of war by nation-states – think the recent Petya and WannaCry incidents. Whether the rise in these types of attacks – ransomware and nation-state – are directly correlated or not, there’s no denying the gradual and coincidental increase in both. In his monthly "Data Breach Digest" column, Experian's Michael Bruemmer analyzes the current landscape, explores why ransomware attacks continue to be successful and provides guidance to businesses that often get stuck in the crosshairs. 

Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. 

Today the use of ransomware extends far beyond the traditional cybercriminal ploy for payout, serving as probable acts of war by nation-states – think the recent Petya and WannaCry incidents. Whether the rise in these types of attacks – ransomware and nation-state – are directly correlated or not, there’s no denying the gradual and coincidental increase in both. In his monthly "Data Breach Digest" column, Experian's Michael Bruemmer analyzes the current landscape, explores why ransomware attacks continue to be successful and provides guidance to businesses that often get stuck in the crosshairs. 

Widespread infections, locked systems, demands for payment – sound like your average ransomware attack? Well, if you think the answer to this is simple, the recent Petya and WannaCry incidents would suggest otherwise.

Without sounding off alarm bells (or should I say, sound away?), we must face the ugly truth that cyber schemes are becoming more sophisticated, and in turn, being used – or presenting the ability to be used – as a disguise for different, and potentially darker, attacks all together. In the case of the recent Petya and WannaCry incidents, many believe the viruses were used to hide state-sponsored attacks with motives well beyond the typical cybercriminal ploy to make a profit. Why? While not necessarily the preferred or number one vector for acts of cyber war by nation-states, ransomware happens to be one of the easiest to carry out and cover up, and according to founder of cybersecurity firm Comae, a “lure to control the media narrative.”

Although I recognize that with these types of incidents come many theories, I can’t help but notice the simultaneous escalation of both ransomware and nation-state attacks amongst the current, volatile political climate. This is not to say that there’s a direct correlation between the two, but it’s further reason to believe that cyberthreats and ransomware, specifically, are evolving at a rapid rate. To best help businesses that are often stuck in the crosshairs, I’m sharing my take below on the current threat landscape, what we may see in the future and how to prepare for the resulting disruption.

The Current State of Ransomware

Eight months in and 2017 has been monumental for ransomware. As stated above, we’ve seen these attacks evolve from quick methods for hackers to cash out to one of the most dangerous techniques, involving even acts of war.

This spring, the largest cyber-attack and one of the “biggest ransomware” outbreaks in history occurred, infecting more than 300,000 computers in 150 countries with “WannaCry” malware. The attack, which leveraged a Windows exploit used by the NSA to go undetected, hit a number of organizations including the UK’s National Health Service, U.S. hospitals, FedEx, Nissan plants, universities in China, and banks and telecom providers in Russia, among thousands of others. The result? Forced surgery delays, canceled appointments, preventative shutdowns, outages and… chaos.

There’s been much discussion around whether WannaCry was carried out by a nation-state due to the fact that the attack used tools from a cybergang with connections to North Korea. And while sources at Symantec said that it’s “highly unusual to find code associated to nation-state actors within attacks believed to be conducted by cybercriminals,” they also reiterated that this doesn’t guarantee the attack was conducted “at the behest of a nation-sate.” 

On the contrary, a mere month later, “Petya” ransomware spread across Europe, the Middle East and the U.S., crippling companies, government agencies and critical infrastructure in what now appears to be a targeted attack on the country impacted most: Ukraine. Beyond the government, Ukraine’s banks, electricity grid, metro system and Kiev airport were affected. Given the complexity of the attack and the absence of a payment portal or functional email address to deliver the ransom payment, many experts presume the attack was launched by a state actor, or a non-state actor with support and approval from one. Either way, these massive incidents likely only hint at what’s to come.

To get into more of the specifics, Beazley’s April Breach Insights calculated that ransomware attacks were 35 percent higher in first quarter of 2017 than the same timeframe in 2016. Additionally, recent industry reports claimed that mobile ransomware has risen over 250 percent and that damage costs will exceed $5 billion in 2017. The underlying message? Ransomware is not slowing down.

The fact is, we’re seeing ransomware turn into a melting pot of sorts, involving different types of criminals and scopes of attack, but the scariest part is that every motive is just as disruptive or has the potential to be. Instead of passively bracing for the next big event, businesses must prepare for the potential and fallout of ransomware, as they’ll continue to be the targets of or used as “pawns” in these types of attacks. 

In my June column post, I shared several security threats that must stay on companies’ radars and ended my list with “ransomware on steroids.” Predating the Petya incident, this assumption couldn’t have been truer and I expect the resurgence of ransomware to continue. While this will likely include the more “traditional” attacks that infiltrate systems for money, attention will continue to turn to headline-grabbing incidents that knock out systems worldwide whether designed as a data heist by cybercriminals or cyber warfare by state actors.

Tips to Protect Your Business

Unfortunately, current preparedness levels are disheartening. In a recent survey conducted with the Ponemon Institute, Experian found that almost half – 45 percent – of companies are not taking appropriate steps to prepare for a possible ransomware attack and only 17 percent educate employees about the risk.

These sobering findings should serve as a wakeup call. If targeted today, would your company know how to respond? Be prepared to adequately manage an infection and the resulting fallout? If unable to answer, it’s not likely. The good news is there are many steps businesses can and should take to proactively prepare: 

Update software: Using WannaCry as an example, the malware attack could have been prevented and businesses spared had they upgraded systems with the most recent versions of Windows. This attack exposed major shortcomings and an overall ignorance in companies’ approach to cybersecurity. As I often say, it’s not a question of “if” but “when” you’ll be targeted by an attack. Updating business software is one of the most basic yet crucial actions to ensure greater security. 

Create backup files: Similarly, a step so often ignored that should be routine is data backup. Businesses need to copy important files to a second, secure location to prevent data loss from successful ransomware infections as well as other viruses, theft, hard drive failures, etc. There are a variety of options that should be discussed with IT departments and experts, but more businesses are moving to the cloud, which offers advanced security, storage and preservation processes that scale to specific company needs. 

Insure against the risk: Last, but not least, while cyber insurance policies are gaining traction, there’s much room for improvement in the purchasing of such coverage. In fact, only 38 percent of companies claimed to have a policy in place last year. For those that have purchased or are planning to, it’s vital that they talk with their insurance brokers to understand if the insurance covers ransomware. This could include everything from paying the actual ransom to covering the cost of any business disruption caused, as well as forensics work to try to recover systems. 

While not an end-all, be-all solution to ransomware – especially if driven and funded by state actors – these actions have the power to reduce the likelihood of successful attacks or alleviate businesses from the potential disruption. And by the looks of where ransomware is headed, I suggest you not take any chances. 

No comments: