In May 2022, President Joe Biden was forced to declare a state of emergency when one of the United States’ largest and most vital oil pipelines fell victim to a ransomware attack. The Colonial Pipeline’s digital systems had to be taken offline, and the attackers extorted a whooping sum of 4.4 bitcoin (USD$4.4 million) from the US government.
Ransomware continues to dominate the threat landscape, presenting low risk and high reward to threat actors. The number of ransomware attacks globally nearly doubled from 2021, and the overall cost was estimated to have exceeded $20 billion, according to Cybersecurity Ventures.
How did ransomware become one of the biggest threats to the safety of organisations? What can governments do to reduce risk and turn the tables on hackers?
Cybereason expert, C K Chim, Field Chief Security Officer, APJ, discusses findings from a recent whitepaper exploring the rise of complex ransomware crime organisations. Additionally, Dato’ Ts. Dr Amirudin, CEO of CyberSecurity Malaysia, shares the need for skilling cybersecurity professionals and implementing a strong legal foundation to support the victims of ransomware.
The rise of the ransomware crime network
There are several reasons why ransomware operations are on the rise. First, organisations are more reliant on digital infrastructure than they were in the past. “This is a by-product of the digitalisation journey many organisations are taking to enable business transformation,” Chim says.
Technology is a double-edged sword, adds Dr Amirudin. Drastic changes in technology have allowed for digital transformation but have also made organisations more vulnerable to cyber threats.
Second, Ransomware-as-a-Service (RaaS) has lowered the technical bar for cybercriminals. Complex attack strategies are now available to all, even low-skilled attackers, says Chim. RaaS providers supply completed ransomware codes, handle negotiations, and provide other “customer service” resources to both the attacker and the victim.
Lastly, the rise of the cryptocurrency sector has allowed for unregulated trading activities, Chim adds. This has enabled attackers to launder extorted payouts through cryptocurrency platforms.
Ransomware gangs today function like legitimate companies. “They have a HR process, R&D departments, and even call centres. They implement highly complex business models that are extremely profitable and efficient,” shares Chim. Furthermore, they operate in countries where they can attack organisations of other nations with little to no legal consequences.
All the factors above have created a “gold rush” in the cybercrime world, resulting in a significant surge in ransomware attacks and record-breaking multimillion-dollar payouts. Ransom payments have spiked 500 per cent to US$5.3 million, and some ransom demands exceed US$50 million, a study by Cybereason found.
When victims pay, everybody pays
A major concern is that victims may be indirectly providing financial assistance to ransomware organisations when they choose to pay the ransom. “It’s very important for victims to understand that even if they pay, there is no guarantee that they will be able to recover the stolen data, or be safe from future attacks,” Chim says.
83 per cent of organisations globally end up paying the ransom; but among organisations who paid, 80 per cent suffered another attack, Cybereason found. To add to the problem, not all ransomware victims are obligated to report an attack, making it difficult to stop future attacks, shares Dr Amirudin.
As such, a robust legal framework needs to be in place, says Chim. A legal framework can mandate businesses and other organisations to report ransom payments and consider alternatives before making payments.
Chinks in the armour: What causes data leaks
There are three main factors contributing to data leaks today, making organisations vulnerable to ransomware attacks, according to Chim.
First and foremost, “basic cyber hygiene” is still lacking among the common public. Oftentimes, hacks occur because employees unknowingly open phishing emails or select insecure passwords – an issue boiling down to the lack of security awareness.
Preventing this may not necessarily require more budget, technology, or manpower, shares Chim. “Instead, they only require a basic understanding of how ransomware occurs, which can drastically reduce the ability of cyber criminals to steal valuable data.”
Next is the lack of visibility after an attack has occurred. These days, many ransomware attackers breach an organisation weeks or even months before detonating the ransomware, encrypting systems and demanding a payout.
The ransomware infection can go undetected because many organisations focus on their cyber defence at the prevention layer, shares Chim. This includes relying only on a firewall or antivirus programme for a cybersecurity measure, which only targets suspicious activities from outside the organisation’s systems.
This allows the attacker to be able to bypass older security systems and move freely inside the victim network – whether it is for taking command and control of the system to download even more malware, or stealing credentials to make threats, says Chim.
However, moving from prevention to detection and response might be challenging for many organisations, causing the third driving force contributing to data leaks – “alert fatigue”.
This happens when the high number of false alarms generated causes cyber defenders to become numb to incoming security alerts. “This provides a window of opportunity for the attacker to launch a successful attack,” Chim points out.
In the face of crime, no one works alone
Overall, governments need to work more closely with the private sector and other governments to coordinate a more aggressive and data-driven approach to cybersecurity.
Because many governments are deploying antiquated software instead of deploying around the clock threat hunting, they are far less successful at stopping ransomware attacks compared to the private sector, shares Chim.
For example, a targeted ransomware attack against government agencies in Costa Rica resulted in the country’s President declaring a ‘state of emergency’ in his country because they were ill equipped to deal with the threat.
“No single organisation, public or private, will have all the competencies to deal with cyber threats alone,” says Dr Amirudin.
The good news is that many inter-agency partnerships are already in the works between public and private sector organisations, says Chim. For example, the CyberSecurity Malaysia Collaboration Programme, brings together governments, private companies like Cybereason, and academics, to strengthen existing cybersecurity initiatives.
“In other sectors like finance, which may require specific services, private companies can work with government agencies as business partners,” shares Dr Amirudin. This means that governments such as CyberSecurity Malaysia and private cybersecurity companies can now explore joint commercial projects, creating a win-win situation.
If cybercriminals are becoming increasingly resourceful, so must governments, in order to keep up with this cyber arms race. Only with extended defence partnerships, strong legal infrastructures, and public awareness will they stand a chance against the global rise of ransomware.