Estimates of actual and projected damages underscore the need for multiple defensive measures
Friday, June 7, 2019
By Marcus Chung
The threat of ransomware being used as a highly effective form of cyber terrorism has been receiving a lot of media attention lately. The storyline stems from a Lloyds of London report which boldly states that a large-scale ransomware attack could cost the global economy $193 Billion and impact more than 600,000 businesses worldwide.
The report further speculates that if coordinated and executed properly, a global attack like WannaCry could cause even more severe damage and cost companies significantly more when factoring in all the business disruption and recovery-related costs that would follow in the wake of a wide-scale attack.
With doomsday projections like these, it's easy for people to become numb to the associated cybersecurity risks. Yet security professionals must always remain objective when assessing the scope of a threat versus the cost of implementing security measures to arrive at a risk-based recommendation.
What is Ransomware Terrorism?
Terrorism is broadly defined as the use or threat of violence that aims to spread fear in a population, and to advance a political, ideological or religious cause. Ransomware can be used in this context to disrupt the life of individuals and organizations, which depend on the smooth functioning of information technology to maintain operations.
While historically, the main goal of ransomware has been to extract, or extort, money or other valuable consideration from the affected party, NotPetya made us aware that there is a lot more damage an attacker could do with access to an army of computers spread across the globe than just turning them into bricks.
To prevent or avoid the consequences of an attack of terrorism, the defenders must effectively repel every single attempt to perpetrate the crime. Ultimately, the attackers only need to overcome the defenses once in any given situation to prevail.
Exploring the Potential Impacts
In the proposed scenarios created by the Cyber Risk Management (CyRiM) project and Cambridge Centre for Risk Studies (CCRS), put forth in the report Bashe Attack: Global infection by contagious malware, a ransomware terrorist attack could be launched through an infected email, which, once opened, would be forwarded to all stored contacts.
Then, within 24 hours, the malware could encrypt all data on 30 million devices worldwide. In the worst-case scenario, even the back-ups would be erased - meaning companies of all sizes would be forced to pay a ransom to decrypt their data or replace their infected devices.
It is easy to conceive that a ransomware attack on this scale would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, inaccessible data files, IT clean-up costs, ransom payments and supply-chain disruption.
The moral of the story, according to Lloyds, is that all businesses should pay close attention to systemic risk across all lines of business, not just within the silo of cyber, and businesses should buy insurance to help protect against such catastrophic scenarios.
Clearly, as companies increase their reliance on technology, the need to defend against cybersecurity challenges like malware becomes ever more critical to meeting the goals of the business. While cyber insurance has its place in a well-executed cybersecurity strategy, it doesn't protect a business or the economy from the operational nightmare caused by a massive ransomware attack.
At BoldCloud, we have typically worked with companies after they've been hit by a one-off ransomware attack. When the city of Atlanta was hit by ransomware, it provided a very public view into the aftermath of an attack. It basically brought all cyber-related city activities to a complete standstill.
More recently, Norsk Hydro was a victim of the LockerGoga ransomware and estimates the current costs at $40 million, with a projection of months before being able to resume normal operations. I can only imagine the nightmare that would ensue if 600,000 businesses were hit within 24 hours. Needless to say, we'd be very busy helping clients with their data security needs.
Are We Defenseless?
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced anti-virus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) and targeted threats that were conceived by cyber criminals to directly evade existing security layers and harm data.
Easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be terrorists who want customized ransomware can hire black-hat coders for its development.
While defending against ransomware may seem daunting, business leaders and system owners, whether they be physical or cyber-based, must prepare for and take defensive actions to prevent one-off as well as large-scale attacks. While there is no silver-bullet ransomware solution, the following are some of the most important actions your organization should take:
- Educate your employees. Humans are the first line of defense against ransomware applications that prey upon computer users to gain access to the target files and data. Train employees to avoid clicking on any emails from unknown or untrusted senders, especially those with attachments. Make sure they understand that links to websites can also lead to the installation of ransomware if clicked.
- Install and keep anti-virus software up to date. While antivirus software is by its nature reactive to new threats and cannot protect against FUD, which typically have a 24- to 48-hour window of opportunity to infect protected systems, anti-virus does provide an important line of defense when used in conjunction with other preventive measures.
- Install and keep current a robust back-up and recovery system. Your back-up and recovery strategy should include frequent back-ups, as well as remote or at least separate on-site storage, and systematic duplication and recovery capabilities. This has always been a good security practice, even before the onslaught of ransomware, as other systemic failures can compromise the availability of data and files.
- Take a layered security approach. As an added, key layer of data protection, consider implementing data security or mirror shielding solutions. New technologies, which are available at a relatively low price point, are helping businesses effectively deal with new strains of malware that are designed to circumvent traditional security solutions. The most promising solutions allow businesses to instantly recover data and files when other defenses fail.
- Invest in good cybersecurity advisers. Professionals are trained to see things your own IT team may not. They will take a holistic look at not only your systems, but at how they support your overall business goals, and identify any potential security gaps.
With an unprecedented number of ransomware and targeted attacks being reported, and insights into the large-scale damage that could result from more coordinated global attacks, it seems every business has an obligation to put adequate measures in place to make themselves a less likely target.
Attackers will always exploit weaker and more vulnerable targets. While no one can stop terrorists from using ransomware as their weapon of choice, you can, and should, advocate to make sure your business is at least a less likely victim.
Marcus Chung is chief executive officer of cybersecurity and data-protection advisory services company BoldCloud. He previously worked in key roles at Sygate (acquired by Symantec) and as COO at MalwareBytes. His earlier contribution to GARP Risk Intelligence was Employees Are Best Defense Against Ransomware.