Eradicate Ransomware by Changing Attacker Risk and Reward
Smart criminals look for opportunities that offer low risk, low effort and high reward. Ransomware is currently a sweet spot for the bad guys. Earlier this month, IT management software company Kaseya fell victim to a ransomware attack, which led to infections at some of Kaseya’s customers. Sadly, reports of ransomware attacks are commonplace. This post explores how changing the equation of risk, effort and reward could make ransomware a relic of the past.
The anonymity of internet attacks and the availability of non-governmental payment options (Bitcoin and other cryptocurrencies) mean that careful cybercriminals have a low risk of being identified and apprehended. Ransomware toolkits are readily available and can be applied to new victims with relatively little effort. Victim organizations that are desperate to recover their own data will pay a steep premium.
The way to eradicate ransomware is to increase attackers’ risk, increase attackers’ effort and lower rewards.
Increasing Attacker Risk
Increasing risk is the least promising approach. The decentralized, transnational nature of the internet will always give attackers the opportunity to operate mostly anonymously. Even in cases where crimes can be properly attributed, which is difficult at best, navigating a multijurisdictional apprehension and prosecution can be nearly impossible.
Likewise, the ready availability of decentralized financial systems like Bitcoin will always give attackers a means of getting paid without being identified.
Increasing Attacker Effort
This is by far the best protection for individual organizations. Software security needs to be a first-class citizen in every organization. In the big picture, software security is a part of risk management. Savvy organizations make plans and structure their businesses to minimize risk from accidents, natural disasters, infrastructure failures and malicious insiders. Software is a fundamental infrastructure for every business and must be included in risk management.
At the top level, this means that security must be part of selecting, deploying, operating and maintaining software. It’s not enough just to get software working. Organizations must ensure that the software they use has minimal risk.
The intrinsic security of any piece of software should be evaluated before it is used. This includes verifying that the software vendor has used a secure software development process, examining test results and security artifacts, and performing independent analysis. Using a secure development process ensures that the number of weaknesses in the software is as low as it can be, which makes an attacker’s job more difficult.
Updates must be installed as quickly as possible. This minimizes the amount of time a ransomware gang has to exploit a known vulnerability.
All personnel must be trained to understand the threats and risks of everyday software use. Well-trained employees will be less likely to click on a malicious link or perform other actions that could introduce ransomware into an organization.
Decreasing Attacker Rewards
Ultimately, it’s all about the money. Criminals invade victims with ransomware because they want to be paid. If victims never paid a ransom, ransomware gangs would cease to exist.
Disaster recovery planning and business continuity planning are the facets of risk management that deal with exactly these types of events. What happens if a tropical storm knocks your data center offline? What happens if half your CxO team is wiped out in an airplane crash? What happens if you are infected with ransomware?
By planning ahead and putting mitigating controls in place, you can minimize the effects when something bad happens. When planning for ransomware, for example, you should put a robust plan in place for regular data backups. Properly implemented, such backups would allow you to rebuild your computing resources quickly if a ransomware attack did happen. With good planning and execution, rebuilding will be quicker and less expensive than paying a ransom.
When security incidents happen, it is important to take the lessons learned and feed them back into your existing security program so you never get burned by the same kind of problem again.
Learn From Others
My wife is the youngest of three siblings. When she was growing up, she observed what her brother and sister did that got them in trouble and adjusted her behavior to avoid the same problems. The situation with ransomware is similar. Organizations that have been lucky enough to be unaffected should keep an eye on current events and adjust their behavior. Many organizations are completely unprepared for this type of attack. If you are not ready, start today with a proactive approach to software security.
You can never eliminate risk completely, but you can take fundamental steps to improve your security posture. In the case of ransomware specifically, you can make it harder for attackers to break into your organization. If the worst should happen and you get infected anyhow, you can make sure you are prepared for a speedy, no-ransom-paid recovery.