Nilesh Dherange | Industrytoday.com
Security practitioners are developing new tools to address the multiple challenges of Ransomware, but there are still many issues to overcome.
Ransomware has become more and more of a problem over the last several years. Cybercriminals moved from their older business models because getting paid a ransom directly by the victim was more efficient than, say, stealing credit card numbers and selling them on some dark web exchange. The rise of cryptocurrencies like Bitcoin made it even easier for them, as they now had a way to collect their ransom that was very difficult to trace. For them, it’s a bit of a Golden Age, while for us, in the cybersecurity world, it’s a Perfect Storm.
Most recently caught in that ransomware storm was Italy-based eyewear brand Luxottica, the world’s largest eyewear company, whose brands includes Ray-Ban, Oakley, Oliver Peoples, Ferrari, Michael Kors, Bulgari, Armani, Prada, Chanel, and Coach. It also operates Pearle Vision, LensCrafters, and Eye Med, and retail outlets such as Sunglass Hut. The September cyberattack impacted operations in Italy and China, and some online operations.
There are multiple challenges here. We deal with the constantly changing threat landscape, as the malware authors improve their tools using the same sorts of development cycles we use to develop ours, and we also have to deal with a constantly changing attack surface. We get new applications that bring new problems, while the bad guys keep turning up zero-day exploits on the applications and operating systems we already have. Not to mention the attacks against our user base from phishing and web-based exploits, or the ever-evolving threats against our portable devices.
As security practitioners, we’re not standing still. Our tools keep getting better as well. We have better visibility into our end points and across the network. Behavioral analytics tools let us consolidate seemingly disparate events to give them context and reveal risks before simple breaches become case studies. Deception technologies can divert attackers away from their targets. But we’re still on the defensive and, as it’s said, we need to be right every time while the attacker only needs to be right once.
When an organization suffers a malware attack, they’ve got two basic options. Pay the ransom and hope the attacker gives them a working key to restore their systems, or not, or that hope their backup and disaster recovery plans are up to the task of getting them back in business. Neither is especially appetizing. Ransoms can be tens of thousands to millions of dollars, and there’s no guarantee the attacker will actually deliver on their promise. Worse, there’s no guarantee they or another ransomware gang won’t just do it again some time down the road.
Relying on disaster recovery plans is an option, at least once the intruder’s been locked back out of the system, but do you know when was the last time was that your organization tested their disaster recovery plan? When was the last time anyone actually restored something from backup? This can be the perfect option for an organization has a robust and well tested system in place, and, honestly, every company should, but it still doesn’t keep it from happening again. Worse, an attacker that doesn’t get their ransom may resort to other attacks such as DDoS, or more destructive attacks beyond encrypting files.
The Hard Place
The US Treasury has warned that paying ransom may violate US Government sanctions. The Treasury’s Office of Foreign Assets Control (OFAC)and Financial Crimes Enforcement Network (FinCEN) say that paying ransom may run afoul of laws intended to block monetary transfers to sanctioned countries, putting victims and their insurers at risk of even more penalties beyond the ransom.
For agencies that offer Cyber-insurance, the problem is obvious. Many of the ransomware gangs operate out of countries that are under some form of sanction. In fact, some may be state sponsored cybercriminal organizations rather than mere criminal enterprises operating within friendly (to them) borders. That means paying the ransom likely creates legal problems, which raises the insurer’s risk, which means higher prices for insurance.
This is a lose/lose for everyone. Even organizations that aren’t directly affected by a ransomware attack can see insurance rates go up because other organizations have been attacked, because governments have shifted some cost burdens to victims.
On some levels, that reaction is understandable. Governments are trying to put a dent in cybercrime and are finding that conventional tactics aren’t working against an adversary that is both sophisticated and international in scope. Since they can’t directly lean on the aggressors, they put pressure where they can – on organizations – making it harder for the attacker to receive payment.
Caught in the Middle
Legally, a company’s security practitioners can’t “return fire” even when they’ve identified their attacker. While there are some cases of counterattacks against malware gangs, such as the recent disruption to the Trickbot malware where someone hacked its configuration files, they are operating in a gray area. They may have been successful in disrupting the attack and earning the wrath of the malware’s authors, but they did so without legal sanction. Unless, of course, the counterattack was launched by someone in the international Law Enforcement or Intelligence communities.
The fact is legally, and ethically, our hands are tied. We can only hope the international law enforcement community will put as much effort into finding and prosecuting these cybercriminals as they do into unauthorized game modders. They are the only ones who have the resources, and authority, to stop these malicious actors at their source.
In the meantime, companies and cybersecurity practitioners will keep doing what we do. Deploy the best people, tools, and processes we can, educate our users, and respond when things go sideways.
External Link: Ransomware: Between a Rock and a Hard Place