On May 7, when Colonial Pipeline announced it experienced a ransomware attack, Yonesy Núñez was in a meeting with his threat intelligence staff receiving a cyberthreat landscape update. While the actual attack against the oil pipeline system didn’t surprise the veteran CISO, the severity of the outcome—gas stations shuttered across Eastern states—did.
“It was the first time a cyberattack had such a widespread kinetic effect on U.S. critical infrastructure,” said Núñez, Chief Information Security Officer at Jack Henry & Associates, a technology company and payments processor whose clients include more than 8,500 banks and credit unions.
Such effects have long been feared, making ransomware not just a financial and reputational scourge for companies of all sizes but also a threat to a well-functioning society—one bound to worsen. “What we’re seeing now presents more system risk to organizations than anything we’ve ever experienced before,” said Núñez. “Hands down, ransomware is the single most important threat facing companies today.”
Certainly, a complete shutdown in a company’s business and operations supports this view. While early ransomware attacks focused on hospitals, schools and banks that simply had to stay open, nearly every industry was targeted by ransomware threat actors in 2020, according to cybersecurity company Digital Shadows. The reason is the perception of easy money.
Multimillion-dollar ransom payments by victim organizations are commonplace. CNA Financial, one of the largest insurers in the U.S., forked over a reported $40 million ransom in bitcoin to hackers, making it the biggest known ransom demand paid by a victim company. JBS, the world’s largest supplier of meat, paid $11 million in bitcoin to REvil, a cybercrime gang—and just before the July 4 weekend, the specter of an even bigger payment to the group arose when REvil demanded $70 million to unlock systems after an attack on 1,500 small businesses in at least 17 countries. Colonial Pipeline paid another cybercrime gang, DarkSide, a $4.4 million ransom in bitcoin to get its systems back online.
Other recent high-profile ransom payments include $4.5 million paid by travel services provider CWT Global, $4.4 million paid by chemical distribution company Brenntag and $2.2 million paid by currency exchange services firm Travelex. Yet the size of the payout pales in comparison to the impact on a company’s brand and reputation. “The ransom payment sends out a concerning message to investors, shareholders and customers that the company lacked the operating resilience to respond and recover from a cyberattack in a quick and agile way,” said Sean Joyce, global and U.S. cybersecurity, privacy, risk and regulatory leader at consulting firm PwC.
This concern may explain why a large but unknown contingent of companies endure a ransomware attack and stay mum on the fact. “Right now, the number of attacks is grossly underreported,” said Joyce.
Although President Biden signed an executive order in May requiring businesses to report information on cyberattacks to the federal government, the order does not mandate that companies also provide the information to the public at large—a problem, said Joyce. “Businesses need mandatory reporting of ransomware events if we’re going to more clearly understand the threat to address it more effectively,” he explained.
Still, the president’s action suggests he intends to halt the recent surge in ransomware attacks, in large part because of the risk to critical infrastructure. In December 2020, a cyberattack reportedly launched by Russian hackers successfully compromised the technology infrastructure at SolarWinds, a major supplier of software to multiple government departments, agencies and military branches, in addition to 425 companies in the Fortune 500. The federal government has since elevated ransomware as a “critical priority,” with FBI Director Christopher Wray recently telling the Wall Street Journal the agency is presently investigating 100 different ransomware types.
A 2020 survey of CISOs indicated that almost six in ten (59 percent) U.S.-based companies experienced a ransomware attack in 2019. Only 25 percent were able to halt the attack before the cybercriminals encrypted and/or exfiltrated their data. Of the organizations that shelled out a ransom and made it known to the public, the aggregate tally suggests a steep rise in the size of payments. In Q1 2021, ransom payments averaged $220,000, an increase of 43 percent from the average $154,000 payments made in Q4 2020, according to Coveware’s most recent ransomware report.
While that’s pocket change for large companies, the sums are considerable for midsized and smaller organizations with tighter capital resources. Nearly a third of companies (32 percent) pay the ransom, although the amount generally is negotiable. Nevertheless, all companies hit in such attacks must bear the expense of remediation. Measured in terms of business downtime, operational costs and data decryption, the average cost is presently $1.85 million, up from $760,000 in 2020.
Meanwhile, the number of cyberattackers appears to be growing. “Anyone can go on the Dark Web and buy a ransomware-as-a-service toolkit to launch a successful attack,” said Núñez. “It’s never been easier to become a cybercriminal or tougher to catch them. They’re using fully assembled cyberweapons and the highest encryption levels that companies like ours are using to encrypt our data and defend the environment.”
Catching hackers in the act of perpetrating a cyberattack has long been the responsibility of CISOs, ever since Citigroup named Steve Katz the world’s first Chief Information Security Officer in 1994. The job as it existed then, and over the following 20 years, bears no comparison to the scale and complexity of the role today.
“The proliferation of mobile devices and cloud computing systems, as well as wide-scale end-to-end digital transformations, increases the number of (malware) entry points,” Núñez said. “Companies are entirely reliant on well-performing and secure technology systems to thwart and respond to an attack. Once a system is penetrated, a business can be brought to its knees. We’re in an all-out war.”
Like Núñez, Sam Rehman sees his work as a battle of good versus evil. “The bad guys have tactical and strategic goals,” said Rehman, CISO at $2.7 billion software engineering firm EPAM Systems. “The tactical goal is to disrupt a network’s services by making it unavailable to users. Once accomplished, the strategic goal is to extort money through the use of malware.”
Easier and More Lucrative
Although ransomware is much in the news lately, the first known attack, called the AIDS Trojan, occurred in 1989. What makes the crime more prevalent and successful today is the ease with which cybercriminals collect a ransom. Cryptocurrencies like bitcoin have made it virtually impossible for law enforcement to track and trace the flow of money across national boundaries. “When the bad guys got paid in the past, that’s when you were able to catch them,” said Rehman. “Cryptocurrency makes it easy to not get caught.”
Joyce agreed. “By obfuscating how criminal gangs are paid, cryptocurrency—along with the availability of ransomware toolkits—has spurred the current proliferation in ransomware attacks,” Joyce said, pointing to a study by Chainalysis in May citing a 337 percent increase in the monetary value of ransomware payments made in cryptocurrency from 2019 to 2020.
Another factor elevating ransomware as the most lucrative cybercrime is the availability of cyberinsurance absorbing the cost of the ransom. Cybercrime gangs know a company is more likely to pay a ransom if its insurer is picking up the tab. “Hackers research which companies have cyberinsurance paying the ransom and prioritize the organization (for attack),” Joyce said.
Many insurers now regret having insured the ransom payment, as the cost of sharply escalating payoffs has exceeded the premiums paid by policyholders. “The industry in the beginning saw an opportunity to provide much needed protection; the problem was that many insurers did not have adequate loss data or cyber underwriting expertise to correctly underwrite or price the risk,” said Ketan Pandit, CIO at QBE North America, a large global insurer.
Consequently, these insurers provided what Pandit said were extremely broad coverage terms and conditions in certain market segments yet had only a limited understanding of the risk exposures in these segments. He said the insurers also “failed to spread their risks across other segments to diversify their loss portfolios.”
Several insurance carriers have since pulled out of writing cyberinsurance altogether or severely constricted their insurance coverage terms, conditions and financial limits while sharply increasing the cost of the insurance. Cyberinsurance providers still in the market include QBE, which Pandit said was more selective in its underwriting and maintains a broad cyber risk portfolio.
Nevertheless, the retraction of aggregate cyberinsurance capacity appears to have upset some ransomware perpetrators. When insurance giant AXA decided to no longer cover the payment of a ransom in France, cybercrime gang Avaddon retaliated days later with a ransomware attack that disrupted the carrier’s IT operations in Thailand, Malaysia, Hong Kong and the Philippines. Whether or not the insurer paid the ransom remained unknown at press time.
Due to the surge in cryptocurrency ransom payments, Rehman said there’s little a CISO can do to win the war strategically against ransomware hackers. “You’ve got to put your security resources into defending the organization against their tactical goals, which is essentially what we’ve been doing in IT security for years,” he explained. “The challenge today is the attack surface is much larger, as it encompasses the end-to-end enterprise landscape.”
He emailed a document describing EPAM Systems’ attack surface, which is composed of known online assets, unknown online assets, rogue devices, vendors, inbound transactions and outbound transactions. The document plots the anatomy of a cyberattack, from the threat actors’ gathering of information about the target organization through their delivery of the initial malicious payload and subsequent evasion tactics, which are designed to discern system vulnerabilities. A second malicious payload is then deployed to take advantage of the weakness.
“Tactically, you need to draw a map of the technology landscape and secure it on an end-to-end basis,” said Rehman, advocating the use of the CIS (Center for Internet Security) Controls framework, a prioritized list of 20 best practices for protecting organizations and data from known cyberattack vectors. “You want an active and agile defense that is focused on prevention, deterrence, detection and response,” he said.
Once an intrusion is detected by EPAM Systems’ internal security operations center (SOC), an active response is executed using a combination of technology solutions and processes to monitor the intruder’s movements. “The actions determine the level of response by our SOC team in coordination with our legal, communications and incident response organizations,” Rehman said. Corporate policy does not allow him to delve into the particulars of the firm’s incident response tactics.
At Southern Methodist University, CISO George Finney follows a similar set of tactical protocols. Schools have been a persistent target in ransomware attacks. “We’ve been at this for a long time,” Finney said. “Nobody wants to be the next SolarWinds or Colonial Pipeline.”
He emailed a list of 15 tactics designed to protect SMU’s infrastructure against ransomware and other malware. They include requirements for multifactor authentication, the patching of operating systems and third-party software within two days of release, the use of modern antivirus systems that rely on artificial intelligence and machine learning tools to distinguish malware from legitimate data, and data and system backups in case the primary network is encrypted and unavailable for use.
With regard to the last tactic, Finney, author of the recently published book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, said, “You need to approach cybersecurity with the end in mind, understanding that malware is inevitable and the only way to fully protect yourself is a fallback plan.”
Núñez pursues a similar tactical approach. “Once an attacker is inside the network and begins encrypting, your options are limited,” he said. “The first thing you need to do is identify where the attack originated to reduce the blast radius of what gets encrypted. Then you close that door down and flag it for the SOC team to do the forensics.”
As the leader of Jack Henry’s cybersecurity and threat intelligence teams, part of his job is to constantly gather information on incidents like the Colonial Pipeline and JBS ransomware attacks. “I study how the incidents occurred from a technical standpoint to learn where we might be vulnerable and how best to patch the weakness,” he explained.
Each time malware is identified in a system, he and the company’s CIO Rob Zelinka jointly inform the CEO and the board. “Knock on wood, we have yet to be compromised at a level requiring a ransom,” he said. “We hope to keep things that way.”