Ransomware is no longer just a financial crime, it is an urgent security risk that threatens businesses and government agencies around the world. In response to this growing threat, the Ransomware Task Force (RTF) formed in December 2020, under the guidance of the Institute for Security + Technology (IST). The RTF ᠆ made up of government and private-sector organizations from the United States, Canada, and beyond ᠆ was given the imperative responsibility of finding effective new methods to counter the ransomware threat. In April 2021, the RTF launched its seminal report which included 48 recommended actions.
On Friday, May 20, 2022, I had the opportunity to participate in the Institute for Security + Technology’s ‘Combating Ransomware: A Year of Action’ event in Washington, DC. The event marked the one-year anniversary of the RTF report. The day was not only a celebration of the efforts of the RTF and its working groups, but an open conversation about the state of ransomware around the world. While great strides have been made, we acknowledge that a great challenge still lies before us in stopping ransomware.
This blog summarizes key takeaways from the event:
- The Ransomware Task Force is making considerable progress towards solving the challenge. The promise is being kept.
- All parties need to make it easier and more friendly for businesses and organizations to report ransomware, so that we can learn from the attacks. This helps fill the gaps in our knowledge of the actors and their tactics.
- Building collaboration across the cybersecurity community is essential. Information and effort sharing will pay off in exponential progress toward defeating ransomware actors.
- Cryptocurrency might enable adversaries, but we’re progressing quickly towards successfully attributing payment transfers to them.
- The community needs to help smaller businesses not only with access to and economical pricing for tools and training, but with making it all digestible in plain terms.
I recommend readers take a few moments to read the official “The Ransomware Task Force: One Year On” report for more detail.
A Year of Headlines Attacks
Looking back over 2021, it was evident that ransomware events were on the rise. There were numerous headline attacks. From the Kaseya supply chain attack, the Colonial Pipeline attack, the attack on the Oldsmar, Florida water treatment plant, to the re-emergence of our old nemesis REvil group, one might wonder if we’re in an unwinnable uphill battle against these threats. Kemba Walden, Principal Deputy National Cyber Director, Office of the National Cyber Director put it in a great perspective by stating that: “Ransomware is the malware deployed at the end of a long series of crimes”. What’s important here is that good cyber hygiene is critical to closing the gaps that let ransomware actors in. Every defense measure that you can take is a step in the right direction, no matter how small.
I can confidently state that due to the collective efforts of public and private industry partners, as well as the efforts of individual businesses to protect themselves, we are making notable progress in identifying, stopping and preventing attacks. You could feel the momentum in the room at the RTF event. Participants were openly sharing their successes, tips and tricks. Our goal now is to optimize our efforts and make it easier for businesses to prepare.
From the introductory remarks to the closing ones, there were several common themes throughout the day. One which struck me as a critical success factor in ransomware defense was the call from senior government and agency officials for businesses to voluntarily report ransomware events. Without the knowledge of what’s happening to our businesses, those in charge of combating the issue are doing so with an incomplete view of the ransomware landscape. US civil organizations must now report to CISA on all ransomware events, but not yet all businesses. While the US seems to be leading the effort, governments around the world have prioritized ransomware reporting as well, and are working with each other to share information. Regardless of your operating country, your input may help mitigate and prevent attacks on future victims.
Unfortunately, many businesses either purposely or inadvertently bypass regulators and authorities. Some may be concerned about embarrassment or even repercussions for having immature controls. Others mistakenly just deal with their cyber insurers to solve the issues. And yes, while it’s been estimated that 98% of ransomware actors keep their word and release the encryption/return the data, double extortion is a real threat. You may pay and still lose through data exposure in the dark web, or opening yourself up to becoming a repeat target.
Governments need to make it easier and more comfortable for businesses to report to achieve this goal. This includes improving the feedback loop so that ransomware reporters understand how their input was used and any outcome of the disclosure. For example, on May 19, 2022, the US Attorney General took a positive step in this regard announcing that ‘good faith’ cybersecurity research can no longer be charged, so long as the goal is for learning and information sharing with authorities.
We’re all in this fight together, so please report any ransomware incidents to your local authorities or CISA whenever possible so that we can collectively observe, learn and build defenses to these attacks.
Cohesive collaboration is critical for improving our odds against attackers. Considerable progress has been made, both in developing alignment and collaboration between national governments (even inter-agency) and the public and private sectors. However, there is still so much more that can be done. To be successful, we need to share information quickly and openly. National Cyber Director, Chris Inglis, eloquently summed it up by saying that “If everyone doesn't work together, it won’t work. Consider this ‘Resilience by Design’.”
In her address to the audience, Jen Easterly, United States Director of the Cybersecurity and Infrastructure Security Agency, noted that we need to ‘bring operators and technical people to the same table’. ‘Government representatives and spokespersons should be informed, but not soloing or piloting the issues’, she continued.
Throughout the day there were similar calls to governments and businesses to bring their technical staff to the forefront and share a seat at the table when it comes to cybersecurity policy development and organizational stewardship. You’ll need this collaboration to scale your efforts.
The official RTF report provides more detail on these collaborations and their progress.
Cryptocurrency and Ransomware: The Chicken or the Egg Debate
Through its growth and adoption cryptocurrency has always had its detractors. No more so than the cybersecurity and law enforcement community who have spoken up against its use by the underworld to extort and stealthily shift funds around the world. A few may even blame cryptocurrency for the rise in ransomware. I tend to disagree. I think it's a mix. Cryptocurrency is an enabler. However, adversaries are also more advanced in their tactics and techniques, and can easily apply them against a landing ground of organizations that have been complacent in, or don’t yet understand how to protect themselves ᠆ but I digress.
The problem of how to transfer and hide huge sums of ill-gotten gains without getting caught had always been a speedbump to ransomware actors. However, in the past few years cryptocurrency became a significant enabler, and has created an almost perfect solution; It's fast. It's easy. It's largely anonymous, and it’s almost impossible to trace - or so they thought.
In reality, criminals are leaving immutable fingerprints on the blockchain. What’s missing is the ability to attribute those fingerprints to the actors. For example, lead investigatory processes have determined that of all known ransomware payments, they all landed on 5 points of exit, to 200 ‘addresses’. Of known payments, 80% come back to 25 addresses. What’s this mean? Once the capability to attribute is achieved, unfettered use of cryptocurrency will diminish greatly.
While many panelists and speakers throughout the day disagreed on the role of cryptocurrency in ransomware, one thing that they all agreed on was the need for the cryptocurrency market to establish some form of self-regulation and reporting that can co-exist with the conventional Fiat market.
Enabling SMEs to prepare and respond to ransomware
The most relevant theme to me, and to our ActZero audience, was the challenge of informing, encouraging, and aiding small- and medium-sized enterprises (SMEs). This need was ever-present in discussions. There was a cognizant acceptance that public and private sector cybersecurity organizations and vendors need to do more to provide guidance, tools, and support to SMEs.
To this end, I have summarized some of the quick things that businesses can do to prepare themselves for a ransomware attack:
- Old legacy passwords and lack of multi-factor authentication (MFA) are the top targets of ransomware actors. If you don’t already have an MFA solution for your business and personal accounts, get it now.
- Old technology and outdated software are killers. Ransomware actors are always looking for targets that have wide-open security gaps, like not applying patches. Yes, constantly updating is time-consuming, but so is having your business sidelined due to a ransomware attack.
- Stop thinking of cybersecurity simply as ‘keeping the bad guy out’. It’s really about ‘stopping the bad guy wherever they are’. You won’t stop everything, no one can, and any claim to that effect by vendors is an outright lie. Your goal is to stop what you can, and focus on reducing impacts.
- Having a good threat detection solution is one of the most efficient ways to achieve this goal. Manual response based on human decision making alone doesn’t work. The community needs to get behind using artificial intelligence (AI) and machine learning (ML). Based on this, I’d argue that having a managed detection and response (MDR) provider like ActZero that is built on AI and ML is not only important, but a necessity.
NOTE: Watch for an exciting announcement coming out in July from the Ransomware Task Force on ransomware defense controls specifically designed for SMEs.
Keep moving forward
It’s too early to predict the timeline of when we’ll finally be able to sound the death knell for ransomware, but we’re certainly on the right path. We need to all work together to maintain a focus on protecting ourselves, our businesses, customers and citizens from this ransomware scourge, and other cyber threats. Continued collaboration and more data are key. As noted earlier, if you (or in the case of cybersecurity vendors, your customers) are hit with a ransomware attack, inform your local authorities and CISA so that they have better data to help ensure we can eliminate gaps in knowledge.
Let’s work together to cover more ground in our journey to build collective ransomware resilience.