In recent months, barely a week goes by without news of another large company falling victim to ransomware, either brought to a halt or extorted. Anyone reading this has some recent examples in mind. It is a devastating epidemic that, let’s face it, is not going to stop anytime soon. At least not until, as with the viral pandemic we are also living through, we manage to coordinate all the relevant forces globally. Let’s look at the minimum that would take.
The global COVID pandemic has taught many people basic concepts that carry over directly to cyber security. For instance, the importance of layered security and complementary mitigations (ventilation but also masks, hand washing but also social distancing… even when vaccinated). We have also learned to question a false sense of security (is a mask outdoors really useful in every circumstance?). We have learned to weigh the risks and benefits of a given measure (the potential side effects of a vaccine against the real risk of infection)… Perhaps, with all this, the average user is better prepared to understand that a complex problem such as ransomware requires multiple complementary approaches, but only once the severity of the threat is understood. Until then, defensive measures tend to be erratic, incomplete and insufficient: a process of trial and error (we went through a phase of underestimating the danger of the coronavirus, initially emphasising gloves until the focus shifted to masks as more research came in…). Did anyone believe that social distancing and masks alone would end the pandemic in 2020? Let’s be honest: deep down we knew they were necessary, but not sufficient. We always hoped for vaccines, because we knew something was missing from the equation. We were “defending” against the virus, but not yet “attacking” it as a strategy. And that is perhaps where we stand today if we draw the parallel with ransomware. Something else is missing.
Something very similar happens in security. The first step is a good understanding of the risks, and that is what reality is now forcing on us, with a great deal of discomfort. The next is to propose mitigations that (again, let’s be realistic) will not be effective on their own or in the short term. Unless all strategies and all actors work together globally, persistently and with the same level of maturity, the strategy will fail, and we will continue to suffer more or less aggressive waves of attacks.
They Are Way Ahead of Us
The malware industry took shape in the early 2000s, when cyber security was still called computer security and was regarded as a niche for enthusiasts. Attackers are way ahead of us when it comes to organising attacks and connecting them to the global crime industry. First they tried to get rich with banking trojans; when the legitimate industry reacted and that loophole closed, and as we became ever more dependent on digitalisation, they turned to extortion, the formula they refined and still rely on today. First by locking users’ screens, then by encrypting their files. Next they moved on to hijacking SMEs, then large companies, then organisations of every kind and finally the critical infrastructure of entire countries, which is where we are now. They do not hesitate to attack where the impact can put lives at risk or destabilise a country, wherever they know it is easiest to get paid. In those circumstances, following the mantra of “don’t pay” is not so easy.
The legitimate industry matures at a different pace, and a much more reactive one. Although it may not seem so, where we are perhaps best positioned is in company awareness (there is no longer any alternative) and, to a degree, technically. We concentrate on patching and responding, auditing and certifying, within our budgets. That prevents many security problems. But attackers move faster at the technical level (harder targets, more complex vulnerabilities, exploited earlier and better), and in a pure race on that ground we will always lose. We will not move fast enough against the ransomware industry unless we bring other actors on board. As with the pandemic, what will change the rules of the game and bend the curve is not individual “technical” responsibility alone, but global coordination at the scientific, economic and legal levels: in other words, the cyber equivalent of the enormous global public-private and logistical effort that the vaccines represented.
What Is the Vaccine for the Ransomware Epidemic?
Everything counts, but the most important thing is to coordinate so that attackers no longer find this type of attack worthwhile: discourage them technically (the cost of breaking into certain systems), economically (the profit from extortion) and legally (the punishment if they are caught). How do we strangle them economically? By not paying? It is not that simple. AXA recently took a decision in France: its cyber insurance will continue to cover certain damages, but will no longer reimburse ransom money to clients who give in to extortion. Cyber insurers such as AXA have concluded that this clause normalised precisely the least traumatic exit, paying up, and we can assume that with so many incidents it was no longer profitable either. Normalising payment has not only made the insurance business unprofitable; it has also fuelled the cybercrime industry itself.
But what is the alternative for organisations that will have to close down if they do not pay? Either they give in to extortion and feed the process that strengthens the attackers, or they refuse and lose everything. Here, cyber insurers have yet to find a sustainable and viable model and their niche as a relevant player: insuring companies on the condition of a minimum level of cyber security, and pricing policies accordingly. The aim is to push the industry to minimise risk (so that clients do not need to claim so often) and, in the worst case, to help them recover effectively.
On the legal side, Joe Biden recently signed an Executive Order to improve national cyber security and, in particular, to protect the federal government’s networks. The attack on the pipeline operator Colonial Pipeline was the final straw. The order aims to modernise defences and means that suppliers to the federal government will have to meet minimum standards. And in case laws were missing that would make it easier to prosecute attackers, identify them and impose global sanctions, progress was also made recently on that front: ransomware investigations are to be given a priority similar to that of terrorism cases. Another way to discourage attackers.
In short, the ransomware business must be tackled not only by cutting off the financing of extortion, but also by improving the end-to-end security of companies and by effective laws that prosecute criminals with exemplary penalties. Easy to say, complex to orchestrate and implement.
And Finally, Let’s Not Forget That This Is a Global Problem
Supply chains are a serious problem for cyber security, as the SolarWinds incident made clear. An interconnected world demands global measures at every step of the chain. As with vaccines, none of us is safe until all of us have received our doses. Once we know how to apply all these mitigations from different angles and each actor has found its niche, we must also ensure that they are applied by every relevant actor globally, however small, including those who think it is not their problem (much as the US has used vaccination lotteries to motivate the reluctant).
This combination of global actors, each approaching the problem from its own angle and according to its capabilities, is the best vaccine against ransomware. Patience: given the complexity of the situation it will not be solved in the short term, but it will happen. The necessary elements are already in place. Let us apply defensive techniques on the technical side, and offensive ones at the other levels.