Yes, it can happen to you too
Posted by: GuidePoint Security
Tristan Morris and Victor Wieczorek, published Jan 12, 2022 1:00pm
We may only see the high-profile attacks covered in the news, but ransomware is a universal problem
If you head over to the Wikipedia page for 1989 and expand the “Events” header, you’ll find some interesting historical firsts for technology. The first consumer GPS units–like the 1.5-pound, $3000 Magellan Nav 1000–hit the market to take advantage of the first civilian-use GPS satellite’s launch in February. The early foundations of the web were laid out by Tim Berners-Lee in a written proposal in March. June brought the world’s first HDTV broadcasts in Japan. Nintendo released the first GameBoy in July. North America’s first commercial dial-up connection was made in November (unfortunately paired with the not-quite-as-fun first dial-up modem screech). While each of these was a monumental accomplishment in its time, they all grew and evolved and changed rapidly to have an incredibly outsized impact on our lives today.
Interestingly, one thing you won’t find on the page is the name Joseph Popp, or any mention of his unfortunate and unheralded contribution to the list: the first mass distribution of ransomware. I won’t go into the story too much–if you want to read a breakdown of how he launched the world’s first ransomware campaign you might enjoy reading Reckoning with Ransomware–except to say that, much like Tim Berners-Lee’s foundational proposal for a global internet, Joseph Popp laid a cornerstone for what many now consider to be the largest threat in cybersecurity.
Over the course of the 90s and early 2000s, ransomware went through a growth cycle. Early attackers wrote their own encryption code and payments were mailed to PO boxes. But the mid-2000s saw a shift towards sophisticated, established encryption methods, and in 2009 the introduction of Bitcoin revolutionized the ransomware game. The promise of anonymous, untraceable payments significantly lowered the risk of ever being caught, and just like that ransomware evolved from an attack into a business model. The 2010s saw the proliferation of ransomware as a service. 2017 brought ransomware to the forefront of public discussion with attacks like WannaCry and NotPetya making the nightly news. The attacks got easier, the payouts got bigger, and the cycle continues.
But why am I talking about all this? If you’ve been in this industry for more than a month you’ve probably already seen a dozen high-profile attacks in the news. Anyone can look back across the last year of Week in Review news roundups posted in GuidePoint’s blog, and they’ll be hard-pressed to find a week that doesn’t mention ransomware. It’s ever-present; we all know it’s a threat. But from my perspective, I still see a glaring issue with the way ransomware is treated in our profession: there are too many people in our field who still view this as a problem for big companies, big targets with lots of money and sensitive information being targeted by sophisticated actors.
The reality is that ransomware has become so commoditized, so pick-up-and-play, that no one is really safe. And it’s not just ransomware as a service that makes this an issue; it’s the fact that there are open-source, free tools that are easy for anyone with a bone to pick to find and use. The elimination of the cost that ransomware as a service carries means ransomware is now completely viable as a destructive attack with no real intention of collecting payment, and that means the target pool has expanded significantly. A small, local law firm may not be a big enough organization to get hit by an established ransomware gang, but it’s a whole lot cheaper and easier to ransomware your legal troubles away than it is to hire a counter-defense and go to trial.
So if you find yourself reading this week’s news review and wondering “Could this happen to me?”, the answer is yes. The coverage may focus on the flashy attacks, the nation-state hacking groups, and the high-profile extraditions and arrests, but we have to stop thinking of ransomware as a big problem for big targets. If that’s all we focus on, we’re just putting our organizations–and ourselves–at risk.
But I can’t end on a downer like that.
There is a silver lining that comes from the increased attention these attacks are getting. The continuous stream of high-profile incidents and seemingly endless coverage means that there is a willingness to allocate budget to projects that may otherwise go unfunded. Teams that might previously have struggled to get funding for basic block-and-tackle security investments–like infrastructure, penetration testing, or even just assessments–can leverage the threat that ransomware poses to loosen the purse strings for these critical investments. It falls to us as security professionals to not squander this opportunity. We must be good stewards of any budget this brings our way so that we can better prepare for the next evolution and wave of attacks.
And on that note, there is good news that comes from all this simplification and rampant proliferation as well, and it’s that we know how to defend against this. We know what vulnerabilities are most likely to be exploited by an off-the-shelf attack, so we can plan and test for them in a penetration test. We have years of threat research and attack frameworks built out to tell us what to look for so we can detect and cut off an attack earlier than ever before. We know what actions an attacker is likely to take in the event of an incident, so we know what a good incident response plan looks like and can build to that standard. Ransomware isn’t going away anytime soon, but the tools and strategies that we need to fight against it already exist.