Sarah Meron, IBM; Bob Pearson, Next Practices Group; and Courtney Adante, Teneo

It is not a big surprise that the first episode of ransomware in the world of technology occurred in 1989, the same year that Tim Berners-Lee designed the plan for the World Wide Web.

In the 32 years since, we have seen ransomware evolve from personal attacks to the work of highly sophisticated organized crime gangs that have built a new economic model, Ransomware as a Service (RaaS), that rivals the best software companies coming out of Silicon Valley.

Their areas of focus remind us of the famous quote by the bank robber Willie Sutton, who was asked why he robs banks. His answer was “because that’s where the money is.”

Ransomware organizations target the wealthier countries of our world and specific industries that are believed to be less secure. Based on actual ransomware attacks in the last 30 days, Professional Services is the lead industry, followed by Internet Software and Services, Construction and Engineering, and Education Services. Other industries are not far behind.

We often wonder how hackers get into our systems. Security experts know that there are well over 200 common ways to breach our systems.

The good news is we know a decent amount about who is conducting these attacks. About eight organized groups lead most attacks on our organizations. We know where they are based. We can figure out their modus operandi, ranging from how they attack us to what types of requests they routinely make for ransom. We know they are often inside our organizations for up to 280 days before they alert us. And more.  

The question is what we can do to improve, which was the subject of our Page Conversation on October 18. 

We start by taking these organizations seriously. They are technically proficient, smart, and savvy about how to extract value from us, and they are counting on us to be filled with surprise, fear and anxiety that cause us to panic and pay their ransom request.

Here are five actions we can take to prepare and get ready to represent our interests more effectively. 

First, we improve our listening and intelligence on bad actors. Imagine our current listening platform, which tells us what is happening related to our organization. Now add social channels, forums, additional search engines and key areas of the dark web to our listening profile, so we can watch how bad actors plan, act, recruit and go about their business.

Second, we can develop new red team scenarios where we learn how to prepare, negotiate, and take appropriate action. We must remember that we are dealing with criminals, not activists. The rules of engagement are different. And, we should red team, in advance, so our leaders do not react emotionally in the throes of an attack.  

Third, we should always think through in advance who we will need to contact, including our customers, legal authorities in key states, federal authorities, law enforcement, our Board, our employees and more. The cadence of how we do this can be as important as the message since these scenarios often play out in private for days or even weeks.

Fourth, we need to band together to find, track and expose bad actors. We should share our learnings with peer companies privately, so we can all learn closer to real time how ransomware is occurring. We need to improve what we can provide to authorities to make it easier for them to pursue justice.

Fifth, we should be ready to negotiate or even say no. Bad actors can’t make money unless our organizations or our insurance companies pay. Once they try to sell our data, we have a better chance of locating them.

And finally, we need to all be supportive of each other and realize any organization can be targeted. We should not be embarrassed or ashamed. We should not try to sweep the issue under the rug. 

The bad actors of our world are hoping that we stay fragmented, that we don’t share our learnings and that we are filled with fear and anxiety about what could happen.

If we don’t give them that satisfaction and we band together, share our learnings, and prepare in advance to represent our interests, we have taken one of the key steps towards minimizing their impact.  

Technology doesn’t change the crime. It just changes the approach and the sophistication of the criminal.  

And with that knowledge, it is equally important that we evolve with the world we live in.