Why do cyber gangs win? Because 'bad guys' talk to each other - interview


Ransomware attacks have gotten a lot more sophisticated over the years. Technological advances, however, are just one side of the coin. Threat actors are also better at sharing insights than the people defending against them.

Ransomware attacks plague the corporate world. Every week more than 1,200 organizations fall victim to ransomware worldwide.

The prevalence of ransomware is best illustrated by a recent report showing that malware-fueled extortion makes up 69% of all cyberattacks against organizations. The problem is seemingly spinning out of control: the number of ransomware attacks this year grew by 30%, even compared with a record-breaking previous year.

While some cyber gangs, like the notorious REvil, responsible for extortion attacks against meat supplier JBS and software company Kaseya, were likely hacked by government agencies themselves, new cartels continue to spring up.


According to veteran security expert Bob Scalise, Partner, Risk and Cyber Strategy at Tata Consultancy Services (TCS), one of the reasons it is exceedingly challenging to combat cyber gangs is that while threat actors share information among themselves, companies hesitate to cooperate with competitors.

"The attackers are very good at sharing information about their targets, about their victims. On the good guy side, we're much less willing and much less sophisticated at sharing information about what we're seeing in the threat landscape," Bob Scalise said.

In light of Cybersecurity Awareness Month, we sat down with him to discuss how companies act and what they should focus on with a malware-based sword of Damocles hanging over their heads.

Double and triple ransomware attacks have become the norm in the last couple of years. What's next in line for businesses?

What we've seen the last year or two we're going to continue to see. Increasing ransomware demands, increasing volume and complexity, and increasing sophistication will continue. The cat is out of the bag. I think the criminal elements realize that this is an effective way to monetize their capabilities.

And the victims are core corporate America and businesses around the world. It even does extend down into individuals. You and I, and our families and our personal lives, also become victims of these attacks. We see that trend continuing into the near and foreseeable future.


FBI and CISA advise businesses not to succumb to ransomware demands during an attack. Many, however, do pay up. What's the best course of action for a company in that situation?

It depends on the situation, and every company in every ransomware situation is unique and different. From a US government standpoint, and I think around the world, we would say, 'No, the wrong thing to do is to pay the ransom.'

The reality is that a lot of companies have already purchased cyber insurance. They've done it partially for that reason. And often, it's in their best interest to engage that policy and have that ransom paid so they can get their data back and continue their operations. So that is the reality on the ground. But, of course, each situation is unique.

Now, from our standpoint, we try to work with companies ahead of time. To try to get the defenses in place, so they're not in that situation where they need to rely on their backups. But there's no cookie-cutter approach. Everyone is very unique.

Ransomware itself isn't new. However, it seems many businesses were utterly unprepared to face this threat. Why do you think that is?

The sophistication of the attacks has improved. The attackers are very good at sharing information about their targets, about their victims. On the good guy side, we're much less willing and much less sophisticated at sharing information about what we're seeing in the threat landscape.

That collaboration is happening on the dark side. It's not happening as effectively on the good side. We're helping our clients with that and helping them get over that hurdle to collaborate with their competitors. Get in the room and share data amongst competitors because you're all seeing the same thing and are being targeted by the same groups.

But you're right. Ransomware itself is just a form of malware, and it's been around for a decade or more. It's, however, easier to monetize with cryptocurrency than it was ten years ago. And that probably led to its proliferation and more widespread presence.


How have companies adapted to the looming threat in recent years? What are the latest developments in the field?


A lot of companies have started to address this risk. And it's focused on two things. First, it's focused on their people. And I would say the other aspect is focused around their vendor, their third-party ecosystem.

The reality of most of the attacks we've seen in the last several years, it's one of those two entry points. It's either a weakness in the employee side of things or a weakness in the vendor, the third-party ecosystem.

From the people side, it's two things. It's awareness and training, and that sounds so vanilla and so plain, but that's the reality of it. Educating people on what to do and what not to do is still a great defense. Now it's shifted a bit. We used to just take a checklist compliance approach to educating people: show them a video about common security terms and then make them sign off that they watched the video once a year.

Now we're moving towards giving them the training to build their confidence to identify phishing or spear-phishing or a ransomware-type attack and know what to do. So, it's a little bit different from just teaching terms and password management and telling them not to hold the door open for a stranger. The other side of the people thing is that we're starting to see companies financially rewarding or punishing employees based on compliance.

Similarly, on the vendor third-party risk side, you would do a SOC 1 or a SOC 2 report, and you get those from your vendors. And that was enough, and you'd kind of refresh that periodically every year. And now it's evident from what we see, given all the attacks through vendor ecosystems, that companies are pressuring their vendors to be part of that third-party risk management ecosystem. Everything from personnel requirements to data privacy and incident response, they want to understand all of that about their vendors.


Going after ransomware cartels seems like an endless whack-a-mole game with one cartel immediately replacing another. Do you see any significant policy changes that might help to close the floodgate?

The biggest tool that I have seen recently is companies able to reclaim or recover some of those lost funds. I call it asset recovery. We see a little more of that because I think the reality is that organizations and governments realize that attackers are sometimes vulnerable. Their digital currency wallets are vulnerable too.

I think there's been a little more focus on recovering some of those assets. Does that just raise the bar in terms of what's asked for and what's demanded in the next round? Perhaps. I don't envy law enforcement in trying to deal with this, what we call the scourge of our times. Not to mention the retail side of it and the consumer side of it, and all of the issues that individuals have with it as well. So, they have their hands full, and there's no obvious tool to me that we're missing.

The important thing is diligence. It's working on the front end with organizations like us. We're working with our customers on the front end to prevent it, to have a very thought-out, practiced response process for how you're going to handle an attack. Who you're going to notify in terms of breach notification, whether it's your customers you have to notify, or law enforcement, if you have to go that route.


Having all of that practiced makes it a lot easier to handle it at the moment. Because the reality of it is that this stuff always happens on a weekend or a holiday. And so, the more you've practiced it, the more it becomes second nature. And it's not as much of an imposition on your teams.
