It鈥檚 not the first time I鈥檝e seen something like this happen, and it certainly won鈥檛 be the last.聽
During my time as an auditor at the North American Electric Reliability Corporation (NERC) in Critical Infrastructure Protection (CIP), I discussed this topic regularly about how a business IT system can indirectly impact OT (operational technology) systems. The world of industrial control systems is a scary one considering how much we rely on them.
So when I saw the news about Colonial, one of my first thoughts was to reach out to my colleague and cyber expert, Joshua Motta, the CEO and co-founder of 杏吧传媒 partners with Coalition to provide basic security awareness training to their policyholders for cyber insurance, and we connected for a webinar late last year to discuss the biggest cyber threats in 2021 and beyond.
Joshua has seen it all over the years, and he鈥檚 not even 40 (he just made the San Francisco Business Times list of 40 Under 40). He sold his first business to Microsoft at 15, worked as a nation-state adversary for the CIA, and now he鈥檚 on a mission at Coalition to help organizations prevent cyber incidents, and assist them with response and recovery in the event of a cyber attack.
One of the things that stood out to me the most about the Colonial incident was the scope of how ransomware can impact a business through trickling down to other parts of the organization鈥檚 infrastructure.
Joshua agreed, reminding us of how everything is interconnected. 鈥淲e see these ransomware attacks every single day, and it just varies on what鈥檚 encrypted plus parts of what they got access to,鈥 he said. 鈥淚n this case, if it鈥檚 billing, you can鈥檛 operate a business if you can鈥檛 bill your customers.鈥
While everyone in the security industry鈥攁nd now the mass media鈥攊s talking about how ransomware is getting worse, Joshua said that if you look at the annualized claims data from Coalition policyholders, not much has changed from a claims perspective. But the severity of ransomware has increased as threat actors have become more sophisticated, and we saw the average ransom demand increase 2x from the first half of 2020 through the second half of the year.
鈥淭he other part of this equation is severity,鈥 Joshua said. 鈥淏ut the much larger cost is all the other things: the incident response, business interruption, income losses鈥 it鈥檚 an open question of how this actually impacted supply, or radically changing demand. Was there actually a shortage of gasoline, or was this the panic from the media frenzy?鈥
The sky isn鈥檛 actually falling. It鈥檚 been like this for almost two years now. People are finally taking notice of ransomware because they had to pay a couple of extra bucks to fill their gas tank.
Joshua Motta
CEO, Coalition Inc.
It鈥檚 ironic that it was this type of attack that drove this mass awareness of ransomware despite the fact that cyber attacks are an issue that鈥檚 been at a pandemic level for a while, Joshua shared. According to what they鈥檝e seen at Coalition, the severity of ransomware attacks peaked in the first half of 2020 and has been decreasing slightly ever since. So essentially the total cost has gone down.
This has been an eye-opener for a lot of people, though, as we鈥檙e now looking at how the macroeconomic impact was much bigger since it personally impacted consumers. And it wasn鈥檛 because there was a lack of supply of gasoline, but the ensuing panic of people going out of their way to fill up or hoard gas because they did think the sky was falling, thus resulting in the shortage. Remember 鈥渢oilet-paper-gate鈥 at the beginning of the COVID pandemic?
And this is where I鈥檓 starting to think about how major cyber events could impact other industries. These short-term blips on the market ultimately could be caused by something like ransomware.
Take phishing, for example. If an online account is compromised, with the hacker obtaining a user鈥檚 password for an account without multi-factor authentication (MFA) enabled, it can ultimately lead to an entire system being shut down.
鈥淭hese supply chain attacks are super tricky,鈥 Joshua said. 鈥淭he root cause is poor cyber security hygiene, and unfortunately it鈥檚 endemic across the U.S. economy. That鈥檚 why companies are being targeted.鈥
Something that really got my attention was when Joshua shared how these cyber criminals, once they鈥檙e inside a system, are largely making a determination to encrypt literally based on whether or not it鈥檚 worth their time.
鈥淲e have data showing threat actors have lists of companies to target over $1 billion in revenue,鈥 Joshua explained. 鈥淭here could be someone dormant in your network. A lot of these groups are going big-game hunting.鈥
Call it what you will, but hackers are essentially creating what we call a target list like account-based marketing to focus on their 鈥減rospects鈥 to victimize. Why? Because they know they have money to pay.
At the end of the day, Joshua said that鈥檚 their guidance: don鈥檛 pay the ransom unless you have to. 鈥淲hat鈥檚 worse, paying criminal organizations, rewarding them for criminal behavior, or the survival of a business鈥攑articularly small businesses鈥攁nd those are the ones who might not survive and be entirely disenfranchised?鈥 Joshua opined.
The ransomware business model has evolved. It鈥檚 gone from hitting a single computer to an entire business network. It鈥檚 gone from not targeting backups to actively targeting backups. It鈥檚 gone from just encrypting data to exfiltrating data and threatening the privacy of that data.
In short, every single one of these technological innovations is increasing the leverage that cyber criminals have over their potential victims.
Joshua and I both agree that most of the attacks we see are not complex in nature. If organizations did some basic cyber hygiene, they can help prevent a devastating attack and at least keep themselves out of the spotlight. Here are some basic recommendations for cyber security best practices to prevent ransomware.
We鈥檙e all in this together to educate organizations and their people on cyber security best practices to prevent ransomware. To get started, sign up for a free account and start monitoring your attack surface right away, and also request a free trial of Curricula鈥檚 security awareness training.
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
