Ransomware is taking the world by storm since the lockdowns of 2020. With record unemployment due to forced halting of economies and movement around the globe, without doubt some programmers with notable skill were negatively affected. Surely some have found homes in the rising number of groups engaging in ransoming of data and service.
Recent cases such as the Colonial Pipeline and Norsk Hydro hacks, with payouts of $4.4 million and $71 million respectively, show how lucrative such operations are. IT security operations are usually underfunded and notoriously understaffed, if not in headcount then certainly in talent. Such teams are classically seen as “cost centers” to financial types. Even in good times, corporate boards are unwilling to spend the necessary cash to find or develop talent necessary to handle such threats.
As explained by a close contact high up in the financial industry, “Why would we pay millions for talent when it’s cheaper for us to have an adequate insurance policy? It’s not like business leaders are under any threat to themselves [legally] or their companies from a hack.” Risk is calculated by actuaries. So long as their risk is perceived as covered, IT security remains a distant concern only insomuch as governance mandates.
Cyber liability insurance is starting to price in the risk of ransomware by utilizing “sub-limits”. For example, such stipulations may only pay out $25,000 for ransomware incidents, despite the insurance having potentially multi-million dollar limits for other cyber incidents. Without such initiatives companies may never have incentive to practice security measures which could prevent such incidents.
Governing bodies, such as the state of New York, may move to ban municipalities from paying out ransom demands, opting for initiatives such as a “Cyber Security Enhancement Fund” which limits ransom payouts to instead focus on upgrading security posture. The US Department of Treasury has warned companies that facilitate ransomware payments as a third party may face future economic sanctions for encouraging crime and future ransomware payment demands.
The astute reader may wonder how mature organizations are still being crippled by having mainline systems disrupted by ransomware, as data backup policies and procedures were well-defined and put in place since at least the 1990s. The current predicament proves the point that many (most?) organizations, even cyber-conscious ones, are failing to adequately cover basic system administration and networking practices. With the “cloud” now opening up perimeters worldwide, the effort for corralling systems and assets are more difficult.
History has cooled worries of executives about negligence and responsibility for data breaches and hacks. Equifax, one of the largest credit bureaus in the USA, received a mere slap on the wrist after hundreds of millions of peoples’ records were stolen. SolarWinds executives blamed a lowly intern for mismanagement of their server credentials. With no incentive for improvement for improvements sake and no pain for neglecting to secure infrastructure digitally, expectations of improved security posture for most organizations seem dire.
How many employees are bribed by outside forces to simply “run a program or command” from their work machines? Russian Egor Kriuchkov was found guilty of bribing a Tesla employee for $1,000,000 to place ransomware in the company’s battery plant network in Nevada. With such large ransoms being paid and the relative ease of insider threat attack models, expect threat actors to increasingly lean on this method in the future.