In response to reports that the FBI has announced that BlackByte ransomware has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months, IT experts offer the following comments.
Despite the amount of news coverage devoted to ransomware attacks, no amount of awareness seems to stunt their growth. Ransonware-as-a-service (RaaS) is the new mafia. As we are seeing with small players like BlackByte, as the cybercriminal underclass grows so will the black market for ransomware, malware, exploits and sensitive data harvesting.
With these shadow markets in place, hacking skills aren’t needed to target organizations across any industry: nation states, terrorist groups and profit-seekers can infiltrate a business by simply paying someone else to do it for them. It doesn\’t take god-like powers to pull off a ransomware attack, all it takes is the basic knowhow to exploit backdoor channels hidden across all modern websites and applications.
The critical infrastructure sector has been plagued by ransomware attacks, as the criticality of the systems makes quick recovery vital, which increases the likelihood that the victims will pay the ransom. This same criticality also makes law enforcement attention much more likely. However, given the low success rate of law enforcement busts, this is often a chance the groups are willing to take.
Critical infrastructure and many government entities are especially vulnerable to ransomware attacks as limited budgets, aging equipment and shortages in cybersecurity staffing all pose significant challenges for the defenders of these networks. These groups must focus on the top attack vectors used in ransomware attacks, usually email phishing and attacks on remote access portals. Training the users to spot and report phishing emails and improving the organizational security culture, along with ensuring remote access portals are monitored for brute force attacks and that credentials being used have Multi-Factor Authentication (MFA) enabled are some top ways to counter these threats.
It is imperative that organizations understand their exposure to ransomware and other attacks in financial terms, and especially in anticipation of increased threat activity. Only through quantification can organizations understand the potential financial impact of new and increased attacks, and justify the investments that are necessary to adequately prevent and mitigate them.
A large failing in the cybersecurity industry has been a lack of transparency from victims on how attackers breached their organization. I fully understand the potential legal liability or reputational damage that may result in an honest accounting of the attack timeline including possible failures or negligence that contributed to the incident, but the outcome of not publishing this analysis means that many organizations are left uninformed on where their own exposures may be. After all, many cybercriminal organizations use very similar techniques in attacking multiple victims. A detailed analysis of events would raise awareness for everyone. For example, how was the initial foothold gained? Was the victim running anti-malware software? Did the attackers bypass the anti-malware solution completely or were their initial attempts correctly flagged but dismissed by defenders because they were listed as “cleaned” or “quarantined”? As technology becomes core to our most critical institutions, we must change our mindset on communicating this information. The same way wouldn’t tolerate an airline refusing to provide a detailed account of an aviation incident to mitigate risks from equipment or procedures, we should demand that similar reporting and root cause analysis be made public where possible for cybersecurity breaches.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics