CyberWire Daily - The real costs of ransomware in 2021, 2022, and beyond. [CyberWire-X]

Episode Date: November 14, 2021

Ransomware: the problem that everyone is talking about, yet somehow continues to get worse with each passing year. In 2021, the cost of ransomware to global businesses is estimated to reach a whopping... $20B. The problem has reached such a critical mass that it can no longer be cast away as some unknowable IT problem–everyone from cyber insurance providers to the federal government have taken note. The CyberWire's Rick Howard speaks with Hash Table member Kevin Ford of Environmental Systems Research Institute (ESRI), and ExtraHop's VP, GM of International and Global Security Programs, Mike Campfield, joins The CyberWire's Dave Bittner on this CyberWire-X for a retrospective on ransomware in 2021. Mike shares his predictions on how it will evolve in 2022 and beyond, and what controls enterprises can put into place to build their resilience to the growing threat.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey, everyone. Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the Cyber Wire, and today's episode is titled, The Real Costs of Ransomware in 2021, 2022, and Beyond. As you all know, ransomware is the problem that everyone is talking about these days, yet somehow continues to get worse with each passing year.
Starting point is 00:00:48 Some pundits estimate that the ransomware bill will reach a whopping $20 billion in 2021. In this show, we're going to put on our prognosticator's hat and try to anticipate the direction the ransomware environment will go in the next five years. One program note, each CyberWire X special features two segments. In the first part, we'll hear from industry experts on the topic at hand. In the second part, we'll hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, ExtraHop. Let's face it, cyber attackers have the advantage.
Starting point is 00:01:33 But ExtraHop is on a mission to help you take it back. Regain the upper hand with security that can't be undermined, outsmarted, or compromised. With complete visibility from ExtraHop, enterprises can detect malicious behavior, hunt advanced threats, and forensically investigate any incident with confidence. When you don't have to choose between protecting your business and moving it forward, that's security uncompromised. See how it works in the full product demo free online at extrahop.com slash cyber. That's extrahop.com slash cyber. And we thank ExtraHop for sponsoring our show. Joining me at the Cyber Wire hash table for the first part of our show is one of our regulars, formerly the North Dakota State CISO, but now the new CISO for
Starting point is 00:02:25 the Environmental Systems Research Institute, headquartered in Redlands, California, Kevin Ford. Kevin, thanks for coming on. We're talking about ransomware, and we've had a number of new developments, new innovations, if you will, just in the last couple of years, from both the good guy side and the bad guy side. Ransomware groups have gone after critical infrastructure targets like oil pipelines and hospitals. Their business model has diverged from a one-stop shop to a SaaS model or an affiliate model, if you like, where criminals can subscribe to services like fishing as a service, access as a service, and others. And on the good guy side, we've had international law enforcement organizations increase the pressure on these criminal groups
Starting point is 00:03:05 by conducting influence operations on underground message boards and hacking back to disrupt the criminal infrastructure. In response, some ransomware groups have rebranded or claimed to have disbanded altogether. I think it's safe to say that this is a dynamic environment. So, Kevin, I've asked you to bring your crystal ball to predict what we might see in the next few years. Let's just start with a year from now. What do you think is going to happen? More chaos or something more predictable? I think that ransomware is such a lucrative threat vector that I expect it to increase. I think ransomware will become probably, I mean, I don't want to put any dollar signs around it, but I bet it'll
Starting point is 00:03:46 increase by maybe about 30 to 50% again this year as far as events. And it would be actually really cool to have some numbers on how much money is being funneled down that pipeline. I'm sure we'd never get to accurate numbers, but I bet that will also increase as well. If you talk about the other side, the good guy side, one of my concerns in this next year is they start to get success taking down these crews. And if you're right that less mature crews, even one person, one man crew, one person crews emerge, that'll be easier for law enforcement and government agencies to knock off those teams, claim success or progress anyway, but the main folks will still keep doing their thing and we might lose focus there. I don't know. What do you think about that? I think that's a possibility. I also see the reverse being something that could potentially happen from a research
Starting point is 00:04:43 perspective. If you're in a lot of the chat rooms and areas that I traverse when I'm looking into these things, tools exist and one person or two people pick it up and run with it. And then all of a sudden you have this very distributed environment of ransomware attacks where potentially you can't trace it to any one particular sophisticated threat actor. It becomes more of a kind of whack-a-mole constant nuisance type scenario. What I anticipate is, like we said, there's going to be more SaaS services offered underground to the criminal element. Because even though it looks like all that stuff, you could just grab the code and use it the way you want to,
Starting point is 00:05:35 it turns out that running code and running platforms to do complicated things is really hard to do. And so if you're not maintaining that code, then I could see the main lever that governments and law enforcement has is just dismantling the infrastructure so they can't deliver that service. I think we're seeing that now, but I don't know. What do you think? Right. I think you've correctly identified that's what we need to go after, right? And we, not you and I, but the government needs to go after.
Starting point is 00:06:04 You don't want me doing that. That's not going to be good. Yeah, we need to go after the infrastructure, not so much the groups, and be able to take down sites that host that code, that distribute that code, sites that potentially could offer this as a service. I will say I'm not particularly hopeful that it can be done easily. I think we've seen with other types of attacks and other types of cybercrime that we just hop around the internet, right, until we get to a spot where it's just this big game of whack-a-mole. But yeah, I think that is the logical constraint to attack in order to try to disrupt ransomware as much as we can. Well, I think the difference between now and, you know, let's say five years ago,
Starting point is 00:06:48 we would hamstring ourselves, at least law enforcement would, with all these legalities. We can't move into other foreign countries unless we have an agreement with them. And for specific countries like Russia and, say, China, maybe Iran, and especially North Korea, we're just never going to get those kinds of things. And there hasn't been a willingness up until now to disregard those laws. That gives us more options than just the legal route. I think that potentially there is maybe a mismatch internationally in the way these sorts of crimes are perceived. I think we certainly see it that way, but I think maybe some other nation states may reap the benefit of these sorts of attacks occurring.
Starting point is 00:07:34 And so I think in some cases, they may not be as interested in mobilizing a force against this or taking these sorts of capabilities down. But I do think that probably the most successful way of taking this infrastructure down is to achieve something internationally, something diplomatic, where we can have better partnerships internationally to take these things down. Yeah, well, we've been saying that for 20 years, okay? I think the thing that's changed now is that the ransomware attacks have ratcheted up the damage that can be done. Before, if you lost your credit card to a cybercrime attack, banks would replace it. It'd be a pain, but it wouldn't be life-threatening. But we're in a different
Starting point is 00:08:19 situation now. This first year, I think that Western governments have decided that there are more cyber operations on the table as things they can do. Would you agree with that? I think that's the case. I definitely think now that we're seeing it in critical infrastructure that there's more willingness to go after this as a serious threat. Let's forecast three years out. I think you and I agree that one year we've decided, the governments have decided that we're going to do a little bit more.
Starting point is 00:08:50 Let's assume that Western governments start attacking these folks on the internets, start taking down infrastructure. What else is happening there? What's going to happen? I think we start to see a paradigm where I think everyone really understands that really severe harm can be caused in the cyber realm. And I think all the things we said about year one as far as going after infrastructure becomes even more solidified.
Starting point is 00:09:19 I think it becomes more instantiated in policy. I think there becomes potentially more, becomes a better understanding of what kind of the quid pro quo is as far as retaliations around critical infrastructure and attacks on that sort of thing in the cybersphere. And I think while it's potentially new for people in the U.S., it's not new for people in other countries that maybe have been attacked in this way before. Well, I'm an old army guy, right? And I had an old boss of mine that, and we were doing cyber stuff. And he would say stuff like, just because you decide to attack them doesn't mean they give up after that. He always would say the enemy gets a vote. So I
Starting point is 00:10:06 would predict if we really ratchet up our offensive capabilities against criminal infrastructure, it could potentially get a lot worse. Yeah, I think that's the case. I mean, I think we should expect that in a lot of regards, the internet will become a more dangerous place. I think that the potential retaliation is definitely a real potentiality that we should be concerned with. And I think, again, taking kind of my cues in the war on terror here, I think that there's a lot of, probably a lot of potential for this to become a real political hot button issue as well. I could see it, you know, being featured in presidential debates or in local political debates. I can see it becoming a real issue here politically and for the U.S. government and for the citizens. One thing I've always tried to advocate for is a legal attack on bad guy infrastructure.
Starting point is 00:11:06 And what I mean by that is, you know, Microsoft's been very successful over the last two decades of getting a bunch of legal people together, get a bunch of techies together and dismantling infrastructure for bulletproof hosting providers and things like that legally. And I've always said that DHS shouldn't go hire more technicians. They should go hire a thousand lawyers and have them full-time causing trouble for anybody hosting bad guy services. I don't know. No one has ever taken me up on the idea. How crazy is that idea? I don't think it's crazy at all.
Starting point is 00:11:36 I think actually when we're looking at bad guy infrastructure, one of the hardest things to do is get through that kind of outer shell, right? The reason that exists, that bulletproof infrastructure exists, is because they've, in some cases, found loopholes or, in some cases, found areas where the legal precedent and the legal push is reduced or maybe doesn't occur as quickly. And so I think, yeah, there are a lot of criminal infrastructure and criminal gangs hiding behind that kind of administrative shell, as it were. That's probably not a bad idea. I think anything's possible. It may be a little pie in the sky, but I do- I've been accused of that many times. I've been accused of that many times, Kevin. As far as civilized ways to do this, I like that potentiality better than hacking back or starting cyber wars.
Starting point is 00:12:30 I think it would be a pretty great way to do it if we could get that kind of almost filtering capacity at the ISP level and back it up with a serious legal or administrative requirement. With political weight behind it, I think that's potentially a great way to solve it. So the first year was we've decided to do something. Over three years, we're going to see a back and forth escalation. Both of us think that's going to happen. Let's think about five years. What are we seeing in five years from now when it comes to ransomware? I think in five years, entropy takes its toll. It's not as big a deal anymore, or it's normalized. And I think there are some new exotic attacks. Yeah. I like the way you said that it could be normalized. Okay. In five years, we've just
Starting point is 00:13:19 gotten used to it, or we've had some successes too. The good guys have had some successes taking some of the crews out, but this is a problem that doesn't go away just because you take, let's say, Evil Corps off the grid. They're going to disperse into their hidey holes and reform in different forms. So it isn't like it just, oh, we just do things for a couple of years and we're okay. This is the new norm, like you said, Kevin, that we're going to be in this fight, this kind of fight from now on, I think. Yeah, I believe so. There are two threads we could pull here. There's one that's the maybe more narrow thread, the ransomware thread.
Starting point is 00:13:54 I think there's a potential for us to eventually get over that, take that threat off the board, whether that's because we get so good at defending against it, or there's a new, more exotic cyber attack out there that criminals are more interested in. I think the larger thread to pull, though, is that cybersecurity hopefully becomes normalized, right? It starts to become something that every organization does and that individual citizens, that every organization does and that individual citizens, individuals do on their own as well. People start to just kind of understand how to be a little more hygienic on the internet. I have no hope that that's going to work. I haven't, Kevin, I've been, you're a youngster compared to me, all right? I'm a glass half full guy.
Starting point is 00:14:42 I don't see the populace deciding that even if they could do hygiene better, I don't see them doing it any better. But I'm a glass kind of half empty kind of guy compared to you. Yeah. Well, let me, I'd counter with this, right? I think tech companies have a responsibility here really to push the end user into a better cyber posture. And I think that as soon as our Facebooks, our YouTubes, all the social networks, as well as the other things, banking, Amazon, so on and so forth, start enforcing really important cybersecurity measures
Starting point is 00:15:19 like MFA and whatever else comes down the line here, if they'll start enforcing it for the end user, I do think certain cyber hygiene habits will increase and will become the de facto way of doing anything on the internet. For many years, my generation of security practitioners have said, well, we just got to make the user smarter. I think that's the wrong answer. We have to make it so they cannot make mistakes on the internet. I'm the chief security officer here for the
Starting point is 00:15:50 Cyber Wire. We have a anti-phishing program from KnowBefore. And out of the 25 employees we have, I've been fooled twice. And I know what I'm doing. I can't expect grandma to absolutely know what to look for in a phishing message, right? I think that's a ludicrous proposition. Like you said, the tech companies have to make it so that it's more secure and forcing really simple things like multi-factor authentication and others we've all talked about over and over again. So last words on the future of ransomware, Kevin, what do you think? Any words of wisdom you can pass our way? So I think ransomware, again, is kind of a very, very important topic right now.
Starting point is 00:16:30 And it's just my hope that we will grab on to the things that are happening here as far as ransomware, things that have happened in critical infrastructure, and really look at that and use it as a way of escalating cybersecurity in the national narrative so that we're looking at the importance of cybersecurity, not just from a data protection perspective and maybe even a privacy perspective, but from a perspective of protecting people, protecting health, protecting the infrastructure of the countries that are potentially interested in this. So I think just, yeah, it's a painful topic, but it's also an opportunity to get better. And so let's use it to get better. Well, I'm going to subscribe to the Kevin Ford glasses half full kind of philosophy.
Starting point is 00:17:23 You should. It's great over on this side. Thanks for coming on, Kevin. We really appreciate your thoughts and we'll have you on the next time. Great. Thanks a lot, Rick. Next up is Dave's conversation with Mike Camfield,
Starting point is 00:17:43 the VP and General Manager of International Operations and Global Security Programs for ExtraHop, our show's sponsor. Yeah, so ransomware has grown dramatically year over year, month over month, and almost day over day. year over year, month over month, and almost day over day. You know, to contrast this, the total cost of ransomware back in 2015 was about $325 million. You know, it's expected to reach $20 billion this year. So it's about a 6,000% increase. I'd love to be in a business that does that in just about six years. And so that's actually from cybersecurity ventures, those numbers, and incredible, incredible growth in a bad way.
Starting point is 00:18:33 So what are some of the areas when it comes to battling this that you feel perhaps aren't getting the attention they deserve? Yeah, in order to battle ransomware, there's two main areas. There's prevention, so that would be security tools that stop infiltration and cybersecurity attacks. And then there's the ability for a company to restore themselves or be resilient in a cyber attack. So that would be your backup and more of your retention products out there. There's so much talk about insurance and backups and so on and so forth. I mean, certainly that's part of a company's defensive posture, but is there overemphasis in those areas? I think so. but is there overemphasis in those areas? I think so. Like anything, when the government funds something or doesn't fund something,
Starting point is 00:19:30 it either works or it doesn't. You can kind of correlate that to insurance as well. And when you look at cyber insurance, most, not all, but most insurance companies are paying ransomware and ransom damages right now to companies. The problem with that or the implication of that is obviously ransomware is increasing because there's money there. Additionally, the end users or the people that have these insurance policies are increasingly having to pay dramatically higher premiums year over year. are increasingly having to pay dramatically higher premiums year over year.
Starting point is 00:20:11 So you have really funding of the issue as well as an expense, whether or not you have ransomware or not, because if you want to protect yourselves, and most companies do, from a financial loss, you're going to pay whatever the premium is. And what about on the backup front? I mean, robust backups are, of course, a part of any organization's security posture, and there's been a spotlight shone on them because of ransomware. Again, are people putting perhaps too many eggs in that basket? I believe so. When you look at, you know, for example, the Colonial Pipeline as just an example, if you get a pretty deep infection from ransomware where it spreads across your enterprise, the time to recover, even with complete backups, is pretty long and usually unacceptably long for most organizations.
Starting point is 00:21:01 for most organizations. So when you looked at Colonial, they said that they had the ransomware keys, number one, so they were decrypting with that, as well as they were using their backups, yet they were still down for a very, very long time. So having a prevention from a backup mindset is super risky, and usually most businesses can't recover
Starting point is 00:21:24 in a quick enough time. And even if they do, there's a lot of statistics out there that are well south of 100% of what people get back. So you never get everything back. So the last comment on this is it's not just about restoration or decrypting your files. You have these ransomware attacks with multifaceted extortion. So we just saw over the last few days with the NRA and what the grief issue was, the grief ransomware gang, which a lot of people are speculating comes out of Evil Corp, where they have had a ransomware attack, unconfirmed by the NRA, but confirmed by the dark web, and they have their files. And they say they're going to use those files against the NRA.
Starting point is 00:22:13 So even if you do recover, your data is removed or exfiltrated outside of your environment, and it can be used against you at any point in time. Let's face it, they're cyber criminals and you really can't trust or even baseline what they're going to do next. Let's talk about recommendations then. I mean, organizations have a limited amount of resources and time and all of those things. How should they go about calibrating the various methods that they put in place to help protect themselves against ransomware? So we believe these trends will push companies to implement more detection and response controls and other technologies that help defend their enterprise against advanced threats like ransomware. You know, this should help them spot these advanced attacks and ransomware infections
Starting point is 00:23:02 early. So that way they don't have as much data to restore, as well as the data is not out on the dark web. So you want to catch these things early. And we have a lot of our customers that have caught these issues early and haven't had to do massive restorations. And this not only protects them, but it should also help their premiums. A lot of cyber insurance companies look at the resiliency plans and the cyber tools that they have in place at the companies. And based upon their level of investment and what they're doing, they should reduce their premiums from that perspective.
Starting point is 00:23:40 Not guaranteed, but we do see people doing that with the right technology in place. Not guaranteed, but we do see people doing that with the right technology in place. Are there any common elements, you know, when you think about the organizations that you all work with there at ExtraHop, are there any common elements with the organizations that are doing this 24 by 7 monitoring, particularly where their data lies, their critical assets. There are no minutes off and their ability to spot these issues and be able to put in automated remediation where you're either shutting down a part of your enterprise that's infected or you're blocking what's going on is a big one. The other one is that the people that are getting really serious about patch management, number one, but also number two around identity and access management. When you look at the attack vectors for ransomware in particular, it's not just you find Dridex and you know Evil Corpse in there as far as that, or you have a TTP from a ransomware
Starting point is 00:24:57 gang, so you find it. Those are certainly things that you can do, but, you know, they're still doing brute force attacks as well. And so, you know, making sure that you have, you know, the right software up to date, that you're really managing, you know, enterprise class identity and access management capability are two big ones. And, you know, the last one, which I started with is really, you know, pushing to early breach detection. And, you know, that's where ExtraHop comes in. We really give enterprises a way to use behavioral technology across their whole environment to spot these challenges and issues before they get out of control.
Starting point is 00:25:38 What are your recommendations in terms of getting started here? I mean, if I'm the person who's leading the security charge at my organization and I'm getting, you know, I'm preparing to walk into my board of directors and my managers and say, hey, this is something that we need to do a better job preparing ourselves for, where's the best place to begin? Yeah, so I have the fortune of going all around the world and speaking to a lot of peers and people that lead these programs for just this one question. And the first one that everybody believes is one of the more successful ones is data and comparing your organization to the unfortunate people that are out there. So, you know, if you're in finance, you can bring up a financial ransomware attack. If you're in
Starting point is 00:26:22 healthcare, you can show where hospitals or any parts of the organization have, you know, been shut down. And obviously any minute that those places are shut down are completely unacceptable. So you kind of do this peer review. So that way you have some evidence of what's happening out there. And then secondly, which was, you know, a great question you asked a couple of questions ago, is, okay, what's the playbook in order to mitigate this issue? And a lot of CISOs that I speak with, they'll even have peer organizations talk or at the board or give them some information and leave their contact information available so that way they can see these playbooks for incident response. Additionally, there are a lot of resources out there, whether those are professional organizations like Amandian or any other kind of cyber incident response company that can come and
Starting point is 00:27:19 really help you do all the different phases of this. So, you know, it starts out with the security program assessment. So baselining where you're at, where you need to be in order to mitigate ransomware, then really what is, you know, what are you going to do once you have it? So a lot of great playbooks around response readiness assessments and, you know, how do you handle downtime? So, you know, going back to the fact that, you know, you can have a backup process, but if you don't have a fully implemented plan of where you can take things offline or ways to restore or ways to really bring your business either down or back up through some of these plans, you really fail once these kinds of accidents happen. And, you know, we always recommend and most
Starting point is 00:28:05 cybersecurity practitioners recommend, you know, running through many of these events during the year, at least quarterly, to make sure that they're ready in the inevitability, almost unfortunately, that something like this will happen to them. And that's our show. We'd like to thank Kevin Ford from the Environmental Systems Research Institute and Mike Camfield from ExtraHop, our show sponsor, for being on the show. CyberWire X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies.
Starting point is 00:28:45 Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpy. And on behalf of Dave Bittner, this is Rick Howard signing off.
