What to do when gangsters don the ransomware hat

In an exclusive interview with Manoj Agarwal, former Gartner analyst Prateek Bhajanka speaks at length about multiple aspects of the ransomware threat. He also shares recommendations for preventing and tackling this rising cyber threat.

Manoj Agrawal: Can you provide a quick overview of the ransomware trends in the financial sector?

Prateek Bhajanka: Compared to 2019, ransomware has evolved from being an encryption-based attack to a double-edged sword. Client confidential data, regulatory information, personal information stored in encrypted environments are at high risk. Even if enterprises have strong data backup and recovery systems in place, they are ineffective because the attacker has already stolen the data, which he can misuse or even delete if his demands are not met.

Of late, we are seeing some early signs of triple extortion attacks. Triple extortion threats are like a time bomb because the attackers not only steal and encrypt your data, but they also encrypt your systems, devices and infrastructure.

What is the modus operandi?

The attackers replicate the tricks and techniques used in the physical world to demand ransom in the cyber world as well. The only difference is that attackers kidnap people in the real world, whereas they steal data and lock up infrastructure in the virtual world.

They are getting smarter and more organized. They are launching platforms and offering ransomware-as-a-service (along the lines of software-as-a-service) and toolkits to those who do not have sophisticated knowledge of exploits and vulnerabilities. As a result, the attacks have become much more targeted. Compared with the email links distributed earlier, human-operated ransomware breaches are more specific and more sophisticated.

The players are also hiring affiliates from the market, cyber adversaries or even employees from your own organization. These recruitments introduce the human factor into the system. Automated ransomware may hit a wall due to watertight security, but with the ingenuity of the human mind, the attackers would be able to bypass those controls and penetrate the organization.

The financial sector is traditionally a soft target. Are the attackers shifting targets?

The financial organizations are custodians of enormous amounts of personal and financial data available through KYCs and other sources. They are, therefore, easy prey to phishing campaigns and extortion threats.

All the same, the financial industry is strengthening its cybersecurity posture to a substantial extent. The segment is putting detection and response controls in place with a focus on vulnerability management, application security, external attack surface monitoring, etc., to reduce the attack surface. These efforts have reduced entry-level cyberattacks significantly.

At the same time, the retail industry is being hit because attackers are exploiting vulnerabilities in point of sale (PoS) systems. Besides, the retail industry is witnessing a digital push.

Are attacks on infrastructure like a payment gateway increasing?

Yes, they are. State-sponsored attackers may target them because they are highly motivated. And you cannot effectively stop a state-sponsored attack because of the tools and technologies that they use, and the political motivation they may have. Commonly, they use zero-day vulnerabilities and supply chain vulnerabilities to target critical infrastructure. The best method is to have more controls for early detection.

What are the attempts being made to stop ransomware-as-a-service? Are the attempts successful?

The attempts are not highly successful. The reason is that the platform and the services are not available on the surface Internet, but in the deep web or the dark web. Also, they are not hosted in the target country. For example, ransomware-as-a-service exploits might be used in India, but the platform is not hosted here. Therefore, we have no control over the infrastructure on which it may be hosted. These malware services are hosted in countries with a high density of state-sponsored attackers or in countries that do not have strict cybercrime laws.

Can you cite an example?

For state-sponsored attacks, the US was seeing a lot of ransomware activity from Russia. Political partnerships will play a vital role in curbing these attacks. Around July-August 2021, at the request of the US government, the Russian government arrested some threat actors belonging to certain ransomware families. Measures can be taken based on political cooperation between two countries. Otherwise, technically, it may not be possible, because the attackers are in lands beyond the reach of sovereign control.

However, we are expecting countries to collaborate on a multilateral basis and form bigger alliances by 2025. This will certainly reduce the number of cybersecurity incidents. But these initiatives will have to be spearheaded by the governments.

What are some of the key technical and non-technical measures that Gartner recommends?

When it comes to ransomware, we always suggest that organizations opt for a comprehensive strategy. Ransomware may penetrate a server via an email and spread to network devices, other endpoints, the cloud, etc. We recommend that organizations move away from a ransomware protection approach to a ransomware defense strategy or a ransomware defense framework.

We know that attackers are becoming more sophisticated. They are actively hiring people from our own organizations to spread the virus. So having strong detection controls that go beyond the data center systems to endpoints and identity and access management is important.

Our basic advice to all enterprises is to prepare a logbook and record incidents. The logbook enables the security organization to study the attack pattern, feed instant inputs and use the data to plug loopholes or prevent a similar attack. Keep effective backups and recovery procedures. This should be a cyclic process.

It is always useful to look within before buying modern technology. We recommend making use of the existing security investment by making sure that the tools are properly configured and that the features are being used optimally. This raises the security posture to a considerable extent. Companies must also develop incident response policies and procedures, as well as have proper security partners in place.

Is it necessary to have in-house experts to tackle ransomware? Can it be outsourced?

The approach should be that if you cannot prevent it then prepare for it. As we know, security incidents are not a matter of if, but when. In order to be prepared, enterprises should have upfront engagement and agreements with specialized incident response firms and service providers. By having an incident response retainer agreement in place, incident response firms can help organizations to create incident response policies, procedures, playbooks. They have the ability to jump right into the action rather than start at the planning stage.

People play a key role in any organization. What is Gartner’s take on the role of people to tackle sophisticated ransomware attacks?

Gartner recommends that enterprises empower individuals. The training should not be limited to understanding the nature of these attacks and security awareness, but should expand to cyber judgement and cyber training in which employees are encouraged to become the eyes and ears on the ground and are empowered to report incidents at an early stage.

For instance, in a multinational company, an attack that was detected by some employees at an early stage snowballed into a large-scale corporate incident because the employees who had observed some malicious activity in the system did not escalate it, for two reasons: (i) they did not know whom to report it to, and (ii) they did not know whether they should report the incident at all.

Had the detection and reporting procedure and policies been transparent and detailed to all during the training process, the security personnel could have curtailed the incident in the earlier stage itself.

Are there any regulations regarding ransomware?

There are regulators that talk about how to make the payment, whether you should be making the ransom payment at all, and the due diligence that needs to be followed before releasing the ransom payment.

The US Department of the Treasury's Office of Foreign Assets Control states that ransomware is equally linked to national security. The Department of the Treasury and the Alpha team sanction the payment after verifying whether or not the ransom money can harm US national security, irrespective of the loss to the enterprise. Such kinds of regulations are being formed for reporting guidelines. Other guidance covers the time or duration within which cybersecurity incidents and ransomware incidents should be reported, and the authorities who should be cc'd on the complaint copy.
