Ransomware often feels like an insurmountable problem that will plague us forever, but recent data suggests we may be finally making progress. The key to solving the most difficult problems is to understand the size and scope of the threats, analyze their inner workings, and devise strategic means to tackle the root causes. We need to treat the ailment as much as we need medicine to treat the symptoms.
Establishing Trust
Assessing size and scope is harder than it sounds. For years, the IT community has ostracized victims for their “failures” that lead to compromise — blaming people for clicking things, plugging in USB drives (or floppies!), or being too busy to have noticed a red-alert patch release from a crucial vendor, requiring immediate action. All these things have led to victim shaming and the resultant underreporting of cybercrime.
Additionally, many companies do not want public shaming to drag down their reputation or stock price either — and the more people who are aware of your victimhood, the more likely you will experience additional damage beyond the crime itself. Of course, there is a healthy dose of fatalism as well — why bother reporting these crimes, the police cannot help, the criminals are in untouchable enemy states, and so on.
The latest SEC (Securities and Exchange Commission) guidance and the upcoming CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) rules from CISA (Cybersecurity and Infrastructure Security Agency) have been trying to help close this gap in visibility. This is likely to have increased the number of US organizations willing to reach out for help through the normalization of reporting incidents.
The latest data from our Sophos State of Ransomware survey shows we have made significant progress on this front. 98% of US organizations (n=496) who were the victim of a ransomware attack reported the attack to law enforcement or government regulators. Even better, 65% of those who engaged authorities received help investigating their attack, 63% received advice, and a third received assistance in recovering their encrypted or stolen data.
A small number, 11%, reported that it was very difficult to report and engage with law enforcement. In my experience this is due to the chaos and panic of incident handling and a lack of preparation. Not only do organizations need a well-rehearsed incident response plan, but you should also establish a relationship with the cyber-cavalry before your moment of crisis.
Knowing whom to contact when an emergency happens is why we established the simplified 9-1-1 system in 1968 for police, medical, and fire emergencies in the United States. While there is no three-digit number to call the cyber cavalry, having their name and number in your phone’s contacts and on your incident response plan can ease the pain of reaching out expeditiously. (In fact, best incident-readiness practices would encourage you to get to know your local cyber-constabulary in advance, if possible. There’s no harm in introducing yourself or even having a cup of coffee before everything’s on fire.)
Where we are failing
We are improving our cooperation and lowering our response times, which are both excellent advances. It’s great to hear that nearly everyone is now reaching out to report these crimes, and more than half are receiving a tangible benefit from their engagement. The problem here is that this is all treating the symptoms and not really addressing the elephants in the room: prevention and deterrence.
Network devices with exposed and unpatched vulnerabilities are not being addressed quickly enough, or at all. In our “Sophos Active Adversary Report for H1 2024” analysis we found that in almost one-sixth of incidents, attackers gained access through exposed vulnerabilities. Many of those vulnerabilities had patches available for weeks, or months, or years before they were used for the attack.
Despite multifactor authentication making its debut to most of us in the security community in the 1990s, with early patents making reference to then-current technology such as two-way beepers, it is still not widely deployed across small and mid-sized organizations remote access gateways. In at least 56% of cases analyzed in the 2023 report data, stolen credentials were the root cause of the breach. (The more recent case of Change Healthcare, which was breached by attackers who found their way into the multibillion-dollar company through a single server lacking MFA, is a reminder that such deployment gaps aren’t limited to small- or mid-sized organizations.)
Lastly, of course it isn’t just on us to up our game; legal systems around the world haven’t made much progress on prevention and deterrence through incarceration. While the number of arrests and criminal network disruptions have increased, they are not putting much of a dent in this multi-billion-dollar problem. With many of the perpetrators in uncooperative nations, this is an arduous task to accomplish as incarceration is not an option in most cases.
What next?
The obvious answer is to do more of what is working and to not dwell on what cannot be accomplished. It brings many of us joy to see the people behind hacking hospitals and schools in the old iron pokey, but these outcomes are slow to accomplish and often unavailable due to geopolitical considerations.
Here is a brief roadmap based on where I feel we are today.
• Leverage the data that shows high global levels of victims reporting ransomware attacks to law enforcement to make the case for funding dedicated ransomware-trained police investigators that can work to expand the disruption that began to accelerate in 2023. There were some serious wins such as QakBot, ALPHV/BlackCat, and LockBit, but to date they only appear to have been speed bumps. We must amplify these disruptions that not only dismantle much of the infrastructure required to successfully conduct these attacks, but also undermine the network of trust amongst the criminals themselves. This is our most powerful offensive tool.
• We must improve our defenses, which is an enormous task. There are just over 8.1 million organizations in the United States and approximately 6.8 million of them are under 500 employees – the contingent we talked about at length in our most recent Sophos Threat Report. Organizations under 1,000 employees rarely have dedicated security personnel and usually have skeleton IT crews. CISA has been doing a fantastic job of publishing useful lists of exploited vulnerabilities and providing other useful advice, but you must have an audience that is listening for it to count. CISA is trying, but they are limited to a small number of carrots and an equally small stick to affect change.
There are two approaches to this, but both must be approached as a global initiative, not just a US problem. Part of what empowers these criminals is the scale and efficiency with which they operate. They must be cut down across the board to achieve meaningful reductions in activity. Products must be safer to use without constant intervention and organizations must adjust their risk calculus to include the quantity and quality of their exposed devices and services.
• Software and networking gear providers must ship more secure products and make updating those products safe and frictionless. To this end, Sophos is joining CISA’s call for software vendors to sign a pledge to continue developing our products to be “Secure by Design.” We’ve already made tremendous progress toward many of the goals outlined in Secure by Design, but there is always more work to do. As an industry, we must continue to improve not just the quality of our code, but the experience of using the products in a safe manner. The seven items in CISA’s pledge will help close the gaps most frequently exploited in the wild and provide a safer experience for all customers, even when they lack security expertise or the ability to keep track of all of the security updates available to keep them safe.
• One of the most important things we can do is to make updating simple or, even better, automatic. As we have seen with browser vulnerabilities and even software updates on our mobile phones, continuous and automatic security updates dramatically improve customer security outcomes. Like your browser, Sophos’ firewalls consume emergency security fixes by default and are continuously monitored for intrusions that could introduce risk to customer environments.
• Businesses must also take greater responsibility for the private information with which they have been entrusted and more accurately assess their security risks, especially regarding stolen credentials and unpatched internet-facing equipment. On the first front, sustained work by privacy professionals has brought the concepts of data controllers and processors – two different kind of data custodians, both with explicit responsibilities to handle private data properly – into the public eye. On the latter front, CISA has announced a beta program for US-based organizations that includes scanning for vulnerabilities on the Known Exploited Vulnerabilities (KEV) list. Additionally, security providers offer similar services with remediation capabilities as well as managed detection and response (MDR) services to monitor for active exploitation.
• Last, but not least, is our old friend cryptocurrency abuse. The actions here seem to be similar to the takedown situation: more please. The United States has been aggressively pursuing bitcoin mixers and tumblers, and this needs to continue and expand to be an international effort. Thanks to its extraordinarily high cash flow, bitcoin itself is the only practical means of collection and laundering of large sums of illicitly acquired “wealth,” but that specific currency’s inherent traceability is a feature — if enough of the ecosystem can be meaningfully regulated. Pursuit of sanctions, shutdown of anonymizers/tumblers/mixers, and aggressive enforcement of know your customer (KYC) laws applied in a global fashion or at minimum as ransom payments traverse compliant exchanges (since ransomware gangs generally don’t retrieve their ransoms in the US, or in countries similarly accessible to law enforcement) will help slow the bleeding and increase the risk for those who see this as a “safe” crime with an easy path to cashing out.
Far from helpless
The wheels of justice turn infuriatingly slowly, but they are gaining momentum. While we continue to train and educate the justice and law enforcement systems on these modern crimes, we must continue to apply pressure across all aspects of ransomware infrastructure: Cut off the money; aggressively pursue perpetrators in those locales where they can be pursued; improve our readiness; undermine the criminals’ network of trust; and come together across international boundaries, public and private.
No time to waste. Let’s go.
About the author
Chester Wisniewski is Director, Global Field CTO at next-generation security leader Sophos. With more than 25 years of security experience, his interest in security and privacy first peaked while learning to hack from bulletin board text files in the 1980s, and has since been a lifelong pursuit.
Chester works with Sophos X-Ops researchers around the world to understand the latest trends, research and criminal behaviors. This perspective helps advance the industry's understanding of evolving threats, attacker behaviors and effective security defenses. Having worked in product management and sales engineering roles earlier in his career, this knowledge enables him to help organizations design enterprise-scale defense strategies and consult on security planning with some of the largest global brands.
Based in Vancouver, Chester regularly speaks at industry events, including RSA Conference, Virus Bulletin, Security BSides (Vancouver, London, Wales, Perth, Austin, Detroit, Los Angeles, Boston, and Calgary) and others. He’s widely recognized as one of the industry’s top security researchers and is regularly consulted by press, appearing on BBC News, ABC, NBC, Bloomberg, Washington Post, CBC, NPR, and more.
When not busy fighting cybercrime, Chester spends his free time cooking, cycling, and mentoring new entrants to the security field through his volunteer work with InfoSec BC. Chester is available on Mastodon (securitycafe.ca/@chetwisniewski).
For press inquiries, email chesterw [AT] sophos [.] com.