Why Does Ransomware Still Work?
Paul Watts, Distinguished Analyst of the Information Security Forum (ISF), features in the latest Write Side Up by Freeform Dynamics for Computer Weekly.
As someone who first encountered ransomware during the last millennium – thankfully at second-hand – and has been writing about it for almost as long, I sometimes find myself amazed by the high profile it still has, here in 2021.
Of course there’s technical counter-measures available, as my colleague Tony Lock has been discussing elsewhere on this blog. But at a recent round-table event on the topic of Cybercrime, I found myself wondering who still gets caught out by the well-known social engineering tricks that typically trigger a ransomware attack…
The answer is simple: us. Despite the selfish fantasies of a minority of Ayn Rand fanatics, the average human is actually pretty generous, co-operative – and trusting. You might think ‘Lord of the Flies’ suggests otherwise, but that book was fiction. What really happened when six schoolboys were shipwrecked for over a year was much more reassuring.
Our co-operative nature is why we have civilisations and societies, after all. But it is also why fraudsters are still around, fleecing the unwary and innocent with variations of the same lies and tricks they’ve used for centuries, if not longer.
Modern technology makes the fraudster’s job easier than ever
And tricking the unwary and trusting is, essentially, what ransomware, phishing, ‘business email compromise’ and all the rest depend upon. To make it worse, modern technology has dramatically boosted the bad actors’ capabilities – targets can be analysed remotely via data freely available on the web, and email costs nothing to send. We’ve even seen the emergence of malware-as-a-service providers – they provide the software you need for a ransomware attack, you just add the social engineering.
At an individual level, dealing with this requires people to think before they act, said one of the others at that round-table, Information Security Forum distinguished analyst Paul Watts. “There is still personal responsibility for the person behind the keyboard,” he said. “You need situational awareness – it’s a life skill that needs to be taught to our kids.”
You can train for this to some extent, and of course you should be applying threat-detection technology, multi-factor authentication and so on, but none of this is perfect. As another speaker, Simon Taylor of hybrid cloud backup company HYCU, put it: challenge anyone who claims they can prevent you being attacked. “You will be attacked, it’s what happens next that matters, how you respond,” he said.
That’s where data protection comes in, along with air-gapped or otherwise immutable backups. Those aren’t enough though – the key point of failure in data protection usually isn’t the backup, it’s the recovery. Even with snapshots and the like, recovering a working and synchronised set of systems is no mean task in these days of multi-layered, tiered, modular and containerised applications.
As ever, the keys are people and processes
And then it’s the people and processes, both before and after an attack. For example, you need people on the business side to recognise and assess the risks, and understand that there’s shared responsibility here. After all, as another round-tabler, IT lawyer Ben Sigler, a partner at Stephenson Harwood LLP, put it, “Is an IT department focused on procurement and delivering end-user services really capable of assessing [business] risk?”
Afterwards, it’s the lengthy processes to get things running again (probably starting with the minimum viable infrastructure), decontaminate systems, analyse what went wrong, and of course keep people informed. All the while, you also need to keep an eye on the legalities – not least because you don’t want the Information Commissioner, your insurers or angry shareholders and customers coming after you, and citing your analysts’ speculations on Slack or Teams as evidence of fault!
So when compared with 10 or 20 years ago, the attacks have scaled up, the technology has advanced considerably in both offence and defence. Worse, the changed regulatory environment and the increasing digitalisation of business and industry mean that the consequences of a successful attack can be far more severe.
Yet the fundamentals are little changed. You need to help your people be ‘situationally aware’ and you need a secure backup that you can effectively and swiftly restore. Why is all that so difficult?