Ransomware perspectives: The shape of things to come

Michael Hamilton, CISO of CI Security, has worked in the information security industry for 30 years. As former CISO for the City of Seattle, he managed information security policy, strategy, and operations for 30 government agencies.

In this interview with Help Net Security, Michael discusses ransomware attacks and offers insight on how they will evolve in the near future.

What are some of the most interesting ransomware trends you’re seeing this year?

Double extortion. Combined with data exfiltration to incentivize paying ransom, and monetizing data in auctions if not. Corporations can buy competitor’s info this way – it’s not all organized crime leveraging things stolen by organized crime.

The “intelligence” built into ransomware campaigns. They used to be smash and grab. Now they gain persistence, elevate privilege, and identify and disrupt data and computing that are critical to an organization’s continuity of operations.

The commoditization of ransomware as a service, and how that has played into current economic distress, allowing people to get into the crime business – mainly out of necessity.

Ransomware attacks increasingly target cities and municipalities. What kind of damage can they do exactly?

The services operated by local governments are critical on the scale that we live our daily lives. Water purification, waste treatment, storm water removal, traffic management, communication systems for law enforcement and public safety, emergency management, election systems, and 9-1-1 are all enabled by, and in some cases dependent on IT. So the potential impacts of disrupting local government operations can be civil unrest, public health emergencies… all the way up to loss of life.

Think about it this way: your toilet can stop flushing and cause a public health emergency, traffic lights can be all turned to flashing red and impede first responders, drinking water can be rendered suspect (ref recent Israeli water utility compromised by Iranians, had control of Chlorine injection), and county governments can be knocked over by ransomware as a service in the middle of an election.

What advice would you give to the CISO of a major city when it comes to protecting the IT infrastructure against ransomware attacks?

Because of the criticality of the services you provide, it is important to address the source of compromises that lead to ransomware: your users. Work to rescind the policy of de-minimis use (using government technology for personal purposes), and institute a policy of all personal use on a personal device. Period. Measurements I’ve made while CISO of the City of Seattle indicate that 40% of the compromised assets were due to the use of personal email.

Second, because credentials are under attack, use multi-factor authentication everywhere and nullify that vector.

Lastly, your preventive controls will fail, and you’re left with identifying a compromised asset through its behavior. You have something between 3 and 12 days (according to reports) to purge the compromise from the environment before it finds the “good stuff” to encrypt/exfiltrate. Your monitoring must be comprehensive, and someone must be assigned to follow up and investigate security alerts. Without proper people resourcing, your technology is yelling into the wind. Ask Target how this works out.

Ransomware as a Service continues to be available at different price points, making it very easy for inexperienced cybercriminals to get started quickly. What should be done to curb the surge of such services?

Insurance companies want the cheapest way out of a ransomware event, and that is frequently lower than the cost of full restoration and rebuild. This “market force” should be countered with strong disincentives for insurance companies to pay the extortion demand – this could be done through the rule-making process with state insurance commissions, however that would mean 50 separate actions.

Credit-card transactions that pay for cybercrime as a service could be flagged, but this is easily circumvented with cryptocurrency.

The other way is to defend forward and go after the RaaS operations, and frankly I think the military should be involved. They shut down the Russian disinformation campaign at the end of the 2016 election, and Israel shot a missile into a building where Palestinian attackers were operating, so there’s a bit of precedent. We can’t use missiles, but government-run DDoS operations against dark market vendors might move that needle. However, without an extremely press-worthy disincentive, one that really gets the attention of the actors, this is going to continue.

How is ransomware going to evolve in the near future? What tactics are cybercriminals most likely going to implement?

Next stop is operational technologies, and specifically things like robotic manufacturing (we’ve already seen this). The double extortion and data auctions will become more prevalent, making it nearly impossible to avoid paying.

Apart from criminal activity, we are seeing our first legal action against a company that was hit with ransomware, its customer data exfiltrated and samples made available, and one very significant customer of this company is suing because their intellectual property was stolen and put up for sale. There’s going to be more of this. I think that rather than regulatory action, it will be litigation and the expectations of business partners for verifiable controls that move the needle.