The 2021 Verizon Data Breach Investigations Report was released this month and features its usual comprehensive review of important trends in cyberattack patterns. Notable in this year’s report are the increasing rates of phishing, ransomware and web application attacks – driven primarily by greater numbers of white-collar workers working from home, where network security may not be as strong as in an office environment.
From Ryuk targeting healthcare organizations and REvil following the Microsoft Exchange Server vulnerability to the more recent Colonial Pipeline attack orchestrated by DarkSide, the growth in ransomware across multiple industries is an especially troublesome trend. In this post we will review where and how ransomware is growing, why it is becoming increasingly expensive for organizations to address, and what steps organizations can take to secure their weakest security link: third-party suppliers, vendors and partners.
According to this year’s Verizon report, ransomware accounts for 5% of total security incidents and 10% of all breaches, up sharply in the last five years as the attackers’ “business model” has evolved from simply encrypting systems to threatening to publish data unless a ransom is paid. Stolen credentials and brute force attacks tend to be the most-used vector of attack for these cyber criminals, leading to direct install or installation through desktop sharing apps in as many as 60% of all ransomware cases.
Attackers are also now targeting more than the payment processing systems that manage the keys to many companies’ financial kingdoms. As in the Colonial Pipeline attack, they are now more frequently targeting systems that will impact business operations. This has tended to increase the likelihood that an organization will pay the ransom to regain access to its systems and data – and potentially skirt the harsh compliance penalties and reputational damage that can come with a data exposure event.
Few industries have been spared by the scourge of ransomware, with the Verizon report indicating that ransomware is a favored approach in financial and insurance, healthcare, mining and quarrying, oil and gas extraction, utilities and manufacturing.
As the Colonial Pipeline attack showed, ransomware can be very costly to an organization. The company reported paying $5 million to the attacker group DarkSide. And the costs will likely increase with lost revenue and productivity. This year’s Verizon report showed that companies can expect to pay upwards of $1.2 million on average to reclaim systems and data in a ransomware attack.
What’s worse, paying the ransom doesn’t mean you are safe. The Verizon report states that some groups take copies of data prior to triggering the encryption and then use it as leverage against the victim organization.
Ransomware is one of the most expensive and business-impacting risks facing organizations today. And, since most companies rely on third parties for everything from data hosting/processing and payments to delivering critical products and services, organizations must ensure their vendors, suppliers and partners have plans in place to mitigate the risk. Here are four steps that we consider essential:
Don’t wait for the news to hit the wire – assess your suppliers now to determine what controls they have in place to detect, protect, respond to and mitigate ransomware attacks. Leverage Prevalent’s free ransomware assessment that addresses areas such as incident response, responsible parties, disaster recovery plans, preventive controls and endpoint security measures. With these baseline insights you have centralized visibility into third-party security practices and can quickly identify risks and recommend remediations to reduce your organization’s exposure.
Assessing vendor security practices is essential – but it’s periodic. Augment these results with continuous monitoring of public-facing vendor web properties, criminal forums, onion pages, the deep dark web’s special access forums, threat feeds, paste sites for leaked credentials, as well as security communities, code repositories, and vulnerability databases for mentions of your key suppliers. Centralize this activity in a single service that monitors for cybersecurity intelligence and can automatically trigger remediation actions based on findings.
Simply monitoring news sites, social media posts, or getting daily updates about your key vendors from an RSS feed will not enable you to quantify, analyze or act on breach disclosures. That’s why it’s important to seek qualitative insights from a centralized service that includes hundreds of thousands of public and private sources and enables you to tie the data together in a unified risk register. Prevalent offers a free option to gain these insights for up to 20 of your most important vendors.
When ransomware strikes, many organizations struggle to get timely notifications of impact from their supplier bases using manual spreadsheet-based methods, delaying risk identification and mitigation – and ultimately leading to unwanted exposure. Instead, seek out expert services to take on this work on your behalf. Prevalent’s Rapid Third-Party Incident Response Service assesses your vendors against a customizable event questionnaire that is automatically triggered by events, enables them to proactively submit assessments, and offers prescriptive remediation guidance to quickly identify and mitigate the impact of a security incident.
Like any other security risk, ransomware can never be fully prevented. However, taking a prescriptive approach that provides continuous visibility into third-party exposures can reduce both the likelihood and impact of such an event.