No attack type has been as impactful as ransomware in 2021.
According to a panel of experts at the DEF CON 29 conference, the rising notoriety and impact of ransomware in 2021 has made action by both government and the private sector more urgent, though the panel reached no clear consensus on exactly what that action should be.
Chris Painter, co-chair of the Ransomware Task Force, commented that after the 2018 ransomware attack against the city of Atlanta, more awareness could or should have been raised to help limit future impact. That did not quite happen, and in 2021 the Colonial Pipeline, Kaseya and JBS meat-processing attacks, among many others, have pushed ransomware further into the public consciousness. Painter suggested that organizations need to harden their own defenses further to limit the opportunities available to attackers.
Security researcher Robert Graham, however, doesn’t necessarily think that hardening defenses is the best approach.
“The way you secure a bank is not by locking the front door; the bank has to be open for business and you have to have people come in,” Graham said. “It’s the same thing with networks.”
Graham argued that it is unrealistic to expect organizations to patch everything all the time; in his view, a network run that way would be down almost constantly. The same goes for email phishing: users are told not to click on things, but Graham argued that this advice runs against how people actually work, since users click on things all day and a regular user has a hard time telling a legitimate email from a malicious one.
Cyber Insurance is Not the Answer Either
The panel also debated the role of insurance in ransomware. Having the financial ability to recover from an attack is good, but it is not a solution in itself.
Lawyer Elizabeth Wharton commented that insurance is just money and doesn’t actually fix the ransomware problem. Wharton was a senior assistant city attorney for Atlanta when that city faced its ransomware incident.
“I think building in resiliency so that when your system starts burning, you can kick right into the playbook, have a plan and know who to call—that’s important,” she said.
To Pay, or Not to Pay
A primary question with ransomware is whether or not victims should pay the ransom.
Painter noted that the Ransomware Task Force did examine the question of ransom payment but could not agree on a formal recommendation. For some organizations, paying may well be the fastest way to recover, especially when they lack the staff to rebuild. In his view, the better approach is to give organizations of all sizes tools that let them protect themselves and limit risk before an attack.
Wharton commented that she has seen smaller counties in economically depressed areas hit by ransomware. Those local governments typically have small budgets and perhaps one person responsible for keeping IT systems online. For such groups the choice is between paying the ransom and being unable to provide services to their constituents. She noted that of course they should have planned better, but the reality is that they simply need to get back online.
Awareness is Not Enough
One topic of discussion on the panel was whether awareness of ransomware, which is undeniably higher now, should on its own help drive better security.
Graham argued that awareness of ransomware is not the problem. Plenty of organizations have backups of their data, which is often cited as the key best practice for ransomware recovery. The problem is that they have not looked at how the ransomware got into their systems in the first place and what the attackers were able to do once inside. If, for example, ransomware infected an organization and took control of a Windows domain controller that was connected to the backup server, the backups would be encrypted along with everything else.
“So the approach to ransomware is that we’re aware, but we’re not actually aware of the details,” Graham said.
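The failure mode Graham describes, backups that sit inside the same trust boundary as the domain controller, can be checked on paper before an incident rather than discovered during one. The following is an added example, not code from the article or from any panelist: a small Python model of which backup copies an attacker who owns the domain controller could encrypt or delete, given which credential realms each system accepts and which credentials a compromised system hands over. The inventory, the realm names (such as "ad" and "backup-svc") and the asset attributes are constructed for illustration, and the `immutable` and `offline` flags are assumptions about the storage that the script takes on trust rather than verifies.

```python
"""Trust-path check: can a compromised Windows domain controller reach the backups?

Constructed example. Each asset records which credential realms grant write or
delete access to it, and which realms an attacker gains by controlling it. A
domain controller compromise yields the whole Active Directory realm; we then
walk the inventory to a fixpoint to see which backup copies are exposed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One system in the inventory (hypothetical, not a real environment)."""
    name: str
    accepts: set                              # realms that grant write/delete on this asset
    yields: set = field(default_factory=set)  # realms an attacker gains by controlling it
    immutable: bool = False  # assumed WORM/object-lock store: writes ok, overwrite/delete refused
    offline: bool = False    # assumed air-gapped or powered-off copy: no network path at all


def owned_assets(assets, start):
    """Fixpoint walk: every asset reachable with the credentials gained so far."""
    by_name = {a.name: a for a in assets}
    owned = {start}
    creds = set(by_name[start].yields)
    changed = True
    while changed:
        changed = False
        for a in assets:
            if a.name in owned or a.offline:
                continue
            if a.accepts & creds:        # attacker holds a realm this asset trusts
                owned.add(a.name)
                creds |= a.yields        # and now holds whatever this asset stores
                changed = True
    return owned


def backup_exposure(assets, compromised, backup_names):
    """Classify each backup copy given that `compromised` is fully attacker-controlled."""
    owned = owned_assets(assets, compromised)
    by_name = {a.name: a for a in assets}
    result = {}
    for b in backup_names:
        if b not in owned:
            result[b] = "unreachable"
        elif by_name[b].immutable:
            result[b] = "reachable-but-immutable"
        else:
            result[b] = "encryptable"
    return result


# Constructed inventory mirroring the scenario in the article: the backup server
# is domain-joined, so Domain Admins can log on to it and it holds the repo credentials.
INVENTORY = [
    Asset("dc01", accepts={"ad"}, yields={"ad"}),
    Asset("backup-srv", accepts={"ad"}, yields={"backup-svc"}),
    Asset("nas-share", accepts={"ad", "backup-svc"}),                 # SMB target, domain ACLs
    Asset("object-store", accepts={"backup-svc"}, immutable=True),   # object-lock bucket
    Asset("tape-vault", accepts={"vault-ops"}, offline=True),        # tapes in a safe
    Asset("isolated-repo", accepts={"repo-key"}),                    # own credential realm
]
BACKUPS = ["nas-share", "object-store", "tape-vault", "isolated-repo"]


def graham_scenario():
    """Domain-joined backup server: the DC compromise reaches the online copies."""
    return backup_exposure(INVENTORY, "dc01", BACKUPS)


def hardened_scenario():
    """Same inventory, but the backup server and NAS no longer trust AD credentials."""
    hardened = [
        Asset("backup-srv", accepts={"backup-admin"}, yields={"backup-svc"})
        if a.name == "backup-srv" else
        Asset("nas-share", accepts={"backup-svc"})
        if a.name == "nas-share" else a
        for a in INVENTORY
    ]
    return backup_exposure(hardened, "dc01", BACKUPS)


if __name__ == "__main__":
    for label, scenario in (("as-built", graham_scenario()), ("hardened", hardened_scenario())):
        print(label)
        for name, status in scenario.items():
            print(f"  {name:14} {status}")
```

The model is deliberately coarse: it asks only whether the credentials an attacker already holds after owning the domain controller are enough to write to or delete a backup copy. A copy that fails that test is not a recovery path, however faithfully it is taken. Real products add wrinkles the model ignores, such as retention locks that the same administrative account can shorten, so the `immutable` flag should be set only after confirming that with the vendor.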