The real costs of ransomware in 2021, 2022, and beyond.
Rick Howard: Hey everyone, welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. Today's episode is titled "The Real Cost of Ransomware in 2021, 2022 and Beyond". As you all know, ransomware is the problem that everyone is talking about these days, yet somehow continues to get worse with each passing year. Some pundits estimate that the ransomware bill will reach a whopping 20 billion dollars in 2021. In this show, we're going to put on our prognosticator's hat and try to anticipate the direction the ransomware environment will go in the next five years.
Rick Howard: One program note, each CyberWire-X special features two segments. In the first part we'll hear from industry experts on the topic at hand. In the second part, we'll hear from our show's sponsor for their point of view, and since I brought it up, here's a word from today's sponsor, ExtraHop.
Rick Howard: Keeper is the top rated cybersecurity platform for protecting organizations of all sizes from the most common password-related data breaches and cyber attacks. Did you know that 81% of data breaches are caused by weak password security? Keeper is more than a password manager. It's a scalable and customizable security platform that includes industry-leading features, such as automated user provisioning, world based enforcement policies, SSO SAML integration, advanced reporting compliance, breach watch dark web monitoring, and more. Members of the CyberWire community will receive a free three-year personal password manager when they take a business demo. Visit keeper.io/cyberwire to learn more, and we thank Keeper for sponsoring our show.
Rick Howard: Joining me at the CyberWire HashTable for the first part of our show is one of our regulars, formerly the North Dakota state CISO, but now the new CISO for the Environmental Systems Research Institute, headquartered in Redlands, California, Kevin Ford.
Rick Howard: Kevin, thanks for coming on. We're talking about ransomware and we've had a number of new developments, new innovations if you will, just in the last couple of years from both the good guys side and the bad guys side. Ransomware groups have gone after critical infrastructure targets like oil pipelines and hospitals. Their business model has diverged from a one-stop shop to a SASS model, or an affiliate model if you like, where criminals can subscribe to services like phishing as a service, access as a service, and others.
Rick Howard: And on the good guy side, we've had international law enforcement organizations increase the pressure on these criminal groups by conducting influence operations on underground message boards and hacking back to disrupt the criminal infrastructure. In response, some ransomware groups have rebranded or claimed to disband altogether. I think it's safe to say that this is a dynamic environment. So Kevin, I've asked you to bring your crystal ball to predict what we might see in the next few years. Let's just start with a year from now. What do you think is going to happen? More chaos or something more predictable?
Kevin Ford: I think that ransomware is such a lucrative threat factor that I expect it to increase. I think ransomware will become probably-- I, I mean, I don't want to put any dollar signs around it, but I bet it will increase by maybe about 30 to 50% again this year as far as events. It would be actually really cool to have some numbers on how much money is being funneled down that pipeline. I'm sure we'd never get to accurate numbers, but I bet that will also increase as well.
Rick Howard: If you talk about the other side, the good guy side, one of my concerns in this next year is they start to get success taking down these crews. And if you're right that less mature crews, even one man crews, one person crews emerge, that it'll be easier for law enforcement and government agencies to knock off those teams, claim success, or progress anyway, but the main folks will still keep doing their thing, and, and we might lose focus there. I don't know, what do you think about that?
Kevin Ford: I think that's a possibility. I also see the reverse being something that could potentially happen. From a research perspective, if you're in a lot of the chat rooms and areas that I, I traverse when I'm looking into these things, you'll see a number of individuals just taking it up with tools. So I could see it becoming a case of whack-a-mole, where we go after the big crews, maybe take them down, but the tools exist and one person or two people pick it up and run with it and then all of a sudden you have this very distributed environment of ransomware attacks where potentially you can't trace it to any one particular sophisticated threat actor. It becomes more of a kind of whack-a-mole, constant-nuisance type scenario.
Rick Howard: What I anticipate is, like we said, there's going to be more SASS services offered under, underground to the criminal element because even though it looks like all that stuff you could just grab the code and use it the way you want to, it turns out that running code and running platforms to do complicated things is really hard to do. So if you're, if you're not maintaining that code, then I could see the main lever that governments and law enforcement has is just dismantling the infrastructures so they can't deliver that service. I think we're seeing that now, but I don't know, what do you think?
Kevin Ford: Right. I think you've correctly identified, that's what we need to go after, and we, not you and I, but the government [LAUGHS] need to go after...
Rick Howard: [LAUGHS] Yeah. You don't want me doing that, that's not going to be good.
Kevin Ford: Yeah, we need to go after the infrastructure, not so much the groups, and be able to take down sites that host that code, that distribute that code, sites that potentially could offer this as a service. I will say, I'm not particularly hopeful that it can be done easily. I think we've seen with other types of attacks and other types of cybercrime that they just-- we just hop around the internet, right, until we get to a spot where it's just this big game of whack-a-mole. But yeah, I think that is the logical constraint to attack in order to try to disrupt ransomware as much as we can.
Rick Howard: Well I think the difference between now and, you know, let's say five years ago, we would hamstring ourselves, at least law enforcement would, with all these legalities. We can't move into other foreign countries unless we have an agreement with them, and for specific countries like Russia and say China, maybe Iran and especially North Korea, we're just never going to get those kinds of things. There hasn't been a willingness up until now to disregard those laws. That gives us more options than just the legal route.
Kevin Ford: I think that potentially there is maybe a mismatch internationally in the way these sorts of crimes are perceived. I think we certainly see it that way. But I think maybe some other nation states may reap the benefit of these sorts of attacks occurring. So I think in, in some cases, they may not be as, as interested in mobilizing a force against this, or taking these sorts of capabilities down. But I, I do think that probably the most successful way of taking this infrastructure down is to achieve something internationally, something diplomatic, where we can have better partnerships internationally to, to take these things down.
Rick Howard: Yes, well, we've been saying that for 20 years, okay. I think the thing that's changed now is that the ransomware attacks have ratcheted up the damage that can done. Before, if you lost your credit card to a cybercrime attack, banks would replace it. It would be a pain but it wouldn't be, it wouldn't be life-threatening. But we're in a different situation now. This first year, I think that western governments have decided that there are more cyber operations on the table as things they can do. Would you agree with that?
Kevin Ford: I think that's the case. I, I definitely think now that we're seeing it in critical infrastructure, that there's more willingness to go after this as a serious threat.
Rick Howard: Let's forecast three years out. I think you and I agree that one year, we've decided the governments have decided they were going to do a little bit more. Let's assume that western governments started attacking these folks on the internets, start taking down infrastructure. What else is happening there? What's going to happen?
Kevin Ford: I think we start to see a paradigm where I think everyone really understands that really severe harm can be caused in the cyber realm. And I think all the things we said about year one, as far as going after infrastructure, becomes even more solidified. I think it becomes more instantiated in policy. I think there becomes potentially more, becomes a better understanding of what kind of the quid pro quo is as far as retaliations around critical infrastructure and attacks on that sort of thing in the cybersphere. And I think while it's potentially new for people in the US, it's not new for people in other countries that maybe have been attacked in this way before.
Rick Howard: Well I'm an old army guy right, and I had an old boss of mine, we were doing cyber stuff and he would say stuff like, "Just because you decide to attack them doesn't mean they give up after that." He always would say, "The enemy gets a vote," so I would predict if we really ratchet up our offensive capabilities against criminal infrastructure, it could potentially get a lot worse.
Kevin Ford: Yes, I think that's the case. I mean I, I think we should expect that in a lot of regards the internet will become a more dangerous place. I think that the potential of retaliation is definitely a, a real potentiality that we should be concerned with. And I think, again taking my cues in the war on terror here, I think that there's a lot of-- probably a lot of potential for this to become a real political hot button issue as well. I could see it, you know, being featured in presidential debates, or in local political debates. I can see it becoming a, a real issue here politically and for the US government and for the citizens.
Rick Howard: One thing I've always tried to advocate for is a legal attack on bad guy infrastructure. And what I mean by that is, you know, Microsoft's been very successful over the last two decades of getting a bunch of legal people together, get a bunch of techies together, and dismantling infrastructure for bulletproof hosting providers and things like that legally. And I've always said that DHS shouldn't go hire more technicians. They should go hire 1,000 lawyers and have them full time causing trouble for anybody hosting bad guy services. I don't know. No-one has ever taken me up on that idea. How crazy is that idea?
Kevin Ford: I don't think it's crazy at all. I think actually when we're looking at bad guy infrastructure, one of the hardest things to do is get through that kind of outer shell, right? The reason that exists, that bulletproof infrastructure exists, is because they've in some cases found loopholes or in some cases found areas where the legal precedent and the legal push is reduced or maybe doesn't occur as quickly, and so I think yeah, there are a lot of criminal infrastructure and criminal gangs hiding behind that kind of administrative shell as it were. That's probably not a bad idea. I think anything's possible. It may be a little pie in the sky, but I do...
Rick Howard: I've been accused of that many times, I've been accused of that many times, Kevin. [LAUGHS]
Kevin Ford: As far as civilized ways to, to do this, I like that potentiality better than hacking back or starting cyber wars. I think, you know, it would be a, a pretty great way to do it if we could get that, you know, kind of almost filtering capacity at the ISP level and back it up with a serious legal or administrative requirement. You know, with political weight behind it, I think that's potentially a, a great way to solve it.
Rick Howard: So the first year was, we've decided to do something. Over three years, we're going to see a back-and-forth escalation. Both of us think that's going to happen. Let's think about five years. What are we seeing in five years from now when it comes to ransomware?
Kevin Ford: I think in five years entropytakes its toll. It's not as big a deal [LAUGHS] anymore. Or it's normalized and I think there are some new exotic attacks, yeah.
Rick Howard: I like the way you said that. It could be normalized, okay. In five years, we've just gotten used to it or we've had some successes too. The good guys have had some successes, taken some of the crews out. But this is a problem that doesn't go away just because you take, let's say, Evil Corp off the grid. They're going to disperse into their hidey holes and reform in different forms. So it isn't like it's just, "Oh we just do things for a couple of years and we're okay." This is the new norm, like you said, Kevin, that we're going to be in this fight, this kind of fight, from now on I think.
Rick Howard: Yeah, I believe so. There are two threads we could pull here. There's one that's, the, the maybe more narrow thread, the ransomware thread. I think there's a potential for us to eventually get over that, take that threat off the board, whether that's because we get so good at defending against it, or there's a new more exotic cyber attack out there, that criminals are more interested in. I think the larger thread to pull though is that cyber security hopefully becomes normalized, right? It starts to become something that every organization does, and that individual citizens, individuals do on their own as well. People start to just kind of understand how to be a little more hygienic on the internet.
Rick Howard: I have no hope that that's going to work. I have-- Kevin, I mean, you're a young, you're a youngster compared to me, all right? I've, I've been thinking...
Kevin Ford: I'm a glass-half-full guy. [LAUGHS]
Rick Howard: [LAUGHS] I don't see the populous deciding that even if they could do hygiene better, I don't see them doing it any better. But I'm a glass-is-kind-of-half-empty kind of guy compared to you. [LAUGHS]
Kevin Ford: Yeah. Well let me-- look, I, I counter with this, right? I think tech companies have a responsibility here really to push the end user into a better cyber posture. And I think that as soon as our, you know, our Facebooks, our YouTubes, all of the social networks, as well as you know, the other things, banking, Amazon, so on and so forth, start enforcing really important cyber security measures like MFA and whatever else comes down the line here, if they'll start enforcing it for the end user, I do think certain cyber hygiene habits will increase and will become the de facto way of doing anything on the internet.
Rick Howard: For many years my generation of security practitioners have said, "Well we're just going to make the user smarter." I think that's the wrong answer. We have to make it so they cannot make mistakes on the internet. Why, I'm, I'm the chief security officer here for the CyberWire. We have an anti-phishing program, you know, from KnowBe4, and out of the 25 employees we have, I've been fooled twice, and I know what I'm doing. I can't expect grandma to absolutely know what to look for in a phishing message, right? I think that's a ludicrous proposition. Like you said, the tech companies have to make it so that it's more secure, enforcing really simple things like multi-factor authentication and others we've all talked about over and over again. So last words on the future of ransomware, Kevin. What do you think? What, any words of wisdom you can pass our way?
Kevin Ford: So I think ransomware, again, is kind of a very very important topic right now, and it's just my hope that we will grab onto the things that are happening here as far as ransomware, things that have happened in critical infrastructure and really look at that and use that as a way of escalating cyber security in the national narrative so that we're looking at the importance of cyber security, not just from a data protection perspective and maybe even a privacy perspective, but from a safety perspective, from a perspective of protecting people, protecting health, protecting the infrastructure of the countries that are potentially interested in this. So I think just, yes, it's a painful topic, but it's also an opportunity to get better, and so let's use it to get better.
Rick Howard: Well, I'm going to subscribe to the Kevin Ford glass-is-half-full kind of philosophy.
Kevin Ford: You should. It's great over on this side.
Rick Howard: [LAUGHS] Thanks for coming on Kevin, we really appreciate your thoughts and we'll have you on the next time.
Kevin Ford: Great. Thanks a lot, Rick.
Rick Howard: Next up is Dave's conversation with Mike Campfield, the VP and General Manager of International Operations and Global Security Programs for ExtraHop, our show's sponsor.
Mike Campfield: Yeah, so ransomware has grown dramatically year over year and month over month and almost day over day. You know, to contrast this, the total cost of ransomware back in 2015 was, was about 325 million, you know? It's expected to reach 20 billion this year. So, it's about a 6,000% increase. I'd love to be in a business that does that [LAUGHS] in just about six years. And, and so that, that's actually from cyber security ventures, those numbers, and incredible, incredible growth in a bad way.
Dave Bittner: So what are some of the areas when it comes to battling this that you feel perhaps aren't getting the attention they deserve?
Mike Campfield: Yeah. In order to, to battle ransomware, there's, there's two main areas. There's prevention, so that would be security tools that stopped infiltration and, and cyber security attacks, and then there's the, the ability for a company to restore themselves or, or be resilient in, in a cyber attack. So that would be your, your backup and, and your-- more of your retention products out there.
Dave Bittner: There's so much talk about insurance and, and backups and so on and so forth. I mean, certainly that's part of a company's defensive posture, but is, is there over-emphasis in those areas?
Mike Campfield: I think so. Like anything, when the government funds something or doesn't fund something, it either works or it doesn't. You can kind of correlate that to insurance as well, and, and when you look at cyber insurance, you know, most, not all, but most insurance companies are paying ransomware and ransom damages right now to, to companies. The problem with that, or the implication of that, is obviously ransomware is increasing because there's, there's money there. Additionally, the, the end users are the people that have these insurance policies, are increasingly having to pay dramatically higher premiums year over year. So, so you have really funding of, of the issue as well as an expense. Whether or not you have ransomware or not, because if you want to protect yourselves, and most companies do, from a financial loss, you're, you're going to, you know, you're going to pay whatever the premium is.
Dave Bittner: And what about on the backup front? I mean, you know, robust backups of course are part of any organization's security posture, and, and there's been a, a spotlight shown on them because of ransomware. Again, are people putting perhaps too many eggs in that basket?
Mike Campfield: I believe so. When you, when you look at, you know, for example, the Colonial Pipeline, that's just, you know, an example. If you get a pretty deep infection from ransomware where it spreads across your enterprise, the time to recover, even with complete backups, is, is pretty long. And usually unacceptably long for most organizations. So you know, when you look to Colonial they said that, you know, they, they had the ransomware keys, number one, so they were decrypting with that, as well as they were using their backups, yet they, they were still down for a very, very long time.
Mike Campfield: So you know, having a prevention from a backup mindset is super risky and usually most businesses can't recover in, in a quick enough time, and, and even if they do, there's a lot of statisticsout there that are well south of 100% of what people get back. So you never get everything back. So the, the last comment on this is it's, it's not just about restoration or, or decrypting your files. You have these ransomware attacks with multi-facet extortion. So you know, we just saw over the last few days, with the, the NRA, and what the grief issue was, you know, the grief ransomware gang, which a lot of people are speculating comes out of Evil Corpwhere, you know, they have had a ransomware attack, unconfirmed by the NRA but confirmed by the dark web.
Mike Campfield: And they have their files. And they, they say they're going to use those files against the NRA. So even if you do recover, your data is, is removed or exfiltrated outside of your environment and it can be used against you at any point in time. Let's, let's face it, you know, they're cyber criminals and you really can't trust or, or even baseline what they're going to do next.
Dave Bittner: Let's talk about recommendations then. I mean you know, organizations have a, a limited amount of resources, and time, and, and all of those things. How should they go about calibrating the various methods that they put in place to help protect themselves against ransomware?
Mike Campfield: So we, we believe these trends will push companies to implement more detection and response controls and other technologies that help defend their enterprise against advanced threats like ransomware. You know, this should help them spot these advance attacks and ransomware infections early so that way they don't have as much data to restore, as well as the data's not out on the dark web. So you want to catch these things early and we have a lot of, of our customers that have caught these, these issues early and haven't had to do massive restorations. And, and this not only protects them, but it should also help their premiums. A lot of cyber insurance companies look at the resiliency plans and the cyber tools that they have in place at the companies, and you know, based upon their level of investment in what they're doing, you know, they, they should reduce their premiums from, from that perspective. Not guaranteed, but we do see people doing that with the right technology in place.
Dave Bittner: Are there any common elements you know, you know when, when you think about the organizations that you all work with there, at ExtraHop, are, are there any common elements with the organizations that are doing this right, that are seeing-- that, that have these effective measures put in place?
Mike Campfield: So the, the biggest thing is, the people that are thinking about 24 by seven you know, monitoring of, of particularly where their, their data lies, their, their critical assets, there are no minutes off. And their ability to you know, spot these, these issues and be able to put in automated remediation where you're either shutting down a part of your enterprise that's infected or you're blocking what's going on is, is a big one. The other one is the, the people that are, are getting really serious about patch management number one, but also number two, around identity and access management. When you look at the attack vectors for ransomware in particular, you know, it's, it's not just you know, you know, you find Dridex and you know Evil Corp's in there as far as that.
Mike Campfield: Or you have a, a TTP from, you know, from a ransomware gang so, so you find it. Those are certainly things that, that you can do. But you know, they're still doing brute force attacks as well, and so you know, making sure that you have, you know, the right software up to date, that you're, you're really managing, you know. Enterprise-class identity and access management capability are, are two big ones, and, you know, the last one which I started with is really, you know, pushing to early breach detection. And you know, that's where ExtraHop comes in. You know, we, we really give enterprises a way to use behavioral technology across their whole environment to spot these challenges and issues before they get out of control.
Dave Bittner: What are your recommendations in terms of, of getting started here? I mean if, if I'm the person who's leading the security charge at my organization and I'm, I'm getting, you know-- I'm preparing to walk into my board of directors and my managers, and say, "Hey, this is something that we need to do a better job preparing ourselves for. Where's the best place to begin?"
Mike Campfield: Yes, so I, I have the fortune of going all around the world and speaking to a lot of peers and people that lead these programs for just this one question. And the first one that, that everybody believes is one of the more successful ones is data and comparing your organization to the unfortunate people that, that are out there. So you know, if you're in finance, you can bring up a, a financial ransomware attack. If you're in healthcare, you can show where hospitals or, or any parts of the organization have, you know, been shut down. And obviously any minute that those places are shut down are, are completely unacceptable. So, so you kind of do this peer review, so that way you have some evidence of, of what's happening out there.
Mike Campfield: And then secondly, which was, you know, a great question you asked a couple of questions ago, is you know, okay, what's the playbook in order to mitigate this issue? And you know, a lot of CISOs that I speak with, they'll, they'll even have peer organizations talk with the board, or, you know, give them some information and, and leave their contact information available so that way they, you know, they can see these playbooks for incident response. Additionally, there are a lot of resources out there, whether those are professional organizations like, like Mandiant, or you know, any other kind of cyber incident response company that can come and really help you do all the different phases of this.
Mike Campfield: So you know, it starts out with the security program assessment, so baselining where you're at, where you need to be, in order to mitigate ransomware. Then really what is, you know-- what are you going to do once you have it? And so a lot of great playbooks around response readiness assessments and you know, how do you, how do you handle down time, so you're going back to the fact that, you know, you can have a backup process, but if you don't have a full, fully implemented plan of where you know, you can take things offline, or ways to restore or, or ways to, you know, really bring your business either down or back up through some of these plans, you really fail once these kind of accidents happen. And you know, we always recommend and most cyber security practitioners recommend, you know, running through many of these events during the year, at least quarterly, to make sure that they're ready in the inevitability almost, unfortunately, that something like this will, will happen to them.
Rick Howard: And that's our show. We'd like to thank Kevin Ford from the Environmental Systems Research Institute and Mike Campfield from ExtraHop, our show's sponsor, for being on the show. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the start up studios of Data Tribe where they are co-building the next generation of cyber security start ups and technologies. Our senior producer is Jennifer Eiben, our executive editor is Peter Kilpe, and on behalf of Dave Bittner, this is Rick Howard signing off.