CISO Q&A: Ransomware: A Top of Mind Threat Still Today

By Joe Robertson and Ricardo Ferreira | May 12, 2022

Ransomware is the threat that just keeps going; it rolls on relentlessly with increasingly sophisticated and aggressive attacks. According to the Global Threat Landscape Report from FortiGuard Labs, threat actors continue to pound away at organizations with approximately 150,000 individual detections per week. Double extortion attacks, where ransomware actors steal data and use the threat of leaking it as additional leverage for extorting ransoms, are no longer a rarity. 

Wiper malware is another increasingly common threat, which is designed to destroy data. We're now coming up on the fifth anniversary of the NotPetya attack and also the WannaCry ransomware. The NotPetya wiper malware attack originally targeted businesses in Ukraine, but because of its self-propagation capability, it spread to more than 65 other countries and became a very devastating malware to date. WannaCry is of course a global ransomware attack example and there are many more recent examples of wiper malware and ransomwares. 

Ransomware clearly isn't going away, Fortinet Field CISOs Joe Robertson and Ricardo Ferreira offer perspective on where we are with ransomware and what's next.

We have been talking about ransomware for years. Why is it still a top-of-mind threat?

Joe: Ransomware is still top of mind because it's become a business. It has developed into something far beyond what it was ten years ago. At first, it was just the purview of a few hackers, but as it has grown into an industry, the sheer volume of attacks has increased dramatically. Since the pandemic, more people have become aware of ransomware because hospitals were targeted, because lives were threatened and hospitals couldn't take care of patients, that focused more media attention on the problem.

It's important to remember that ransomware started as a cottage industry run by individuals, but it has evolved into a business run by criminal organizations that now have built their own cybercrime ecosystem. They don't just create the ransomware and put it into place. Now they have hot lines and boiler rooms where victims can contact them for info on how to pay the ransom. And it has grown to ransomware as a service (RaaS), so you don't even need tech skills to wage an attack. You can simply hire someone to steal you some money; they do all the heavy lifting for a fee.

In the past, state-sponsored attackers used ransomware for political ends, like NotPetya five years ago. It was designed to attack the Ukraine government and organizations, but it didn't have controls built in, so it had unintended consequences and moved out of Ukraine and into the rest of the world. Because of the political situation in Eastern Europe, Ukraine, and elsewhere, these state-sponsored attacks are growing.

Wiper malware like NotPetya wipes out data whether or not a ransom is paid, which leaves victims totally at a loss with no recourse. Ransomware used to be simply a tactic, but now with the ecosystem and business model that has developed around it, ransomware can be used as a weapon of war. In the wake of Russia's attack on Ukraine, governments have issued warnings about the potential for more attacks, particularly because any organization can end up being collateral damage in a cyber war. Malware doesn't pay attention to country boundaries, and the reality is that ransomware could travel around the world in seconds.

Ricardo: Ransomware is still a top of mind threat due to its prevalence, how it is readily available, and the impact that it causes. As we have seen in criminal groups for the past few years, more tools and services have been identified. This is an issue as it enables low-skilled actors the potential to cause disruption.

Also an important aspect is that critical infrastructure has been one of the most targeted sectors by criminals as well. Just this month Costa Rica declared a national emergency due to attacks from Conti ransomware on government bodies.

What should CISOs be thinking about now when trying to protect against ransomware threats?

Joe: First, it's important to highlight cyber hygiene. It's easy to say that staff is the weakest link because they click on links in phishing emails, but I take the opposite view. Staff can and should be your first line of protection. Every organization should have employee training programs that are interesting and easy to use. With an alert set of employees, you can avoid many of the attacks that try to get into your environment. Fortinet has free cybersecurity training to help people recognize the social engineering tools and techniques that are successfully used by cybercriminals.

When people talk about security, they usually focus on technology, but it's also a question of psychology. It's essential to get everyone to realize that they are potential victims of cybercrime at any time. Then they can recognize suspicious activity and emails more readily. 

Of course, organizations also need to set up a technology barrier. Most ransomware enters the environment via email. Even if you have staff trained to recognize social engineering, it's still possible that some form of phishing or, more likely, spear-phishing email can get through. Spear phishing is more difficult to spot because it looks like something from someone you know. Organizations should invest in email protection to back up staff and act as a solid second line of defense.

Ricardo: CISOs should be holistic in their security posture, meaning that processes and people should be a major focus of the information security program. Almost half of the organizations that are hit by ransomware and pay the ransom, are hit again. Not only does paying a ransom encourage copycat crimes, but there’s no guarantee of a swift return to business-as-usual. 

How can artificial intelligence (AI) and machine learning (ML) help fight against ransomware at the endpoint or across the network?

Joe: Today organizations need far more than antivirus solutions. IT teams should take a proactive approach with real-time endpoint protection, detection, and response (EDR) coupled with zero trust access, segmentation, and encryption. A good EDR system can analyze what's happening with a laptop and detect anomalies, such as extra read-writes to the disk that could be malware trying to encrypt the disk. The EDR solution can then can quarantine it so it can't encrypt. Thanks to artificial intelligence (AI) and machine learning (ML), EDR can detect this type of anomalous activity that could be malware or data leakage from insiders that are copying and removing files.

Any organization that doesn't have real-time protection at the endpoint dialed in needs to do it now. AI is important because it can correlate events across different devices and see things that humans can't detect. It then alerts analysts who can figure out what's behind it.

The bad guys aren't standing still, so you can't either. Because ransomware attacks are getting faster, organizations should consider switching from collections of point products to integrated solutions that are designed to work together and that can take in threat intelligence in real-time. An integrated cybersecurity mesh platform can detect threat patterns and fingerprints, correlate massive amounts of data to detect anomalies, and automatically initiate a coordinated response.

The centralized management and broad visibility that this type of platform provides can help ensure that policies are enforced consistently, configurations and updates are delivered promptly, and a coordinated threat response can be launched when the system spots suspicious activity. And if you have a system in place, it needs to be constantly updated with a threat intelligence service.

Ricardo: This is where consolidation can play a big role enabled by cybersecurity mesh architectures. As the old adage says “garbage in garbage out.” We can have very good AI/ML models but if the data is not enriched, its useless. A mesh architecture, such as the Fortinet Security Fabric uses data from different platforms, products and services to enable the policy enforcement point to make the best decision based on the risk policy.  

What is one key takeaway that CISOs should know to understand how to protect against ransomware better?

Joe: Like I said, security is about both technology and psychology. Organizations need to analyze the tactics that attackers are using. Trained analysts have instincts that machines don't have. Every organization should have a cyberattack response plan in place. And once you have a plan, you need to practice it. The last thing you want is to be opening up the plan for the first time when you're in the middle of an attack. I think of it like CPR. You want to have taken a class and practiced CPR reasonably recently so you can spring into action in an emergency. When it comes to a cyberattack, you need to know how to shut down systems and perform backup and restore operations. You don't want to be performing these tasks for the first time when you're under pressure to get your business back up and running.