
The Shared Responsibility of Countering Ransomware

By Jim Richberg | July 20, 2021

The recent series of high-profile ransomware attacks underscores how vulnerable critical infrastructure is and the impact cybersecurity can have on American society. This is not a new development. According to research from FortiGuard Labs, organizations across the globe saw a sevenfold increase in ransomware during the last six months of 2020, and that trend has not abated. While some of this may be the result of state-sponsored activity, the increasing revenue generated from ransomware has attracted a growing number of cybercriminals.

In response, the White House announced the formation of a cross-government task force to develop and coordinate defensive and offensive measures against ransomware. Solutions being discussed range from revising cybersecurity regulations to updating security infrastructures to offering rewards for identifying threat actors.

Because this is a problem that crosses political, geographic, and technology borders, dealing with the increasing volume and impact of ransomware will require an integrated response involving government and the private sector. Three general areas need to be addressed.

The Role of the Private Sector

Preventing ransomware from infecting a network or detecting an active infection and blunting its impact are technical problems for which effective commercial cybersecurity solutions exist. Here is what we know:

  • Vulnerable endpoint devices are the most common attack vector because many victims lack up-to-date endpoint protection. However, ransomware attacks can be detected and blocked at the point of attack—especially by endpoint defenses that look at software behavior instead of signatures, known as Endpoint Detection and Response (EDR) solutions.
  • Once ransomware gains a toehold in a network, it can spread laterally within the victim's network due to inadequate security control configurations (excessive account privileges, inadequate monitoring, etc.) and a lack of network segmentation. Implementation of a Zero Trust architecture and access policies can help minimize the spread of malware within an infected network.
  • Many ransomware exploits leverage known vulnerabilities for which patches exist. Organizations need to be diligent in patching and updating their technology.
  • Not every system can be patched. In such cases, organizations need to update their security devices to automatically block exploitation attempts using known vulnerabilities and attack patterns, a technique known as a "hot patch." 
  • Cybercriminals are also starting to spend more time on the reconnaissance and weaponization phases (left of boom) of the cyber kill chain before launching ransomware operations. As a result, attacks may happen more rapidly and with surgical precision. Automated tools enhanced with Artificial Intelligence and Machine Learning technologies can now detect and respond to such threats in real-time.
  • Up-to-date data backups stored offline offer a viable alternative for recovering encrypted data. There are countless commercial solutions for creating and maintaining such backups. However, organizations need to be aware of new efforts by some ransomware operators to get around this practice. For example, our FortiGuard Labs research team recently discovered a new Darkside variant that can search multi-partition environments to find backups. As a result, backups should be stored off-network.
  • Stored data and data at rest should also be encrypted. A new ransomware strategy leverages the threat of 'doxing' (publishing stolen data) or selling it online if a ransom is not paid. As a result, backups alone are insufficient to prevent significant damage to an organization or its customers. Encrypted data, however, can effectively counter this strategy. Encrypting data and then decrypting it in real-time when needed would prevent a malicious actor from readily exploiting or leveraging stolen data to further extort payment.
  • Many victim organizations have limited or no incident response capability in place, even though time is of the essence in responding to ransomware to minimize its spread and aid in recovery. Advanced tools leveraging automated behavioral analytics and capabilities such as deception technologies can ensure that malicious behavior is readily identified even when it is actively seeking to evade detection.

The Role of Government

While mature and viable commercial solutions and best practices exist to prevent, detect, and respond to ransomware attacks, prevention will never be foolproof—even if organizations and individual users implement strong cybersecurity measures. The growth of ransomware reflects challenges that require government and potentially international cooperation to address.

  • Most ransomware activity emanates from a small number of nations who appear unwilling or unable to crack down on this criminal activity—or who may be complicit in and benefit from it. And increasingly, the line between a nation-state (Advanced Persistent Threat) attack and one mounted by a criminal enterprise is becoming blurred. Dealing with these geopolitical havens requires government action.
  • The rapid growth of cryptocurrency worldwide has fueled the ability of ransomware actors to readily monetize their activity. Cryptocurrency markets largely have not been subject to the type of oversight that has evolved to counter illicit transactions in other financial markets. Applying existing tools such as 'Know Your Customer,' Anti-Money Laundering, and Combating Financing of Terrorism rules can thwart the use of cryptocurrency as an easy tool for malware perpetrators to exploit.
  • Given the growing impact of ransomware on critical infrastructure and citizens' daily lives, governments can decide whether to treat it as a high priority for law enforcement and intelligence collection. The US began to take such steps in the May 12 Executive Order (EO 14028). Additional steps could be taken, such as empowering and resourcing law enforcement to more rapidly partner and pursue cybercriminals, whose actions typically cross jurisdictions and political boundaries. Also, this summer, Federal prosecutors across the U.S. have been directed by the Department of Justice to coordinate any ransomware investigations with the Washington, D.C.-based task force the DoJ set up to focus on ransomware.
  • Governments can also decide whether to ban ransom payment, which would fundamentally affect the financial viability of ransomware as a criminal activity. However, banning payment could also increase the operational impact on a victim organization and its customers. As a result, such a measure could be considered in conjunction with a more substantial government role in aiding recovery, as is done in the US for the victims of state-sponsored terrorism. 
  • Even if a government decides not to ban ransomware payment, it could consider mandatory breach reporting and mandatory ransomware payment disclosure requirements. Most experts agree that ransomware incidents are under-reported. Better data collection on the magnitude and rapidly changing characteristics of the ransomware problem is necessary to better understand and more effectively counter this growing epidemic.

The Public-Private Partnership

While there are distinct roles for the private sector and for government in dealing with ransomware, there are aspects to addressing this issue in which a partnership is essential.

  • Defining what constitutes 'due diligence' or a reasonable standard of care to prevent ransomware infection and shaping 'the carrots and sticks' that drive implementation are areas where government and market forces, such as the insurance industry, have a role to play. For example, the government can decree or mandate standards and minimum levels. The insurance industry can also require adherence to specified cybersecurity standards and best practices as a condition for coverage. 
  • Whether cyber insurance coverage against ransomware on balance helps or hurts in the fight against ransomware is an open question. Anecdotal data suggests that the ability of a ransomware actor to learn whether a prospective target has a cyber insurance policy, and even what the coverage limits are—facts that by law may be public records for many local governments—may make them a more attractive target because of the possibility of a ready payout by the insurer.
  • Incident response is another area where government and the private sector are better together. Most victims don't have a response strategy in place or know who or where to call. Strategies for dealing with ransomware should include prevention, training, and incident response. They should cover detecting an attack, taking the first steps to limit its impact, having pre-established chains of command and communications in place, maintaining business continuity, preserving a crime scene, and publicly reporting an incident.

In sum, while government and the cybersecurity industry each have a role to play in developing solutions, enterprises and individuals must do their part to implement them. The challenge is that ransomware is a complex and growing problem that must be addressed holistically and through unity of effort. But the good news is that there is growing recognition of the importance of dealing with this problem, and there are viable and practical solutions to addressing the challenge. We just need to bring them together.
