[BreachExchange] How Ransomware Encourages Opportunists to Become Criminals

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:11:17 EDT 2021


https://www.darkreading.com/attacks-breaches/how-ransomware-encourages-opportunists-to-become-criminals/a/d-id/1340953?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

"I don't have to be faster than the bear, I just have to be faster than the
slowest runners," commented a cybersecurity executive to me over lunch last
month. This philosophy of not being an easy target has been the cornerstone
of many successful cybersecurity practices over the last two decades. It
has been highly effective for organizations that have the skill and funding
to outpace their peer organizations and has delayed inevitable consequences
to their organizations.

Cybercriminals have historically been opportunists playing a numbers game.
Mass attacks with low success rates have long provided sustainable streams
of ill-gotten revenue. While opportunistic crimes are very common, there is
an uptick in targeted, thoughtful attacks that read like the plot to
Ocean's 11.

In March, The Record interviewed Unknown from the REvil/Sodinokibi group,
which offers ransomware-as-a-service to criminals to carry out extortion,
data theft, and system destruction attacks to gain money from victims
and/or buyers. In response to the question of whether it targets those
carrying cybersecurity insurance policies, Unknown responded, "Yes, this is
one of the tastiest morsels. Especially to hack the insurers first — to get
their customer base and work in a targeted way from there. And after you go
through the list, then hit the insurer themselves."

Not long after, Chicago-based commercial insurer CNA got hit with a
ransomware attack. The latest update from CNA in April confirms a
"sophisticated ransomware" attack occurred. It has also committed that
"once our investigation is complete, we will notify any impacted parties as
appropriate."

What we know at this point is that criminals have developed sophisticated
tactics (the ransomware), a distribution mechanism (like REvil), and patience
for bringing down bigger prey (like CNA). The ability to breach one of the
largest organizations that exist to underwrite cybersecurity risk is
compelling evidence that the bear is now chasing the faster, tastier
runners. If the criminal networks possess a listing of companies insured
and the amount that they are insured for, they have created a menu of the
tastiest morsels to target.

With criminals developing appetites for the fast runners of the past, the
individualism of private organizations must transform into a collaborative
herd community to survive this evolutionary change in the predators. The
well-funded and less-funded organizations need to develop sustainable
methods for sharing information with each other and collaborating with law
enforcement to increase painful deterrence for the criminals.

In the past, well-funded organizations in most industries have had little
motivation to help less-funded peer organizations. An exception to this has
been between financial institutions. In the "2020 FBI Internet Crime
Report," the agency recovered more than 82% of the $462 million in losses
from financial institutions. This industry invested early in collaboration
mechanisms and protocols between one another and law enforcement and serves
as a prototype of an effective collaborative herd.

Cybercrime is a subtype of crime, and lessons we have learned in reducing
crime rates in the physical world apply in the cyber world. Private
organizations need to work with law enforcement agencies to establish
workflows and communication tactics akin to neighborhood watches.
Establishing sustainable methods for private organizations to communicate
with each other and with law enforcement agencies is critical to improving
arrest and conviction rates.

In the case of the CNA breach, it is my hope that CNA, its insured, and law
enforcement already have vigilant safeguards and surveillance in place to
produce the evidence needed to prosecute these crimes and make future
crimes less attractive.

As cybercriminals evolve, corporate and private citizenry must also change.
We must be ready and able to look beyond our singular interests and invest
in the protection of our entire community. As we work to protect the common
good, the fast and the slow both become safer.