Ransomware: Emergent Threat or Opportunity?

The ransomware surge complicates the risk management picture, but it may also help bring priorities into focus.

If you’re responsible for risk management in federal computing, here’s a new thing to keep you awake at night: ransomware. Malware attacks that hold systems or data for ransom have increased exponentially in the past few years, affecting government agencies, hospitals, police departments, and businesses. A new kind of cyber attack is the last thing we need. We’re still struggling to keep data from falling into the wrong hands, and now attackers are accomplishing their ends simply by keeping our data out of our own hands.

But maybe this is what we need, or at least, it may not be all bad. My team had a conversation about ransomware recently with Brett Leatherman, FBI Assistant Section Chief for Cyber Security, and I came away with a different perspective. Ransomware is not a new, new thing: it’s more like a data breach on steroids. And ironically, ransomware may present an opportunity to educate our organizations about the threats we face and help us get the resources and commitment we need to shore up our defenses.

As serious as the long-term consequences may be, most data breaches don’t stop us in our tracks. We can maintain business as usual while we do forensics, analyze risks, and plan a response. But, as Brett Leatherman points out, “Once ransomware hits you, you don’t get a ‘do-over.’” Ransomware takes down operations hard and fast. Even if you pay the ransom, you’ll need to scrape and restore your systems to ensure the malware is gone. Earlier this year, TechNewsWorld reported that 72 percent of companies infected with ransomware couldn’t access their data for at least two days, 32 percent couldn’t access their data for five days or more, and the costs of downtime often exceed the cost of the ransom. (And you shouldn’t pay the ransom because, as Leatherman says, “Then you’re betting on the criminal’s integrity.”) The FBI also believes that ransomware attacks are underreported because organizations fear reputational damage. But if your hospital can’t treat patients, if your police department can’t take calls, or your agency can’t provide services, your reputation will be damaged whether or not your customers know the cause.

There’s a lot of denial going around about data breaches. Lots of organizations think it won’t happen to them because they’re too small or they’re below the radar—what Leatherman calls “security through obscurity.” In reality, studies show that smaller, often less well-defended organizations are prime targets for attackers. However, since most breaches go on for months before they’re discovered, there is no immediate pain to shake the sense of complacency.

In contrast, we have seen ransomware attacks serve as a wake-up call for better security because there are immediate, mission-threatening consequences, and Brett Leatherman says the FBI is seeing the same. After an attack, decision-makers from the board and C-suite on down are finally engaging in security. As security professionals, we need to seize this moment and make a strong business case for the resources and programs we need, laying out the costs of prevention versus costs of down time, third-party remediation, possible regulatory actions, reputational harm, and even potential litigation. Because ransomware hits everyone at every level, not only are you now more likely to get the resources you need, you should also be able to get everyone from executives to network defenders and physical security involved in defense and response planning for breaches of all kinds. And a good defense doesn’t have to be expensive. For example, Leatherman says there are a lot of robust free tools available to help track network behavior and find anomalies.

The bottom line is that if you experience a ransomware attack, your defenses have been breached, whether you call it a “data breach” or not. Ransomware gets in by the same routes as any other malware—mostly spear phishing and exploit kits, according to Leatherman—so an attack of data encryption proves that you are also vulnerable to one of data exfiltration. If you can combine that proof of risk with a persuasive business case for effective, affordable defense while the pain is fresh in everyone’s mind, the long-term results of a ransomware attack could actually be positive for your organization.