In the midst of the ongoing fight against COVID-19, global governments and businesses face yet another viral threat—one from which no one is immune. Ransomware attacks have escalated over the last two years to the point that Interpol now considers them to be a worldwide pandemic. In an urgent call to action issued in mid-2021, Jürgen Stock, the Secretary General of the global security organization, said that fighting ransomware has become a task too large for any organization or industry to do alone. Without a global response, he said, nothing can curb the exponential growth of the ransomware crime spree.
In October, the White House’s National Security Council convened a global virtual cybersecurity summit, and the 30 participating nations committed to forming a NATO-like coalition focused on cyber defense. But the experts Toptal consulted say corporate leaders must engage in the battle against ransomware too.
“This has got to be more than just a bunch of governments and international organizations such as Interpol,” V.S. Subrahmanian, a world leader in cybersecurity research and counterterrorism, and a professor and faculty fellow at the Roberta Buffett Institute for Global Affairs at Northwestern University, tells Toptal Insights. Ransomware prevention has to “include major companies, and it has to include the people thinking about these things very deeply, such as independent or academic researchers.”
Ransomware attacks have escalated to the point that Interpol now considers them to be a worldwide pandemic.
Slowing the growth of the ransomware ecosystem and defending the global economy will protect companies both now and in the future. Even companies with gold-standard cybersecurity checklists in place are not immune to today’s ransomware menace. And corporate leaders who believe they can buy their way out of an attack may be disturbed to learn that only 8% of those who pay hackers get all of their data back.
“Right now attackers are constantly evolving their strategies to evade or overcome defenses, so this is a constant battle,” says Subrahmanian, who co-founded SentiMetrix, a data science and social analytics company that partners with US government agencies, Fortune 500 companies, and leading universities. “The number of attacks is going up and all enterprises are under threat.”
The Current State of Play
The sudden switch to remote work and increased dependence on cloud computing during 2020’s COVID-19 shutdown exposed weaknesses in many companies’ networks and created more points of entry for malware—malicious software programs that allow hackers to lock up an organization’s data, remove it from the company’s computers, and hold it hostage on external servers.
The total amount American organizations paid to ransomware attackers more than doubled between 2019 and June 2021, according to estimates from the US Treasury Department’s Financial Crimes Enforcement Network (FinCen). The average ransom payment demanded of each victim has also exploded, from just shy of $1 million dollars in 2019 to more than $5 million in 2020, according to Unit 42, a global threat research and malware analysis group owned by cybersecurity firm Palo Alto Networks.
In one of the most crippling attacks in recent history, hackers forced the shutdown of the supply of gasoline to much of the Eastern Seaboard of the US for five days in 2021, until Colonial Pipeline Co. paid $4.4 million in ransom. Around the same time, Chicago-based insurance giant CNA paid ransomware attackers $40 million, setting a new high-water mark for an individual attack.
In late 2021, global HR software solutions leader Ultimate Kronos Group was hit with an attack that left major employers scrambling to find alternative ways to pay their workers—two weeks before the Christmas holidays. The amount of ransom demanded hasn’t been made public, but it’s likely to be massive, considering that UKG reported earnings of $3.3 billion in 2021.
The exponential growth in the profits for criminals is attracting more opportunists from all over the globe. China is known to be a cybercrime hotspot; other active countries for hackers include Brazil, Poland, Iran, India, the United States, Russia, and the Ukraine.
Today’s Ransomware Attacks Are Increasingly Ruthless
Ransomware attacks used to follow a very simple procedure: “You would be attacked. Some of your files would be encrypted. You’d have to pay a ransom in Bitcoin in order to get those files back,” says Subrahmanian. These types of attacks began in the late 1980s, when computer viruses were distributed on floppy disks to unsuspecting victims who would have to send cash to anonymous P.O. boxes to unlock their computers. As global business moved online, so did the schemes.
Over the years, organizations realized that frequently backing up files to external hard drives or cloud servers neutralizes the threat of data lockdowns. “So what the ransomware threat actors did was to change their modus operandi,” Subrahmanian says. “When they carry out an attack, they don’t just encrypt your data. They also steal some of it.”
Leveraging stolen data, hackers now regularly employ up to four types of extortion during attacks. The first is encrypting the victim’s data and exfiltrating (removing) it to a server controlled by the cybercriminal. The second is threatening to publicly release the organization’s proprietary secrets or information that might injure the company’s reputation. A third type of extortion involves threatening a Denial of Service (DOS) attack, which shuts down an organization’s public-facing websites.
These are really aggressive cyberattacks and the people who carry them out have more power than nation-states. Austin Dimmer, DevSecOps expert
A new, fourth type of ransomware extortion—so-called “external extortion”—emerged in 2020 in a first-of-its-kind attack against a private company that runs 25 mental health clinics in Finland. Not only did attackers demand money so the company could regain access to its systems and avoid having its internal data published, the criminals also extorted tens of thousands of individual patients, threatening to publicly release their confidential therapist notes and treatment records if they didn’t pay an average of 200 euros each.
“These are really aggressive cyberattacks and the guys that have been carrying out these attacks, they have more power than nation-states now,” Austin Dimmer tells Toptal Insights. An expert in DevSecOps (development, security, and operations) who has built and managed secure networks for the European Commission, Lego, and Publicis Worldwide, Dimmer has seen his share of cybercriminals’ work. “They are just remorseless and show no mercy.”
A Complex Network Makes Attackers Hard to Catch
The decentralized and complex nature of the ransomware marketplace makes apprehending attackers incredibly difficult. The web of people who perpetrate a single attack goes far beyond one malicious software developer who creates the malware. Developers rarely carry out attacks themselves. Rather, they dump their wares onto the dark web for purchase or rent. At that point, distributors contract with the developers for the right to deploy the software and carry out attacks.
Then, once a ransom is paid, a network of cryptocurrency money launderers steps up, scrubbing the funds and distributing the profits back to the developer(s), distributor(s), and other actors.
Even when ransomware attackers are found and apprehended, monetary restitution for victims is generally minimal. In the Colonial Pipeline case, for example, the FBI was only able to trace cryptocurrency transactions to recoup about half of the $4.4 million in ransom paid.
Predicting and Preventing Future Attacks
With little hope of tracking down criminals and ransom funds after a ransomware attack is completed, Subrahmanian is focused on prediction and prevention. He and his team at Northwestern are currently developing a predictive system that can anticipate the type and timing of future ransomware attacks before data is compromised.
His software uses artificial intelligence to track communications and trends on the dark web and social media to identify new malware being developed and to note when it is being promoted to potential distributors.
Subrahmanian aims to pinpoint not just when but also how hackers will try to infiltrate systems. His initial findings showed that of the thousands of possible vulnerabilities that are identified in security checklists and by consultants, hackers only target 9.3% of the weaknesses. This means that organizations may be wasting 90% of their IT security efforts on the wrong protections.
Although it is nearly impossible to anticipate the actions of anonymous hacking groups and individuals who are spread out globally, monitoring the aggregate communications flagged for connections to cybercrime can be indicative of growing areas of threat. Like watching the flow of financial markets to predict trends, Subrahmanian hopes that observing the broad market of ransomware activity will help researchers recognize emerging malware and its potential targets so organizations can take proactive steps.
Innovative Ways the Private Sector Can Help Fight Cybercrime
Without the kind of reliable forecasting that Subrahmanian’s team is trying to create, the front lines are still a harrowing place for organizations to operate. But these four strategies may help company leaders fight back right now:
Reduce Profits for Ransomware Attackers
If ransomware attacks continue to deliver huge paydays to cybercriminals, Dimmer believes that most government and law enforcement efforts are doomed to fail. There’s simply too much opportunity for profit, he reasons, especially considering that other such economic opportunities may not exist in some of the countries where hackers are based.
To weaken this economic driver, companies should consider adopting internal rules against paying ransoms and support legislation that would make paying ransom illegal, say Subrahmanian and Ismael Peinado, Toptal’s Chief Technology Officer. “Just think about why we’re having these attacks. Because attackers are getting the money. And why is it getting worse? Because they keep getting the money,” says Peinado. “Why don’t we pay ransom to people who go into banks and take hostages? For the same reason.”
It may sound controversial to criminalize actions taken by ransomware victims, but Subrahmanian notes that companies that pay cybercriminals to rescue their data may already be breaking international law if the attackers are from countries with international sanctions against them or are affiliated with organizations that sponsor terrorism. A report on cryptocurrency payments to hackers that tracked the destination countries of cryptocurrency payments for ransomware showed that at least 15% of payments ended up in the hands of banned entities, in violation of international laws.
What’s more, paying doesn’t guarantee that hackers will hold up their end of the bargain. According to a recent survey of more than 5,000 IT leaders around the world by the cybersecurity firm Sophos, organizations that paid up got an average of just 65% of their data back. Only 8% of victims were able to recover all of their files.
Focus on SecOps Instead of Checklists and External Audits
Technology leaders trying to protect their companies often employ security best practices checklists, invest in the latest security software, and hire expensive security auditors to test network vulnerabilities. Unfortunately, Peinado—a global cybersecurity leader with 20 years of experience working with government organizations, startups, and large, high-growth companies—says that is the wrong approach.
Chasing after checklists and certifications and focusing on simple regulatory compliance can devour an institution’s IT resources while creating a false sense of security among corporate leadership. With the additional points of entry to systems and the reliance on cloud computing, gaining access to networks is no longer as difficult as it once was, he says. Yet security firms still spend countless hours checking for vulnerabilities in networks that might never be a target of hackers. “At the end of the day, they lose focus of what real hackers do, which is that if you secure one way into your house, they just find another way to break in,” he says.
Instead, Peinado recommends that technology leaders integrate security directly into engineering operations and do away with the constant cycle of testing and patching. These types of security operations, referred to as DevSecOps or SecOps, integrate security directly into a company’s software development operations and foster an environment of nimble responses to new threats, he says.
For example, when a new function or feature of a company’s website is built and launched publicly, a new set of vulnerabilities for hackers emerges. In a traditional work cycle, developers would create the functions of the new website in a silo and then submit them for testing by internal (and sometimes external) security experts. Security would then be patched and laid over vulnerabilities found after the fact.
In a SecOps environment, the engineers and developers building the site or functionality sit alongside a security engineer to ensure the proper level of security is integrated as the product is developed. This integrated approach makes SecOps developers more aware and accountable in a way that is simply not possible in more traditional procedures, says Peinado.
Leverage Contingent Cybersecurity Talent
Dimmer, who works with clients as part of Toptal’s developer talent network, says he receives mixed reactions when trying to introduce the SecOps point of view into clients’ processes, often because of skill gaps on internal IT teams—systems get more difficult to use as you make them more secure. Success means not just having the right systems in place, but also having the trained personnel to use them, he says.
Staffing high-value tech roles such as security engineers continues to be a pain point for companies. Nearly 1 in 10 organizations surveyed for a State of Security Operations report by TechBeacon said a lack of skilled talent was the No. 1 cybersecurity challenge in 2021—and nearly 30% said it was among their top three obstacles.
Premier tech talent can be hired through contingent networks, such as Toptal, to help fill those gaps. In-the-trenches developers and tech leaders like Dimmer have been in high demand for decades but are even more so now due to a massive shortage of cybersecurity workers. The Information Systems Security Association estimated a gap of 4 million professionals in the industry in 2019, and its survey of IT leaders in 2021 found that the gap has since widened.
Some corporate leaders may be hesitant to use outside talent for the most sensitive security projects, such as including freelancers in the trenches of SecOps. But outsourcing some portion of security operations to external talent is, in fact, already the norm: More than half of organizations surveyed by TechBeacon reported that they use a combination of in-house and external resources to tackle their cybersecurity functions.
The Future of Fighting Cybercrime
So far, Subrahmanian’s early-warning AI software has proven to be 70% effective at predicting ransomware attacks in experimental models, he says. If testing continues to go well, he hopes to publish forecasts for real-world attacks beginning in mid-2022.
His research also focuses on the gap between when vulnerabilities in software are identified and when software patches and security updates are widely available to the public. Initial findings from this research reveal that nearly half of malware attacks take place during this period, which, on average, lasts about 132 days. This extended period of vulnerability makes his pursuit of an effective predictive model even more critical to stopping hackers at the onset of new threats.
In the meantime, Big Tech is stepping up. Google has committed to spending $10 billion over the next five years to help secure the software supply chain and expand the use of zero-trust systems, security frameworks that require all internal and external users to be authenticated continuously. Microsoft is offering $150 million in technical services to help local governments in the US upgrade their defenses. And Amazon has pledged to start offering the same security awareness training it gives its employees to the public and make two-step authentication free for all Amazon Web Services (AWS) clients.
Fighting ransomware as an ever-evolving threat will take a global village, says Subrahmanian, and companies—big and small—have to be part of it.