According to an NPR report, the U.S. suffered from roughly 65,000 ransomware attacks last year — most recently and notably the Colonial Pipeline, which temporarily shut down oil production on the East Coast. Casey Cegielski, the J.W. Woodrow Sr. Professor in Systems and Technology in Auburn University’s Harbert College of Business, discusses the nation’s recent surge in ransomware.
How does ransomware differentiate itself or function compared to other modes of cybersecurity issues?
Ransomware events are portrayed as nefarious, dark web assaults by rogue hacker groups. That’s not always an accurate picture. Roughly 90% of all corporate ransomware events can be considered to be self-inflicted. That is, end-users typically click on a link in a phishing email. It’s frequently that simple. Most companies are not eager to disclose this fact because it could make their employees look like contributors to the damage.
The key point here is that it is of critical importance to educate end-users and help them to understand the importance of following the organization’s information security policy. Having employees follow the information security policy is a significant contributor to helping an organization avoid a ransomware attack.
Who is most vulnerable and what are the most common attacks/threats?
Beyond having employees follow their organization’s security policy, it’s also important to note that in most cases a single entity or organization is not the intended target of an attack. Ransomware phishing emails are mass distributions that are sent out to hundreds of thousands of email addresses. To acquire a list of 100,000 email addresses is relatively easy and inexpensive. From there, one would create an official-looking email to send with a disguised link.
Organizations trying to avoid ransomware attacks will frequently conduct ransomware phishing tests to verify compliance with their information security policy. For example, a realistic-looking, but fake email pretending to be from Amazon might be sufficient to elicit a response that could trigger a ransomware attack. The email might begin by getting the attention of the reader by conveying that, “Your scheduled package delivery has been delayed.” The email might then ask the reader to click the link below to “see your new scheduled delivery date.” Once the reader clicks on the link, that can initiate the ransomware attack and make the organization vulnerable. That type of phishing email works really well with frequent online buyers and is especially effective around the holidays. You’d be shocked how many employees might respond to that type of phishing email.
How should organizations/individuals best protect themselves against ransomware?
There is no information system that is totally immune to being compromised by an attack. All systems have vulnerabilities that can be exploited. Active testing, persistent monitoring and ongoing remediation are all generally accepted practices that help reduce the likelihood of occurrence.
The threat landscape is in constant flux and thus, organizations must continue to actively monitor their exposures. Beyond user training and education, it’s important to ensure that email applications are properly configured. There should at the very least be a current and almost continually updated list for source IP addresses that are not verified as legitimate business associates.
It is also important to realize that not every ransomware event is initiated by a phishing attack. It is important to know that there are also server-side vulnerabilities that need to be addressed. Interestingly, though, those types of server-side events make up a relatively small percentage of the total number of ransomware-type events. Suffice to say, the biggest bang for the buck in terms of preventing a ransomware attack is typically end-user education and training.
What do organizations stand to lose from these attacks? Money? Control of their digital infrastructure?
Those things plus potentially everything in between. Damage can be localized to a single workstation and the resident data stored on that workstation all the way to a partial or total loss of functionality of critical systems that support entire business processes. The damage is determined, in many cases, by the extent of propagation for the ransomware through the infrastructure. Oftentimes, drives are being encrypted, rendering the data and applications on them inaccessible. Without the correct key to decrypt the drive, the device that has been attacked effectively becomes a really expensive paperweight that is no longer useful for its intended purpose.
In the wake of the Colonial Pipeline cyberattack, do you suspect that other major networks that control our infrastructure could be at risk?
Absolutely. Most companies, even those under the umbrella of critical infrastructure, don’t do an effective or foolproof job of policy enforcement through implementation of technical internal controls.
How can the FBI recover Bitcoin, which was used in the Colonial Pipeline ransom?
Some form of cryptocurrency recovery has been reported in the media but we don’t know all of the details. While there is a way to track the movement of crypto coins through the registers, the Department of Justice seems to have done this recovery process in part through the use of subpoenas. What’s missing in the story the media is telling is the intricate details behind the recovered cryptocurrency. We simply don’t have a complete picture of the cryptocurrency recovery process.
Casey Cegielski is the J.W. Woodrow Sr. Professor in Systems and Technology in Auburn University’s Harbert College of Business. He teaches introduction to information security, systems risk analysis and information technology auditing. In 2006, with support from KPMG LLP, Cegielski developed the nation’s first interdisciplinary cybersecurity and information assurance program in a college of business.