Solving the Ransomware Crisis

Ransomware attacks are trivial to execute, and the attackers face little, if any, risk and no penalties. For a victim, there are no good choices once the organization is hit by ransomware. You can ignore the ransom demand, restore your data from backups, and take your chances with the risk of data exposure. At the same time, the reality is that it doesn’t pay to pay: paying is no guarantee that you will get all of the data back in a usable state.

In addition, when you pay the ransom you are essentially funding these criminals who are acting as terrorists. The chances are that you are funding additional research and development of the next exploit or ransomware variant, so paying the ransom just makes the problem bigger.

Organizations that pay the ransom also risk putting a bullseye on their backs—making themselves attractive targets for future ransomware attacks because they have established that they’re willing to pay. The only good option is to avoid having your data stolen or encrypted in the first place, which is why it needs to be a global priority to solve this crisis.

The US government has created a Ransomware Task Force—which Cybereason has been invited to be a part of—composed of representatives from various government agencies and spanning the public and private sectors, to collaborate on addressing the ransomware dilemma. The Ransomware Task Force has three focus areas that can be summed up as Preparation, Disruption, and Response.

How can we make sure companies have the right defenses in place, do a better job of disrupting ransomware attacks and operations, and respond effectively when attacks occur? Our participation is focused primarily on disruption. I believe that when we all come together we will be able to really disrupt these criminal groups. 

Ransomware is big news this week after a DarkSide ransomware attack forced Colonial Pipeline to shut down operations. The pipeline supplies fuel to roughly half of the United States and a few major airports, so the loss—even for a few days—has had a significant impact and repercussions throughout the country. According to reports, Colonial Pipeline paid a ransom of nearly $5 million USD to DarkSide to obtain the decryption key and restore systems and get the pipeline flowing again as quickly as possible. Cybereason had reported on DarkSide and knew how we could help protect our customers against it.

While many have been focused on Colonial Pipeline, the city of Tulsa, Oklahoma also had to shut down several public services after getting hit with a ransomware attack this week. The point is that Colonial Pipeline is by no means the only victim. In the past couple months we have seen both Acer and Apple hit with $50 million ransomware demands—combined with the double-extortion threat of having their confidential intellectual property leaked or sold if the ransom is not paid. The Colonial Pipeline attack shows that critical infrastructure is at risk as well. And again, those are just the high-profile attacks that have made global headlines. 

We have hit a pivotal point in cybersecurity, and these attacks are a reflection of a much bigger issue. Ransomware is a growing threat that can halt productivity and cripple economic stability. These attacks are a serious threat that affects all governments, organizations, and individuals, and fighting against ransomware is going to take a team effort.

The Ransomware Task Force has developed an initial report of findings and recommendations. It is fairly comprehensive and is currently being translated into multiple languages and circulated more broadly with agencies and companies around the world for additional feedback.

The recommendations made by the Ransomware Task Force are very thorough. One issue the members of the Ransomware Task Force recognized is that we need to foster cooperation and sharing of information. A ton of work was invested to make sure there is no victim blaming and ensure there are no negative repercussions for victims to share and collaborate with law enforcement. The perspective of the Ransomware Task Force is that ransomware is a global issue, and that it will take a global coalition of governments and private companies to address the threat effectively.  

One of the core values we operate by at Cybereason is “Win as One.” Everyone has their own job to do, and they are working toward their own goals and objectives, but it is the combined efforts of everyone together that enable us to do great things and achieve our goals. It is a situation of one plus one equals three, or maybe four.

I am encouraged by the formation of the Ransomware Task Force because it embraces the concept of “Win as One” on a grand scale so we can work together to help defenders end ransomware. That same value is what we need on a national and global level as governments, law enforcement, cybersecurity vendors, universities, and cybersecurity professionals collaborate to find effective strategies to fight ransomware. 

We are just getting started. Ransomware attackers will continue to develop new and creative ways to exploit systems and extort ransoms, and it is going to take a significant effort to solve the ransomware crisis. Let’s flip the scenario and disrupt their operations. Let’s reverse the adversary advantage and empower defenders. We do need to work together to disrupt their operations. It is then that we can truly make a difference. I am confident that if we work together, we can find solutions and win as one. 

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
