Why the security industry can't fix the ransomware problem
Ransomware is one of the most pressing cybersecurity problems, but there's no high-tech fix.
Ransomware has grown into one of the biggest cybersecurity threats facing organizations, but the security industry might only be able to do so much to help. At the RSA security conference in San Francisco this week, the Department of Homeland Security's top cybersecurity official Christopher Krebs called it "the scourge of the Internet," and CrowdStrike co-founder Dmitri Alperovitch dubbed 2019 "the year of ransomware."
But people who came hoping to learn about some high-tech fix for one of cybersecurity's fastest-growing problems are going to be disappointed. Almost none of the conference's hundreds of panels focuses on ransomware, which locks up data and devices until victims pay a demand, typically in bitcoin. Firms that claimed to have sophisticated technology to counter the problem have been exposed for simply paying the ransom demand.
That's because one of the biggest cybersecurity threats pummeling organizations happens to have a pretty boring solution.
Brett Arsenault, Microsoft's chief information security officer, said that it's not a mystery how to protect an organization from ransomware. The first step is not letting it in, which can be accomplished through basic measures such as regularly patching your systems and teaching employees not to fall for phishing emails, he said. The second step is to have backups in place to restore your systems in case they are infected.
"People still underestimate and undervalue the pedestrian part of this job," he said. "Hygiene is still key. I see people spending all this money on widgets that are akin to having a massively awesome alarm system on the front of your house, but it means nothing if you leave your back door open all the time."
Out of more than 500 panels being held throughout the week at the RSA security conference in San Francisco, only one on the agenda was explicitly focused on ransomware (a second, about the city of Atlanta's ransomware recovery efforts, was canceled). The panel, sponsored by network security firm SonicWall, was in a packed 70-seat makeshift briefing room on the expo floor, with dozens of people sitting on the ground. SonicWall Senior Product Marketing Manager Brook Chelmo spent the 30-minute talk sharing insights from his conversations with two ransomware attackers. Their advice to companies trying to protect themselves: Use proper passwords, enable multifactor authentication, hire good cybersecurity employees, and watch out for misconfigured firewalls.
In other words, to protect yourself from one of the most dangerous threats, you have to cover the basics.
That explains why so many ransomware victims have been municipal governments, school districts and hospitals, said Ryan Lasalle, North America lead at Accenture Security. These organizations often lack the budget and personnel to keep computer networks up-to-date and protected. In many cases, these organizations don't have a trained employee dedicated to cybersecurity.
That's not to say that large, savvy organizations don't need to think about ransomware. The threat is particularly serious because of the massive damage it can cause, both in terms of financial losses and safety risks, Lasalle said. One manufacturer that Accenture works with has determined that a ransomware attack would cost them $1 million an hour in lost revenue, he said. "Even if you're a Fortune 500 company, you don't want to be losing $25 million a day," he said.
But for organizations that have the basics covered, there's little else they can do besides plan for the worst-case scenario. The questions then become: Do you pay the demand or ignore it? Do you buy cyber insurance to help cover the costs?
Arsenault said his team at Microsoft went so far as to consider if they should stockpile bitcoin, the preferred ransom currency of attackers. "A thought was should we buy a bunch of bitcoin now, because if we had to pay a ransom in the future, the price of bitcoin is going up. We thought about it and talked to our CFO, and she was like … 'No. You should make sure we have a process and know how to do it and invoke it at the time, but we're not going to hedge,'" he said.