Interview with Richard Stiennon on Ransomware Patterns in 2020... So Far
by Chuck Harold
The renowned author of Security Yearbook 2020, Richard Stiennon, made a short stop with Chuck Harold to talk about ransomware attacks, their root causes, and the patterns emerging during the Covid-19 pandemic. We hope you will find it useful. This talk makes a case for enterprise IT to explore a Zero Trust Isolation solution with Airgap (airgap.io). Let us know what you think of the chat.
You know, we’re going to talk about ransomware today. And haven’t we seen a sudden rise in this post-COVID? Or during COVID, I suppose… What is going on with that? Why are the ransomware attacks going up?
Well, first of all, you’ve got to realize that ransomware has this underlying driver, right? It’s a great profit machine for cyber criminals. So they take advantage of things that people are likely to respond to, like political discourse or news, a hurricane, any disaster, and COVID, of course, is the biggest disaster of the internet age. And so people are more likely to click on the types of phishing attacks that ransomware usually comes through, so a link in an email, a link on Twitter, it doesn’t matter.
They just want you to click on something so that they can take advantage of the probably misconfigured and vulnerable device that you’re reading your messages on, get a foothold on you, and possibly on your corporate network.
I see. I would have thought, with people sitting at home with less to do in one way, right, they would have been more savvy about these things. But I guess it is the perfect convergence for ransomware attacks. Now, tell us a typical pattern. We have the phishing, we have the initial email, but there’s more of a pattern behind all this and how they do this. Explain that to us.
Yeah, ransomware attacks are kind of a combination of a lot of tools put in place at once. There’s the initial infection that’s going to get on your machine, typically. And then, unfortunately, even though people are working from home, they’re still connected to the corporate network via a VPN. So from there, typically, when somebody is on the corporate network, they have, you know, unrestrained access to everything on the corporate network. So any worm-like capability inside on your machine can propagate the ransomware. Because the key to a successful ransomware attack is to get everything, right, get as many desktops, laptops and servers as possible, so they can encrypt all the files on them before they deliver their message of essentially extortion, right: pay us the ransom, we’ll give you the keys, and you can decrypt your information.
So why aren’t the current security solutions sufficient to defend enterprises against ransomware?
Well, I would argue that the companies that have, you know, experienced breaches in the past and have sophisticated security teams that have deployed lots of technologies aren’t getting hit by ransomware.
Or a zero day, if they actually are going to expend a zero-day exploit against these machines. And even if one machine gets infected, it shouldn’t be able to infect all the other machines on the network. So, and that’s why we see so many successful ransomware attacks, you know, outside the mainstream of financial services companies. So, you know, even credit bureaus, etc., don’t have the most sophisticated controls and security in place, but for sure state and local governments, school districts, those are the ones that are getting hit the hardest.
All these are excuses that are no longer any good, right? You can’t just say we’re vulnerable and we can’t afford to protect ourselves, because they’ve just either had a disastrous ransomware attack or paid a disastrous amount of money in order to get their data back. You kind of have to blame the victim. But on top of that, now there are even better solutions coming into place. It’s called zero trust networking, or zero-trust network access, or ZTNA.
Focus on the Infection Propagation, Not so much on the “First Victim”
If you’ve got 10,000 employees, it’s fine to deal with one employee that clicked on the wrong thing. You know, for some reason their machine wasn’t updated or patched, or didn’t have security software running on it. It’s just one instance, right? You’re not going to pay millions of dollars in ransom to get that data back.
But the final layer, now I’m talking about layered defense, and ransomware just cuts through all the layers. The final layer is your disaster recovery system. And you’re telling the world, whenever you admit to a breach through ransomware, that you actually can’t recover a machine that’s been encrypted. It should be a push of the button. And you should test that regularly; every month, you should be testing to see if you could recover a machine to its most recent state. Backup and recovery predates the internet. And we all know machines are not 100% reliable. And you’re going to have instances where the machine crashes, the disk is corrupted, and you don’t have your data; it’s the same end result as getting infected with ransomware. So you should be able to back it up.
Just in the last few weeks, we’ve had attacks on Tyler Technologies, 911 emergency services getting breached by ransomware attacks. Would these be examples of, you know, poorly maintained systems? If you’re running a 911 and not making sure that’s the most secure stuff, that’s really wrong here.
About 10 years ago, you didn’t see these types of attacks. They weren’t rampant. And it’s not like the attackers said, “I found a 911 service that is vulnerable.” It’s that the attackers are spewing activities everywhere. So you’re gonna get exposed to them. It’s background radiation. And occasionally a particular service or group gets infected, and it spreads throughout everybody, and all of a sudden services are down because the actual servers that provide it are encrypted and they stop working.
So despite all these plans, the attacks are happening. Sometimes, mostly, it’s human error. But in the moment, let’s say you’re not really protected, how should enterprises and CISOs respond when under attack? It’s almost really not possible to shut off all your endpoints. I just don’t know how they’re gonna handle this if you’re being attacked.
Check out the Airgap Ransomware Kill Switch blog by Airgap CEO Ritesh Agrawal.
You Are Not Alone
Yeah, if you’re, I mean, if you recognize that you’re in an attack, you should, for instance, shut off your VPN concentrators. So post-COVID, everybody’s working from home. Most companies just ramped up their investment in these big pieces of hardware on the corporate network. So those are just open doors to a now huge attack surface, which is all of your employees working from home on insecure Wi-Fi, you know, where the neighbors can attack them, where the kids are doing things insecurely on the same Wi-Fi network, and you’re just opening up your network to all these dirty systems. So shut it down if you recognize an attack is ongoing. Unfortunately, usually they don’t; most of these organizations haven’t deployed the technology to recognize attacks when they’re going on.
They’re the ones that you see in the reports. The average dwell time for an attacker on a network is 170 days or something. The ones that can’t see that they are under attack are the ones that also fall victim to ransomware.
So everything is Internet of Things. IoT devices are everywhere. It makes us more vulnerable, I get that. But what’s the best way to protect against, you know, IoT devices? I’m really worried one day I’m gonna wake up and my refrigerator’s gonna kind of own my network, because nobody puts a password on a refrigerator, right?
Security Agents Cannot Be Installed on Those IoT Devices
I am tracking 117 IoT security vendors. And they fall into all the same categories that we had for traditional IT. So there’s network behavior analysis, there’s patching, configuration management, firewalls that would be embedded in an IoT device that was more expensive, like a medical device or a car. But all these tiny sensors deployed in your house and your plant floors can’t handle that level of agent that would reside on them; you can’t install it.
So you have to, you know, airgap those from the rest of the network. Probably the most promising technology I see coming forward is the adoption of zero trust networking, which, you know, puts a middle layer, but it’s cloud based, between all of your IoT devices and the rest of your network and anywhere else.
Disclaimer: The text body above is adapted from the video interview. Refer to the video for the complete conversation and for accuracy.