Is Ransomware Really Dead? If So, What’s Next?


July 23, 2018
A lot of experts are saying that Ransomware attacks are now on the decline. IBM, F-Secure, and ISACA all claim it’s time to hoist our drinks in the air and celebrate Ransomware’s demise.

But is that the case? Is Ransomware genuinely dead and buried? And if it is, what comes next? I reached out to our partners at Cybereason for a better idea of Ransomware’s current status.

Ross Rustici, Cybereason’s Senior Director for Intelligence Services, was kind enough to take the time to clear things up for me. Rustici said IBM, F-Secure, and ISACA aren’t wrong: Ransomware usage is declining, but it’s too soon to celebrate its demise entirely.

“I think overall, Ransomware as a category, is falling back to the pack,” Rustici said. “It isn’t the go-to for every cybercriminal anymore because it is less successful over time, but to say Ransomware is dead is an overstatement. It’s just simply no longer the front-runner.”

But why is that? Rustici said the security industry (i.e., companies like Cybereason, Cylance, and others) came together to collectively tackle the problem head-on by releasing free tools and software that people could utilize successfully.

“It was the first time the industry came together and fought the common good. Irrespective of profit margins,” Rustici said. “There was a lot of cooperation across companies that typically doesn’t happen.”

But it didn’t eliminate the problem. Ransomware is still painful for those infected or those who will be in the future. Ultimately it’s made Ransomware attacks more targeted. Ransomware attacks have become more about quality than quantity.

“Ransomware attacks are more targeted in who you try and make the victim,” he said. “There’s more planning involved in making a Ransomware attack successful.”

So who’s still vulnerable? Rustici said three industries are at the top of the list:

  • Municipalities
  • Healthcare
  • Manufacturing

“The vast majority of cybercriminals are going after the lowest hanging fruit,” he said. “These are people and organizations that have huge networks and data that’s very important to them but insufficient IT budgets.”

Entire municipalities, like the City of Atlanta, were taken offline last year after Ransomware attacks.

“You had Atlanta, you had the attack on the BART in San Francisco,” Rustici said. “Those are only a couple of examples.”

Overall, the Ransomware attack that hit the City of Atlanta will have cost taxpayers there up to $12 million when all is said and done. The attack on San Francisco’s transit system resulted in $50,000 worth of free fares issued to subway riders.

On the healthcare side of things, Rustici mentioned the WannaCry attack that brought down large parts of the United Kingdom’s National Health Service (NHS). While the attack only cost around £180,000, it illustrated a more significant problem.

“Most of the machines infected there were still running Windows XP, and they hadn’t been updated in years,” he said.

However, the negligence can’t be blamed entirely on small IT budgets. Rustici said that a lot of the time people forget to treat these computers like computers and instead treat them as parts of a larger machine. It’s not that software updates are considered and rejected; it’s that they’re forgotten entirely.

“You’ve got all this specialized medical equipment, that mostly gets shipped with the software in it and then it’s very rare that it ever gets updated and almost never gets a security update,” Rustici said.

The same goes for the manufacturing industry.

“Manufacturing is the same way. When you buy those assembly lines, when you buy those computers, they’re connected to things,” Rustici said. “They allow you to do things like quality control and quality assurance, but they don’t get patched because people see them (the computers) as parts of a machine. They’re especially susceptible to these types of attacks because it’s a blind spot from an InfoSec or IT perspective.”

So what’s next? What’s the next looming threat on the horizon?

Rustici said he isn’t sure and that only time will tell. That said, there are still things out there in the wild that shouldn’t be ignored.

“I think that Cryptominers are a big thing. We started seeing them a lot in the tail end of 2017,” Rustici said. “It’s continued to expand in the first half of 2018, but I don’t think it’s going to last.

“When I’m personally looking at the data, I think it’s a blip, and it’s ultimately going to be a short run. That’s mostly in part to the volatility of the cryptocurrency market itself. At some point, it’s not going to be profitable to mine this stuff and not generating this much currency for them, so they’re going to take the same resources that they’re currently expanding on dropping the crypto miner and start trying to steal banking account details. They’ll do something that has a higher potential for return.”

Rustici said, ultimately, the cybersecurity threat landscape seems to be cyclical.

“It’s got a 4 to 5-year cyclical pattern,” Rustici said. “Worms came back. They were huge in the late 90s, and they petered off, but 2017 was the year of the resurgent worm because of the exploits that were released.”

As to why the cybersecurity industry is so cyclical, Rustici believes it’s because of the sheer amount of turnover in the infosec world and how young its workforce is.

“Older hackers like to go retro to confuse the new kids,” Rustici said. “Old stuff gets thrown against networks.

“The older, seasoned guys tend to be far sparser in the security industry because either they’ve graduated up to CISOs and they’re not hands on keyboards anymore, or they’ve moved out of the industry altogether.

“Those guys will laugh because it’s something they were dealing with when they were young and fresh and the new kids they’re training or in charge of never even considered this as an intrusion vector before.

“Word Macros are an excellent example of this that was resurgent last year. Most of the people who are manning SOCs started really in security after Microsoft disabled macros by default, so they were confused because they didn’t know what a Macro is or what it did or why it was important.”

Beyond that, the next significant threat to the cybersecurity landscape is yet to be seen.

“Nobody knows because the cybercriminals haven’t figured it out themselves yet,” Rustici said. “We won’t know until they do.”

Carl Keyser is the Content Manager at Integris.
