Ransomware is the software phenomenon that has come to define the bleakness of our age. Where previous forms of malware – viruses, remote access Trojans, spyware – were seen as alien forms that had to be kept out at all costs, ransomware seems gradually to be overturning the belief that defence is even possible.
Symptomatic of this is the pragmatic way many businesses roll over and accept it as a sort of ‘gotcha’, an overhead to be managed like any other. Ransoms are being paid, a once unthinkable capitulation that is fast becoming normal in some business sectors.
Ransomware should be a huge opportunity for companies selling defence, but it’s not always turning out that way. Many companies must confront cynicism that their products even work, while others have found the strain of innovating to keep up with ransomware creators difficult to cope with. For the cybersecurity sector, ransomware is as likely as anything to sort the winners from the losers.
One company that refuses to throw in the towel is Imperva. Founded in Israel in 2002 by noted Israeli tech figures Shlomo Kramer (of Check Point fame), Amichai Shulman and Mickey Boodaei (co-founder of Trusteer), the company has not let relocating its HQ to the US dim its pugnacious enthusiasm for the fight.
Its new EMEA regional vice president is Spencer Young, appointed last June to head Imperva’s determined push beyond the US. After a career that has taken in director and sales roles at Verity, IBM, Xerox, Coverity and, most recently, systems management outfit Kaseya, with Imperva he’s landed smack in the middle of a sector being driven by all-out technological war.
Months on, his enthusiasm seems undimmed by selling Imperva’s expanding product range to fix the decidedly odd security problem of stopping professional criminals from earning a living.
“The thing that’s impressed me the most is the tightness we have with our customers,” says Spencer. “It is a phenomenally logical company. It’s met every expectation I’ve had.”
Once best known for its expertise in web application firewalls, the company now offers a suite of products and services, including breach prevention, database, cloud and file security and, through its Incapsula wing, DDoS mitigation.
Ransomware represents yet another front and the perfect job for SecureSphere File Firewall, a real-time product designed to monitor how devices or users are accessing data. As part of the company’s larger file auditing and permissions architecture, this can be set to trigger should access exceed thresholds of the sort ransomware would easily breach. Unusual access can quickly be blocked.
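The threshold-triggered monitoring described above can be illustrated with a small sliding-window detector. This is an added example, not Imperva's or SecureSphere's code; the log format (timestamp, user, operation, path) and the sample events are constructed, and the threshold and window are assumed values a defender would tune to their own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse a constructed 'ISO-timestamp user OP path' audit line into a dict."""
    ts, user, op, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op, "path": path}


def detect_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {user: first_alert_time} for users whose WRITE/RENAME count in any
    sliding window exceeds the threshold. Lines must be in time order."""
    recent = defaultdict(deque)  # user -> timestamps of recent modifying ops
    flagged = {}
    for ev in map(parse_line, lines):
        if ev["op"] not in ("WRITE", "RENAME"):
            continue  # reads alone do not indicate encryption in progress
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop events that have fallen out of the window
        if len(q) > threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = ev["ts"]  # point at which access would be blocked
    return flagged


def sample_log():
    """Constructed events: alice edits five files over ten minutes (normal);
    bob renames forty files in forty seconds (ransomware-like burst)."""
    base = datetime(2017, 1, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=2 * i)).isoformat()} alice WRITE "
             f"/srv/share/finance/report{i}.xlsx" for i in range(5)]
    lines += [f"{(base + timedelta(minutes=12, seconds=i)).isoformat()} bob RENAME "
              f"/srv/share/hr/doc{i}.docx" for i in range(40)]
    return lines


if __name__ == "__main__":
    for user, ts in detect_bursts(sample_log()).items():
        print(f"ALERT {ts.isoformat()} {user}: modification rate over threshold, block access")
```

In production the threshold would be derived from each user's normal rate, and renames that change a file's extension would be weighted more heavily than ordinary writes.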
It’s a capability that many organisations still lack to this day despite the evidence that it should now be part of mainstream data asset protection. But in ransomware, Young spies something that seems to be restructuring the criminal economy, usurping even the commercial value of data itself.
“It appears in some cases, like the recent MongoDB attack, that the criminals here have decided that there is more money to be made by extortion than through the sale of the data on the dark web.
“But then again, even if a company pays the ransom, there is no guarantee that the hackers won’t also try to monetize the data.”
For a while, the damage being done by ransomware happened invisibly, out of sight. When incidents came to light, they were viewed as cautionary tales that shamed naively-defended organisations, usually small businesses.
As ransomware surged around 2015, it started to dawn on people that any organisation could fall into its clutches, no matter how big. What differed was their ability to react, recover and learn the hard lessons needed to reduce the risk of a follow-up. As figures start to trickle in, Osterman Research reckons that almost 40 percent of businesses were hit by ransomware in 2015, a figure that will have risen substantially since then.
If the criminals are enjoying boom times – helped by the increasing normalisation of paying ransoms for operational reasons – the defenders have been left wondering what to do. Is this the new normal?
“The more companies that pay, the more money cybercriminals stand to make. Paying the ransom will also make your organisation a greater target for ransomware as threat actors will know you have shown willingness to pay in the past,” says Young.
“Whether paying a ransom is legal or illegal, it’s not likely to stop payments and ransomware. What needs to happen is for companies to take steps to prevent ransomware in the first place.”
On top of that, hidden costs should be factored in, such as downtime, loss of productivity and organisational disruption while the source of an infection is hunted down.
In his view, paying up can end up as a rationalisation for weakness and a failure to understand ransomware as an operational as well as a security problem. According to Young, ransomware isn’t an inevitable, supernatural force and must be resisted.
Ultimately, it falls to security professionals to do something. Key to this is accepting that some attacks will get through, but that these can be contained as part of a long-term strategy to deny ransomware a foothold.
“A lot of security teams are worried about getting so many alerts. They really struggle with prioritising what’s real and what’s not. The first thing it’s forcing them to do is work out where the data is.”
Ransomware is just the latest security threat to crest corporate defences, suggests Young, after a decade of attacks culminating in advanced persistent threats and targeted malware. The danger here is of overload and disorientation, and in seeing this new threat as a simple extension of what happened in the past.
“There are so many products and service providers and they don’t have time to evaluate the solution. CISOs get annoyed when they meet vendors who claim to solve every single problem out there.”
What is clear is that defenders should not see ransomware as a form of malware that will simply fall out of fashion. With profits and ransom payments still rising, payment channels largely unpoliced, and a global environment short on political co-operation, it will continue to evolve and spread, and eventually start launching larger and more co-ordinated attacks on corporate targets.
“The key criterion CISOs need to meet here is to be pre-emptive by automating detection of ransomware, then isolating the threat. The added benefit of being able to isolate the attack also saves huge costs through reducing downtime to systems and networks.”