Former Head of GCHQ Highlights Need for Getting Basics Right, Plus Government Action
One of the unfortunate success stories of the coronavirus era has been ransomware, as evidenced by its ability to dominate headlines during a pandemic. Credit criminals’ ability to find innovative new ways to extort victims, develop technically and sidestep skills shortages by delivering ransomware as a service – plus too many potential targets still failing to get the basics right.
So said Robert Hannigan, the former head of U.K. intelligence agency GCHQ, in his opening keynote speech Tuesday for the annual Infosecurity Europe conference. Due to take place in-person in London, this year’s conference was instead delivered virtually “due to the U.K. government’s restrictions,” organizers say, as Britain – like many other nations – has recorded a surge in COVID-19 infections attributed to the delta variant.
Expect ransomware to remain a chief threat – and concern – for at least the next few years because of criminals’ proven ability to keep refining their approach, said Hannigan, who served as GCHQ’s director from 2014 to 2017, during which time he established the U.K.’s National Cyber Security Center.
Take the May attack against Colonial Pipeline Co., which was tied to the DarkSide ransomware-as-a-service operation. In the RaaS business model, affiliates take the operator’s crypto-locking code and use it to infect victims, and that has helped attackers disrupt larger targets and demand bigger ransoms. In Colonial Pipeline’s case, it paid attackers $4.4 million in bitcoins, although unusually, the FBI was able to recover some of that payoff.
The Colonial Pipeline hit is “a great example of the development of that business model,” showing how criminals have “cracked the skills issue – you don’t need to be brilliant anymore to mount a quite sophisticated cyberattack; you can buy it as a service,” said Hannigan, who’s now chairman of New York-based cybersecurity services firm BlueVoyant International.
Criminal groups’ refined business models and extortion tactics have also helped drive the massive increase in ransom amounts many ransomware-wielding criminals now demand. “For example, the double extortion approach of stealing data as well as freezing systems, so that even if you’ve done the right thing and backed up, there’s still a threat of blackmail and exposure of data – that’s a new development,” Hannigan said. “But I think on the technical side, there have been some really, in some ways, impressive developments in the kind of ransomware being delivered, especially against the manufacturing and industrial sectors.”
One example: how Honda got hit last year by attackers. “They came in through the corporate system, as we understand, but ended up disabling operational technology, and I think that’s interesting because criminals have realized that by going after OT, by going after manufacturing, that they are hitting a sector that really can’t afford to stop operating, and needs to pay up to keep going,” he said.
Defenders: Get the Basics Right
What can be done to better blunt ransomware attacks? From a defender’s standpoint, “getting the basics right is still where I think the industry needs to be,” Hannigan said (see: Solve Old Security Problems First).
In particular, he cited poor password management and a failure to patch known vulnerabilities in a timely enough manner as major concerns, together with inadequate uptake of multifactor authentication.
What may help, he said, will be not just upskilling security professionals, but also more outsourcing, including a greater reliance on the cloud. Plus, there’s potential for organizations to simplify, gain greater visibility and automate many more tasks.
Lock Down Supply Chains
The security of organizations that are part of supply chains will also need to improve, he said. Examples abound, including the SolarWinds attack that came to light last year, as well as NotPetya, a fake ransomware attack in 2017, attributed to the Russian government, that wiped devices in Ukraine and beyond. Similar to SolarWinds, which has also been attributed to the Russian government, NotPetya was spread via a backdoor added to M.E.Doc, a little-known but widely used accountancy software tool developed by a Ukrainian company called Intellect Service.
“This was a company that had not patched its service for several years. So from the outside, it was absolutely obvious that this was an open target and a brilliant way into a large number of customers,” Hannigan said. “That’s why people like supply chain attacks. That’s why criminals and nation-states pay for them: because they have access. They’re not interested in the company itself – it’s the access they give to a massive number of customers.”
Unfortunately, the efficacy of such attacks means that organizations that rely on supply chains cannot focus on assessing only the biggest vendors with which they work, but must also look at the smallest. And some very large companies, Hannigan says, rely on supply chains that count well over 10,000 vendors.
“You may think that your most critical vendors are your top 100 – the ones you spend most of your money on, the ones that are integrated into your systems, the software-as-a-service providers and so forth,” he said. While they can be a risk, chances are they’re also spending significantly on security. Accordingly, the threat may not be the top 100 most critical suppliers, but the 9,080th one, “because that may be a small company that has one person doing cybersecurity, if anyone. They may have outsourced it. They may not really have a cybersecurity posture,” he said. “But that is exactly the kind of company that an attacker will look for, and will scan for – find a weak way into your networks.”
Diplomatic Moves Also Necessary
Beyond defenders doing more basics correctly and better evaluating and reducing supply chain risks, Hannigan says a full fix for ransomware will also require government action aimed at altering some nation-states’ tolerance for ransomware.
“I’m really struck that DarkSide ransomware cannot be installed in machines that are running language settings for, I think, around 16 countries, including Cyrillic for Russia, and many of the other language settings for countries in the former Soviet Union,” Hannigan said.
“That doesn’t necessarily mean it’s a state operation. But I think it does point to the fact that a number of states are tolerating, and sometimes benefiting from, this tidal wave of ransomware attacks, and that needs to change,” he said. “The cost of doing this has to rise for those states, before anything is going to really get much better.”