Ransomware Becomes Endemic. How Should We Respond?

5–1–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors.

And you can find us online at coastalcyber.io

Today is Monday May 1st, a month that’s really seemed to sneak up on us. Or at least me!

We’ve got a few tidbits coming out of last week’s RSA conference that are worth triangulating and then applying to our portfolio companies and potential investments, so let’s dig in.

Is Ransomware Endemic?

Axios reporter Sam Sabin has a solid piece out looking at perspectives on this issue from leaders and leading vendors at RSA. And when I say leaders, I mean people like NSA Director Rob Joyce and vendors like Sophos, IBM, and Flashpoint.

What do they say about ransomware and what should we do with that information?

First, Joyce notes that Russian hackers are weaponizing ransomware in their invasion of Ukraine, targeting not just in-country assets, but also the Ukrainian military and civilian supply chains, and aligned Western countries and companies.

Additionally, data indicates that ransomware has moved beyond just a nuisance and into a persistent (and growing) threat.

Sophos notes that 68% of the incidents they saw involved ransomware - the leading attack by a mile (second most-common was “non-ransomware network breaches” at 18%). Beyond that, Sophos notes that 73% of their Incident Response investigations involved ransomware.

At the same time, ransomware negotiation vendor Coveware published a report noting that while average and median ransomware payments have dropped slightly, volume has increased as has the size of the targeted company.

Now, larger companies are being targeted, and Coveware notes that 45% of companies hit end up paying the ransom (at an average of $327K).

These numbers are staggering!

At the same time, we’re seeing previously unknown vulnerabilities (this week it’s been a vulnerability in print management software PaperCut) being used to deliver ransomware and other attacks. Microsoft confirmed that Clop ransomware is using this zero day to compromise new victims.

And - as a reminder - the impact of these attacks is real, and long lasting, as we’re seeing in the ongoing litigation between Roomba parent company (and now Amazon acquisition) iRobot and Expeditors International - who got hit with an assumed ransomware attack last February.

The Wall Street Journal reports that the attack has already cost Expeditors $47M in extra charges at shipping depots and ports, and an additional $18M on incident response. This doesn’t include litigation costs, and a small note towards the end of the article notes that “Expeditors said it can’t estimate for other potential litigation or claims, adding that it isn’t fully insured for cyber incidents because, as with earthquakes and terrorism, ‘it is not deemed economically feasible or prudent to do so.’”

So what do we do with all of this doom and gloom news?

If we assume that ransomware is endemic, we have to adjust the way we run our businesses to better manage this risk. It means looking at the attack vectors being used and shoring up our defenses. It means becoming more resilient and encouraging (or potentially requiring) our partners to do the same.

If we do nothing, we’ll be in the position Expeditors finds themselves in - not insured, not acknowledging the incident, and having to fight customers over lost revenue in court more than a year later.

That’s no way to tackle this threat.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.axios.com/2023/04/28/ransomware-attack-cybersecurity-rsa-conference

https://www.politico.com/newsletters/weekly-cybersecurity/2023/05/01/how-hackers-are-saving-ai-00094590

https://news.sophos.com/en-us/2023/04/25/2023-active-adversary-report-for-business-leaders/?utm_source=substack&utm_medium=email

https://www.coveware.com/blog/2023/4/28/big-game-hunting-is-back-despite-decreasing-ransom-payment-amounts?utm_source=substack&utm_medium=email

https://twitter.com/MsftSecIntel/status/1651346653901725696

https://www.wsj.com/articles/a-cyberattack-forced-a-logistics-company-to-temporarily-halt-operations-dde27a19
