The Ransomware Battle is Shifting - And So Should Our Response
10–21–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, October 21, 2024, and we’re seeing some new takes on old topics this week - ransomware. No funny quips - let’s jump right in.
“The ransomware battle is shifting — so should our response”
This past Friday saw an interesting OpEd in the Financial Times from Anne Neuberger, currently the US Deputy National Security Adviser for Cyber and Emerging Technology entitled “The ransomware battle is shifting — so should our response.”
Other news outlets had headlines that were a bit more blunt, including CNBC who wrote “The government is getting fed up with ransomware payments fueling endless cycle of cyberattacks.”
Obviously, we continue to see ransomware attacks - and the struggle to recover. You may recall that we mentioned Japanese electronics and watch company Casio getting hit with ransomware last week - but only owning up to it once the attackers leaked their stolen data on the dark web.
Since then, Casio’s week has gone from saying that they have “no prospect of recovery yet” late last week to now saying they’re hoping to have their systems back online “by the end of November.” For a company that does about $2B a year in revenue, that’s quite a long time to be down.
In reading Neuberger’s FT piece, I’m struck by a couple of things:
It’s not clear to me how Ms. Neuberger thinks the ransomware battle is shifting. She calls out the usual players by name - Russia and North Korea, and includes some statistics on volume of attacks, amount of ransom paid (in USD, naturally), and some passing shots at cryptocurrency and the money laundering services that enable these crimes. But none of this is new - so what’s the shift in these attacks? I get the shift she’s trying to propose in the response, but the premise falls flat to me.
Her suggested response is big on rhetoric and thin on actions. I want to first give credit to the document she cites in the OpEd from the White House about security controls that are effective in combatting ransomware attacks.
These controls are:
Have regular backups that you test;
Update and patch your systems;
Have an IR plan, and test it;
Get a pen test done; and
Segment your networks.
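The first of those controls is the one most often only half done: backups get taken, but never restored. As an added illustration that is not part of this post or of the White House memo, here is a small restore drill in POSIX sh. It backs up a constructed sample directory with tar, records a SHA-256 manifest, then proves the archive is actually restorable by extracting it into a scratch directory and checking every file against the manifest. It also simulates a silently corrupted archive to show that the drill catches it. It assumes GNU coreutils (sha256sum) and GNU sed are available; the directory names and sample files are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal "test your backups" drill.
# Assumes GNU coreutils sha256sum and GNU sed (Linux); paths used here are constructed.
set -eu

# make_sample_data DIR : constructed sample files standing in for production data
make_sample_data() {
  mkdir -p "$1/config" "$1/db"
  printf 'db_host=10.0.0.5\n' > "$1/config/app.env"
  printf 'id,name\n1,alice\n2,bob\n' > "$1/db/users.csv"
}

# backup_dir SRC ARCHIVE : archive SRC into ARCHIVE (absolute path) and write a
# checksum manifest ARCHIVE.sha256 taken from the live data at backup time
backup_dir() {
  src=$1; archive=$2
  tar -C "$src" -cf "$archive" .
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.sha256"
}

# verify_backup ARCHIVE : the actual restore test. Extract into a fresh scratch
# directory and compare every restored file with the manifest. Prints "ok" and
# returns 0 when the restore is complete and intact, prints "FAIL" and returns 1
# when the archive is unreadable or any file differs.
verify_backup() {
  archive=$1
  scratch=$(mktemp -d)
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    rm -rf "$scratch"; echo FAIL; return 1
  fi
  if ( cd "$scratch" && sha256sum -c "$archive.sha256" ) >/dev/null 2>&1; then
    rm -rf "$scratch"; echo ok; return 0
  fi
  rm -rf "$scratch"; echo FAIL; return 1
}

# simulate_bitrot ARCHIVE OUT : constructed failure case. Produces a copy of the
# archive with a same-length byte change inside a file's data, keeping the
# original manifest, i.e. a backup that looks fine on disk but does not restore
# the data that was backed up.
simulate_bitrot() {
  sed 's/alice/aXice/' "$1" > "$2"
  cp "$1.sha256" "$2.sha256"
}

# Stand-alone demo: a good backup passes, a rotten one is caught.
ws=$(mktemp -d)
make_sample_data "$ws/data"
backup_dir "$ws/data" "$ws/backup.tar"
echo "healthy archive: $(verify_backup "$ws/backup.tar")"
simulate_bitrot "$ws/backup.tar" "$ws/rotten.tar"
echo "rotten archive:  $(verify_backup "$ws/rotten.tar" || true)"
rm -rf "$ws"
```

The point of the drill is the extract-and-compare step, not the checksum file itself: a manifest only tells you what the data looked like when the job ran, and only a restore into a clean directory tells you whether that data comes back.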
These are great controls and should be in place at your organization. But the memo is from April of 2021 - again, leading me to wonder what’s changed in the response, as well as in the attacks?
The hand-waving at “Enhanced co-operation within government and between countries, civil society and private industry” doesn’t seem to be a thing, and if it is, doesn’t seem to be working.
It also seems to be a strategy around treating the symptoms, and not the cause.
Third, and perhaps most interestingly, is Ms. Neuberger’s position on cyber insurance, and - in particular - policies “covering reimbursement of ransomware payments — incentivise [SP - it is the FT, after all] payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end.”
Given that she - in just the line before - had suggested “The insurance industry can also play a constructive role, by, among other thing, requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies,” this doesn’t seem to be a feasible plan. After all, cyber insurance against ransomware is the big driver for the industry, and asking the practice of paying ransoms (which are often negotiated down, by the way) to end seems like a nonstarter for insurers.
Her conclusion indicates that she’s clearly aware of the true issue (imploring readers to “pressure safe haven jurisdictions to take action to stem this destabilising activity”) but it feels like the US Government simply isn’t taking actions that would materially address the issue.
The UK risks falling into that same trap, with their proposed Cyber Security and Resilience Bill. The key comment on this proposed legislation is a good one: “Given that ransomware and similar cyberattacks are often a "traumatic experience" for the victims, […] the effectiveness of the bill will depend on nuances such as making sure the government has adequate resources to help cybercrime victims come forward, rather than victimizing them even more.”
I think we can take a page out of their book and quit blaming the victims, but instead target the criminals.
Fundraising
From a fundraising perspective, we saw a total of more than $10B in newly committed capital, with a good handful of announcements over $1B each - indicating to me that there are still investments to be made, even in the run up to the election.
With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.ft.com/content/3b172a2a-4be5-4ef4-87cb-7fdcdee2ad99
https://techcrunch.com/2024/10/17/casio-says-no-prospect-of-recovery-yet-after-ransomware-attack/
https://therecord.media/japan-casio-delays-watchmaker-ransomware
https://www.casio.com/jp/support/info/2024/1021/
https://www.databreachtoday.com/ex-ncsc-chief-uk-cyber-incident-reporting-good-step-a-26557