Many nations maintain hard-and-fast policies of not negotiating with terrorist organizations, especially when it comes to paying ransom. However, the situation is quite different in the cyber-world.
A majority of businesses across APAC are choosing to pay up after falling victim to ransomware attacks – 88% in Australia and 78% in Singapore.
Meanwhile, the manufacturing sector is a hot target. And many nations in Asia Pacific are manufacturing powerhouses for the rest of the world.
As Colonial Pipeline and JBS Foods disclosed they paid millions in ransoms recently, this begs the question – to pay or not to pay after a ransomware attack?
It’s been found that paying the ransom will not always lead to the systems being restored and even when systems are restored in part or full, the financial cost of operational downtime while the files and systems are still locked down will often be far higher than the minute cost of the ransom demanded.
Why is Asia Pacific – particularly the manufacturing industry – such a great ransomware harvesting field for bad actors? What can governments and enterprises do to improve defenses against the growing ransomware threat, during and after the COVID-19 pandemic?
CybersecAsia sought some answers from Sanjay Aurora, Managing Director, APAC, Darktrace.
Why is APAC being plagued by ransomware attacks, and seeing an uptick in ransomware detections?
Sanjay: Attackers go where the money is, and ransomware has become an incredibly lucrative means of revenue generation for them. What’s more, the barriers to entry for these attacks are lowering every day, thanks to a growing market of ‘Ransomware as a Service’ (RaaS) providers who are proliferating on the dark web, becoming widely available among cybercriminals looking to make a quick buck.
This has been exacerbated by our growing reliance on technology for businesses to function, accelerated by the era of remote working due to COVID-19.
With organizations more reliant on online operations than ever, they are more likely to pay a ransom to get their systems back up and running, presenting an opportunity for attackers to hit organizations where it hurts.
Why is the manufacturing industry a hot target for cybercriminals and how can governments step in to help?
Sanjay: Against critical infrastructure and utilities, cyber-attacks have the potential to disrupt supplies, harm the environment, and even threaten human lives. This level of disruption can serve as an incentive for organizations to pay up a ransom, and as we saw with the Colonial Pipeline attack, a chance for attackers to parade on a global stage.
When it comes to manufacturing, we’ve seen a growing trend of attackers exploiting the convergence of IT and OT systems to pivot from one to the other, and we’ve even started to see attackers now able to target OT systems directly rather than pivoting through IT systems.
Government agencies around the world are doing important work to raise awareness, improve regulations and provide threat intelligence, and should continue to focus on elements of the attack cycle that individual victim organisations have no control over, such as law enforcement action.
Governments should also strive to enable secure architecture design, good cyber security hygiene, and network monitoring across organizations, while aiming to arm the public sector with cutting-edge technologies capable of detecting and stopping attacks in their earliest stages.
How can businesses bolster their defenses amid accelerated digital transformation efforts and the normalization of remote work that’s causing ransomware to rise?
Sanjay: Increased connectivity, rapid adoption of new technologies and the rise of increasingly dynamic and remote workforces have opened new doors for hackers – but we must not let this hinder innovation.
Balancing the opportunity for digital transformation with its inherent risks is a task that extends far beyond enforcing security rules. It’s also about embracing emerging technologies capable of watching over critical data and keeping pace with rapid changes to the digital estate – the modern organization has too many variables for static or siloed security.
That’s why thousands of CISOs today augment their human teams with AI, shifting attention away from prevention and predicting the attackers’ next moves and focusing instead on understanding the ‘normal’ behaviour across the digital estate, and constantly enforcing that normal when malicious activity arises. This technology can identify the subtle indicators of this malicious activity wherever it emerges, and thwart them before attacks have the chance to spread, and before damage is done.
When the C-suite invests in these technologies, which spot and stop threats at the earliest signs of compromise, organizations are given the resilience to continue to innovate, grow and develop while keeping their digital environments safe from attack.
Humans are the weakest link within a business entity’s cyber-defenses. Would innovative technologies then be the answer to stop cybercriminals in their tracks?
Sanjay: It is clear from recent attacks on Colonial Pipeline, JBS and Kaseya that we have entered a new era of ransomware. Attackers are lying low in the supply chain to launch mass attacks with maximum return on investment, or infiltrating organizations via sophisticated phishing emails which easily slip past traditional email gateways, then launching computer-speed ransomware which leaves security teams outpaced.
This is no longer a human-scale problem – attacks move too quickly for people to respond. In many cases, perimeter defences won’t work because the attack comes from the inside.
To combat the modern era of ransomware, organizations must strive for machine-speed resilience. This means embracing cutting-edge AI technology capable of not only watching over critical data and keeping pace with rapid changes to the digital estate, but responding to attacks proportionately before any damage can be done.
That’s why thousands of organizations today leverage Autonomous Response AI, a world-first technology which combats the most sophisticated ransomware attacks out there and responds within seconds of the threat emerging. Today, ransomware is the top use case for this technology, and this machine-speed response to an emerging attack is rapidly becoming the de facto way to avoid ransomware attacks.
What is your opinion on paying ransomware demands? Are there ‘bigger picture’ questions to ask when we think about our responses to ransomware attacks?
Sanjay: The focus on ‘to pay or not to pay’ can often lead us astray from the greater problem at hand – the focus needs to shift from reactive to proactive approaches to ransomware prevention and response. We need to focus on detecting and responding as early as possible to reduce the incentive for the criminal organizations to strike in the first place.
What’s more, paying a ransom doesn’t always ensure that systems will be restored. Only in a minority of cases does paying the ransom lead to partial or full restoration of an organization’s data and systems. Secondly, even when systems are restored in part or full, the financial cost of operational downtime while the files and systems are still locked down will often be far higher than the minute cost of the ransom demanded – sometimes, the cost of even an hour of downtime can be hundreds of thousands of dollars.
Today, it’s important to stop asking the question of to pay or not to pay and instead ask what we can do to stop tomorrow’s threats today. That’s why thousands of organizations around the world are using AI technology that detects even the most novel and sophisticated threats out there, and stops them before systems can be held to ransom.