Ransomware Changed the Rules

Why I think it’s driving security improvements at companies

Recently I reposted this old tweet and said I still believe it to be true:

There has been push back from a number of angles so I feel the need to clarify specifically what I mean.

The threat of a ransomware attack, either targeted or random, is goading companies to take real security steps because the risk of a cyber security failure is no longer limited to reputation, or borne by customers, but is an existential risk to the company itself.

Things I don’t mean:

Advancing the state of the art of cyber security

Ransomware can be mitigated by having offline functioning backups. This is not new technology, nor even state of the art. It is simply best practice that very few places bother to invest in. The ability to restore from backups completely mitigates the ability of the criminal to extort the victim. Working backups negate ransomware’s leverage.

Companies buy more silver bullet boxes

The protections against ransomware are effectively cyber security standard recommendations: segment networks; apply patches in a timely fashion; ensure least privilege; have working regular backups; reduce attack surface (eg disable Office macros, use modern browsers, remove java and flash plugins, etc)… There’s no secret magic solution, like APT stoppers or audit requirements like checkbox periodic penetration tests. Companies must implement real security practices to mitigate the risk ransomware poses directly to their bottom line.

Write ransomware to secure things!

I’m not advocating the development or deployment of ransomware to improve security. I’m saying that the existence of ransomware has changed the cyber security game so that now every company is aware that their business is at risk from cyber attack. Not an abstract risk such as “reputation”, or an externality such as a risk that impacts customers and/or credit card companies, but a risk that directly threatens the data and critical infrastructure of the company.

Ransomware is so amazing cybersecurity solutions are improving

Again, the solutions that work against ransomware are the cyber security basics. The fundamentals to which businesses have mostly been paying lip service. Infosec budgets get spent on gadgets rather than on solutions that will actually help. There are many reasons for this failure to address the real security needs of the business, but an important one has been the abstract, ephemeral, and external nature of the threat. Why worry about APTs if you’re not a defence contractor? Why care about stolen credit cards, or PII, when the impact is felt by others?

The Perfect Incentive: Universal Value

The business’ data is important only to competitors and the business itself. This is where ransomware is the perfect incentive: it extorts the business with the one universal thing all businesses value – their own data. While some organisations have data that has intrinsic value that third parties will pay for (e.g. defence contractors), all organisations value their own data. Ransomware exploits this fundamental truth.

The very high global visibility of recent ransomware (and ransomware-like) events, such as WannaCry and Nyetya, serve as reminders of the extremely real nature of the threat. They serve to remind organisations that ransomware is indiscriminate, highly effective at breaching companies, and that relying on “paying the ransom” is not a viable strategy.

The Perfect Incentive to Improve

As an incentive to address cyber security risks, ransomware is perfect. It is global, highly visible, its victims are arbitrary, and the solutions are well known, well understood, and can be implemented using existing mature technology. The threat posed by ransomware is real, directed at the business itself, understandable by non-experts, and visible outside the infosec echo chamber. These are the reasons why ransomware incentivises organisations to honestly practice cyber security fundamentals.

Support more analysis like this.