The threat from ransomware continues to occupy CISOs. For every security advance made to battle it, cybercriminals devise a way to thwart it. But there can be no surrender in this arms race — because the damage to organizations can be existential.
For a recent episode of CISO Insights — “Ransomware 3.0: Can Anything Stop These Bad Actors?” — hosts Dan Lohrmann of Presidio and Earl Duby of Auxiom reviewed the latest ransomware developments with a panel of experts: Erika Gifford, of Verizon Threat Research Advisory Center, Darrin Kimes, a consultant for Verizon Threat Intelligence, and Allan Liska, a ransomware researcher at Recorded Future.
The nature of the ransomware threat now
It is notable, several panel members said, that increasingly ransomware attacks do not involve encrypting and holding the victim organization’s data hostage; Liska estimated that almost a third of recent ransomware attacks did not involve encryption.
And some threat actors do not even bother to steal the data — they merely claim to possess it and demand payment.
This type of attack highlights how important it is for organizations to know what is on their network. The attacker might claim to have seized valuable data, but Gifford said that if the organization is savvy, it can view data the attackers offer as “proof of life” and recognize that it’s old data — the attacker had been bluffing.
Still, the threat of the name-and-shame game continues. Instead of encrypting data, the attacker threatens to disclose the breach publicly, as well as offer the data up for sale — a double whammy that injures the organization’s competitiveness and reputation.
It is also critical to know what data third-party partners have access to, because too often, attacks are made on those third parties. “There’s a lot of [third-party] companies out there that don’t do good data hygiene and they’ve been hit,” Gifford noted.
The threat for smaller organizations — local and state level — has never been greater. Larger organizations now typically have excellent, recent backups and other resources. But counties, school districts and the like often do not.
The panel members discussed the possible motivations for attacking such small entities, beyond the fact that a successful attack is easier to pull off.
Gifford proposed that it is a way to gain “bragging rights”: since successful ransomware attacks are easier to achieve against small entities, the ransomware group’s success numbers are higher. That can make them more attractive to others who want to “join their as a service.” But also, she added, “it could be … these lower municipalities and things of that nature are paying some sort of ransom.”
Lohrmann noted that while an attack against a large company can yield millions, the smaller attacks still offer rewards of hundreds of thousands of dollars.
Lohrmann, who co-authored the book Cyber Mayday and the Day After, noted in particular the threat to critical infrastructure like water systems, which are often run by small municipalities. Time and again, small entities are one-man shops, and the resources are too limited to hire a cybersecurity consultant.
While it is often attacks on hospitals that grab the headlines, 80% of the victims of recent ransomware attacks have been privately owned businesses, according to Kimes.
“Whether big, small, medium, the attacks just keep on coming,” Lohrmann said.
In what is perhaps emblematic of the times, the panelists noted the rise of “kinetic” threats, or violence as a service. Some ransomware groups, Kimes noted, are using threats of violence if ransoms are not paid. “What they’re doing is offering to pay someone local … to literally throw bricks through windows of C-suite executives.”
If ransomware is the problem, what’s the solution?
The panel agreed that the first step toward minimizing the threat of ransomware is to understand your organizational weaknesses. “We continue to preach,” Gifford said, “know what’s on your network, understand where your liabilities are.” Often, the solution is not complicated. Of the four major attacks in 2024 that the panel had discussed, half would’ve been thwarted by MFA.
Antiphishing and other cybersecurity training were mentioned, too, though panel members acknowledged that employees have grown tired of cybersecurity training programs and are prone to “just click through.” Still, education is essential; organizations should take a hard look at their programs and make them more engaging, perhaps by adding real-life stories, Gifford suggested.
To improve prevention, Kimes offered, organizations that have the resources should try to hunt on the dark web for leaked credentials, and should hire experts to run a red team/blue team exercise, because “you need to know what your company looks like to the threat actor.”
For organizations in need of help for low or no cost, panelists mentioned turning to cisa.gov/stopransomware and nomoreransom.com. Also, it’s wise to keep an eye on the CISA Known Exploited Vulnerabilities Catalog to help prioritize an organization’s patching program. Another group that can help is the Multi-State Information Sharing and Analysis Center, or MS-ISAC.
But what to do if the attack’s already been successful?
Some states, like Wisconsin, said Lohrmann, do have a volunteer cyberforce — “almost like a National Guard” — that can help. Consider, too, calling in the FBI for help. In some cases, the Bureau has a recovery key, according to Kimes, and can help smaller entities rebuild.
Check out the full recording of this important panel and learn even more about what ransomware threat actors are up to and how to stop them.
Editor’s note: An editor used AI tools to aid in the generation of this article. Our expert editors always review and edit content before publishing.
Brenda Horrigan is executive managing editor for Informa TechTarget’s Editorial Programs and Execution team.