MDR- is anyone safe?
There is no doubt that Ransomware has changed the face of cybercrime. Cyber-attacks were once considered low down on the risk register for the average organisation that delivered mail, sold sportswear or cars. But we have recently seen companies in these sectors suffer the consequences of being hit by cyber-attacks. They were targeted not for their intellectual property or customer information specifically - although this is often a consequence of such attacks - but because taking away their ability to access their own data removed their ability to operate. Whilst ransomware gangs usually exfiltrate (steal) the data from the victim before encrypting it to make it inaccessible, the contents of the data itself are usually of insignificant value to them. The value lies in its significance to you and your need to access it in order to operate.
The House Analogy
Imagine a scenario where a specialist burglar has already gained entry to 100 properties. They haven’t explored them yet and don’t have time to do so. A few are of specific interest to them, so they focus on those properties themselves, but they sell the access to the properties they are less interested in to another burglar. The other burglar is less focused on a specific target and will exploit any access they can find. This is similar to the principle we see in cyber-attacks. Perhaps the second burglar is not as sophisticated as the first and could not have gained the access themselves, but now that they have it, they have the tools to exploit it. Being the victim of a cyber-attack in this sense could almost be put down to bad luck. The victim was not initially on a target list, but not patching vulnerabilities or not having any cyber security controls in place made them low-hanging fruit. After all, what business can simply ignore the end result of a Ransomware attack?
To answer this we must first recognise that the Ransomware ecosystem is complex and has many different actors of varying capability. Attacks can come from a variety of sources and a target can be selected specifically or by chance.
An equivalent comparison could be a physical burglary that is either targeted or opportunistic. Perhaps the house has been chosen specifically, or the burglar simply happens to notice a building with a door left open. We all consider ourselves to be at risk of being burgled and do not leave our premises unsecured, even though we don’t own very expensive assets. Anything of value is of interest to the opportunistic burglar. If we leave it unlocked somebody may take it; not because they premeditated the theft, but simply because it was left available to steal.
It is true of course that more sophisticated cyber criminals, such as so-called Nation State sponsored APT groups with large amounts of resources at their disposal, may craft specific attacks, buy or write zero-day software exploits and perform large amounts of reconnaissance before attacking a chosen target. They will often infect a network and spend time on it undetected whilst they plan the execution of their attack. Less sophisticated groups, however, without the same level of skills and resources, may buy the access already obtained by somebody else. The latter are less likely to have a specific target in mind.
So cyber-attacks are a threat to every organisation, or at least to those that rely on digital data and platforms. If you cannot operate without your data (which is more than likely the case) then Ransomware or any kind of disruptive cyber-attack is a concern. Whilst it may not be as high up the risk register as it would be for a pharmaceutical company doing vaccine research, a cryptocurrency exchange or a global bank, it is no longer a threat that any organisation can consider itself immune to and ignore.
According to the 2022 “Verizon Data Breach Investigations Report,” ransomware attacks surged dramatically in 2022; ransomware was involved in 25% of all breaches.
https://www.verizon.com/business/resources/reports/dbir/