NotPetya, WannaCry and BadRabbit.
No, these aren’t the names of Coachella’s headliners (though you could’ve fooled me). They’re the names of ransomware attacks from 2017 that have so far resulted in combined damage bills in the billions of dollars, footed by hundreds of organisations, both public and private, across more than 60 countries.
[If you’re unfamiliar with the branch of malware that is ransomware, here’s a fantastic in-depth explanation from Vince Tabora.]
Hospitals having to turn away emergency room patients, banking customers unable to access their money and major shipping ports unable to load or unload cargo- these are just some of the crippling effects achieved by holding hostage the data required for operations. Well, more accurately, first by encrypting such data and then selling the decryption keys back to the infected host.
Arizona Beverages, the company behind Arizona Iced Tea, was targeted by such an attack in March 2019. It caused sales operations to practically grind to a halt according to a source interviewed by TechCrunch.
“We were losing millions of dollars a day in sales. It was a complete shitshow.”
It is suspected that the ransomware, which reached over 200 of their servers and networked computers, was delivered via a malicious email attachment.
The recent growth of ransomware strains and attacks are no coincidence. A number of factors have contributed to this, here are two of interest-
- The online hacker group known as TheShadowBrokers obtained a treasure trove of tools and exploits developed by the NSA, dumping and selling them throughout 2016 and 2017.
- The invention of digital scarcity, in the form of cryptocurrencies, as a way to transfer value over the internet (anonymously and pseudonymously) and monetize security vulnerabilities.
Counting the Costs
The greatest cost of a ransomware attack for a victim is rarely the ransom itself (if paid), but the damage caused to an organisation’s operations and the costs to get back up and running. From necessary security upgrades, lost revenue, reputational damage and staff re-training, the bill can quickly spiral. FedEx, Maersk (shipping) and Merck (pharmaceuticals), just three of the many victims of the NotPetya attack, are expected to eventually be out of pocket a combined 1.5 billion dollars.
The most egregious part of all of this is that ransomware isn’t always targeted. It may organically and indiscriminately spread through the digital plumbing that connects your organisation to one of your suppliers, customers or employees. Additionally, it’s worth noting that the marginal cost of pushing ransomware to an additional organisation to close to zero. It also makes no difference in the cost to an attacker whether your company is worth thousands of dollars or billions of dollars (although the expected ransom amount will greatly differ).
Information Technology is laying the groundwork for a fundamental shift in the factors that determine the costs and rewards of resorting to violence.
-Davidson & Rees-Mogg
Lessons from the Industrial Age
The seminal book, The Sovereign Individual, by Davidson & Rees-Mogg describes the changes in power that have, and will continue to, occur as western societies transition from the Industrial Age to the Information Age due to advancements in micro-processing. One of the most notable predictions in the book is the demise of labour unions within manufacturing, brought about by their declining strategic power to extort higher wages for low-skilled work, in a time of increasing technological advancement.
We can gleam similar insights from the strategies employed by organisations in this period. While labour unions posed a physical threat to the means of production, ransomware poses a digital threat to the means of production. Disruption or damage to resources, employees, assets, manufacturing, distribution and reputation are all still cause for concern.
[To be clear, I do not hold a view on the topic of labour unions, I’m simply breaking down some of the basic strategies already widely employed.]
We’re in an age where size no longer provides the same strategic advantage it once did. It’s crucial to be aware of the industries, geographies and business models whereby an increase in size can correlate with an increase in exposure to virtual attacks. Small firms have lower limits for extortion. A bad actor seeking ransom can only ask for as much as an organisation can afford without going under, otherwise both leave empty handed. Hopefully such actors understand basic Game Theory. Implementing a threshold, in which you split into independent divisions or companies, once a certain size is reached reduces the contagion. Obviously, some organisations only make economical sense at scale. That’s why we’ve seen large infrastructure, such as major hospitals and municipal governments, continue to act as low-hanging fruit for targeted ransomware attacks.
Hiding in Plain Sight
“Most information technology is highly portable…can function independent of place and increases the mobility of ideas, persons, and capital.”
Davidson & Rees-Mogg
As more and more organisations evolve to become technology companies at their core, jurisdictionally-agnostic with global reach, they employ methods to match theses new needs. Distributed satellite offices without a HQ, a remote workforce of freelancers, outsourced suppliers and distributors, leased equipment and infrastructure, contracted service providers and subscriptions- the form in which an organisation can exist is becoming opaque. Such measures, when combined, compound to reduce the digital visibility of your operations.
Keep a Low Profile
A brand-centric organisation carries value in the form of goodwill. Goodwill is something to that must be constantly protected and an attacker knows this. It’s been revealed that Marriott hotels, through its subsidiary Starwood, have now potentially exposed 327 million passport numbers between 2014 and 2016 in a massive data breach. Granted this was not caused by ransomware, the reputational damage is still the same and the company will be attempting to rebuild trust for decades to come. Now imagine if the same thing were to happen to INTL FCStone. Ever heard of them? I hadn’t. Probably because they don’t need me to know who they are in order to be successful. But, they did $29 billion in revenue in 2017, are headquartered in NYC, all this with less than 15K followers on twitter. As a back-office financial services organisation, they don’t need to be shouting the loudest on the internet to generate business. Becoming a well-oiled cog in the machine for someone else’s end product or producing a product or service that can be white-labeled greatly reduces this vector.
Hopefully you now have a basic grasp on the methodology, scale and targeted vulnerabilities of ransomware attacks. The larger, more visible and entrenched an organisation is, the easier it is for an attacker to identify, find and choose to target said organisation. Strategically building organisations with this in mind may help in reducing or avoiding this threat over time.