By Mike Rogers – Cyber-criminals had a banner year in 2017, with ransomware variants like WannaCry, Petya and NotPetya bringing major organisations such as National Health Service trusts in the UK, Spain’s Telefonica and the National Bank of Ukraine to their knees.
These devastating, widespread attacks highlighted the reality that cyber-crime has grown into a sophisticated and well-resourced global industry.
The costs to businesses of dealing with professionalised cyber-crime are immense. Research from Cybersecurity Ventures estimates that damage from global ransomware attacks soared to $5-billion in 2017, up from $325-million in 2015. This includes the costs of data loss or destruction, business interruption, forensic investigation, restoration of services, reputational harm and the costs of training employees to respond to attacks.
Blurred lines
The sheer scale of the damage inflicted by recent malware attacks is partially influenced by the growing maturity of the tools that hackers have at their disposal. Starting in late 2016, there have been several major leaks and publications of NSA and CIA cyber-espionage tools, code, exploits and techniques.
This has given cyber-criminals access to tools that were developed using the resources of the world’s most powerful intelligence agencies.
Throughout 2017, we increasingly saw state-sponsored hackers pursuing types of attacks, like ransomware and cyber-currency theft, that would previously have been the domain of non-state hacking groups.
We are also seeing state actors hiding behind what initially appear to be common ransomware attacks in order to achieve a geopolitical objective. For example, the NotPetya attack that initially targeted Ukrainian businesses and state organisations is widely believed to be the work of a state-sponsored Russian cyber warfare group.
The sharing of tools and techniques between private and state hacker groups is blurring the lines between these organisations. This is providing private hacker collectives with increasing capabilities that widen the reach and increase the damage caused by their attacks.
At the same time, this makes it more difficult to conclusively identify state-sponsored attackers – providing them with plausible deniability in the event that they are called out.
Profitable business
What’s more, many global cyber-criminal syndicates have created profitable businesses selling cyber-crime services and software, such as on-demand distributed denial-of-service (DDoS) attacks and toolkits that automate malware and ransomware attacks, to other criminals.
The tools of cyber-crime are becoming commoditised at a rapid rate.
The result is that criminals who don’t have the technical skills needed to craft their own malware or to launch a sophisticated attack can also profit from cyber-crime. The support they get from their cyber-crime-as-a-service provider can often be as good as the service legitimate companies get from their IT service providers.
Looking ahead to the rest of 2018, we can expect to see these trends from last year accelerate. It’s becoming easier and cheaper for enterprising criminals to launch attacks with a profit motive. Of course, we’ll see cyber-criminals continue to target bank account info, credit card data (and now cyber-currency exchanges and wallets), personal identity information, and personal health information with the aim of reselling it on the black market.
Cyber-extortion attacks, whether traditional ransomware or more targeted extortion like the one where hackers threatened to leak the new season of Orange Is The New Black if Netflix didn’t pay them off, will also become more common.
Stealing a company’s confidential data or intellectual property and threatening to leak it if a ransom is not paid is likely to be a bigger business this year.
The effect on SA
In South Africa, we have started to see local threat actors using cyber-espionage, cyber-extortion and cyber-attacks as tactics.
Data breaches have been used to assist certain organisations to further their interests when they’re embroiled in labour, political or commercial disputes with other parties.
While most of these local incidents have been enabled by phishing or social engineering attacks, many South African businesses have also been impacted by the same global malware attacks that have dominated the world’s cybersecurity headlines in the past year.
These trends have significant implications for South African businesses. It is becoming increasingly clear that small and medium businesses, which were not major targets for cyber-criminal syndicates in the past, will face a growing range of threats.
Today’s malware tools make it quick and easy to spread ransomware to hundreds of thousands of computers, compared to the focused effort of targeting a single company for a big payday.
Indeed, the business model for ransomware is about shaking down lots of companies in the hope that a small percentage will pay a few hundred dollars (or a fraction of a cyber coin) to get their data back. Cyber-criminals may find that smaller businesses with looser security and weaker data protection processes are better targets than larger companies.
To remain abreast of the threats, businesses need to take a multi-layered approach to enterprise security that encompasses technology, process, policy and people. It’s not just an IT problem, but an enterprise risk management issue. Risk teams and the IT department should be supported with the resources they need to keep the enterprise safe.
Since information security is a specialist field and skilled resources are scarce, most South African organisations will need to work with a third-party security service provider to plug the gaps in their own capabilities. It’s also important to have contingency plans in place to protect the board, management, and the company from loss and liability wherever possible.
Mike Rogers is the CEO of Tarsus SecureData