EXECUTIVE SPOTLIGHT: Sophos’ John Shier
Ransomware is a sneaky type of malware that can wreak havoc on your computer system. It’s like a digital kidnapper that takes your personal data hostage and demands a ransom in exchange for its release.
This malicious software can enter your system through a variety of ways, including phishing emails, malicious attachments, or network vulnerabilities.
Once it’s in, it can either lock your computer screen or encrypt your files, making them inaccessible. Ransomware-as-a-service is a particularly nefarious business model that allows malware developers to profit from their creations without even distributing them.
Sophos, the cybersecurity company, has released its annual “State of Ransomware 2023” report, and the results are in!
In 76% of ransomware attacks against surveyed organizations, adversaries succeeded in encrypting data. That’s the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020. Yikes!
But, there’s a glimmer of hope: the rate of ransomware attacks declined slightly in Asia Pacific and Japan (APJ) in 2022. Only 68% of organizations surveyed said they were a victim of ransomware, compared to 72% the year before.
In an exclusive interview with Buzz Capital, Sophos Field CTO (Commercial) John Shier shared a few of his thoughts on the burning issues surrounding ransomware today.

We live in a reality where enterprises have a ‘do not pay’ policy in place yet most of them still pay the ransom to cybercriminals. Has this “inevitability” contributed to the spike in the average ransom paid in the private sector? Can you give us an insight into what is driving the ransom figure upward?
JS: Ransom payout rates consistently hover around 50% and this includes everything from the low thousands to multi-million-dollar ransom demands. The reality is there are many sources of data on ransom payments, so finding the ground truth is very difficult.
There are many criminals that are happy accepting lower sums and they make up the difference by increasing the quantity of attacks. Some larger groups will demand exorbitant prices yet settle for much lower amounts after negotiation.
Higher demands are less likely to compel an organization to pay, so keeping prices lower is advantageous to most cybercriminals. The catch with paying a ransom is that an organization still needs to go through the recovery process, which in some cases can cost as much as the ransom demand, if not more.
Victims of ransomware almost always see either a rise in premiums or a specific exclusion of ransomware from their insurance policies. In this scenario, where do they turn? Are there any options still available to them?
JS: As the cyber insurance market stabilizes after a period of turmoil, organizations can still qualify for policies, but they will need to prove that they have successfully applied the appropriate controls that were missing and likely led to their victimization.
During the application process, businesses will be audited to understand their prevention and detection capabilities before an insurance policy is approved. The remaining level of risk will determine whether the company will be covered and the resulting premium.
If an organization takes steps to reduce its risk, it can expect the premiums to reflect this increased security posture, but previous claims might prevent it from qualifying for a lower premium.
Whether enterprises get their data back or not, whether they are covered by pricey cyber insurance or shelling out from their own funds, ransomware actors always get the payout, and this only motivates them to continue their attacks. Beyond building a stronger cybersecurity posture and better-trained workforce, what do you think is a more concrete strategy?
JS: There needs to be a multi-pronged approach to tackling ransomware. Prevention technologies and baseline security hygiene need to be in place to shrink the target pool.
To further limit the number of victims, organizations must invest in detection and investigation products and/or services so that human-led attacks are neutralized before they develop into ransomware attacks.
Together, robust prevention and detection raise the attacker’s costs and buy the defenders time. Another key element to disrupting ransomware is disrupting the cybercriminals’ ability to monetize their attacks.
Cryptocurrencies have made paying multi-million-dollar ransoms far too easy and regulating their use could prove helpful in stemming the tide of ransomware.
What does an effective disaster recovery plan look like for an enterprise that has been successfully hit by ransomware?
JS: An organization’s ability to recover is dictated by its response plan. A well-crafted and tested response plan will ensure both minimal downtime and exposure. Therefore, the most effective plan is one that exists, is up to date, and has been tested.
While many organizations have some sort of generic plan, many don’t have one that is specific to ransomware, or worse yet, don’t have one at all. The framework of the DR plan can be generalized but the specifics need to be tailored to the organization and the type of outage.
Recovery from a fire, botched update, or ransomware can differ greatly. The plan needs to consider all the people, processes and tools that must be activated in the event of a ransomware attack. Without a specific, tested plan, there is a risk that the recovery becomes lengthy and incomplete.
In their continuous evolution, hackers are now directly hitting the backup options of their victims, forcing these enterprises to pay the ransom. How can enterprises safeguard themselves before this happens? Are immutable clouds and disks the only solutions?
JS: Reliable backups are crucial to any recovery effort, especially when ransomware is involved. It can mean the difference between being forced to pay a ransom or not. For a backup strategy to be successful, organizations should adopt the 3-2-1 rule. The 3-2-1 rule suggests having at least three copies of your data; using two different types of backup media; and keeping one copy offline, and preferably offsite. Having a copy of your backups inaccessible to the attackers is the only way to ensure its integrity and availability. The only backup you will ever regret is the one you didn’t make, and the second most is the one you didn’t test.
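The 3-2-1 rule and the "test your backups" point above, turned into a check a defender can run against a backup inventory. This is an added example, not Sophos' or the interviewee's code; the inventory, the media names and the "test restore" payloads are constructed, and it assumes the production copy counts as one of the three.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str       # storage type, e.g. "disk", "tape", "object-storage"
    offline: bool    # not reachable from the production network (air-gapped)
    offsite: bool    # kept in a different physical location
    content: bytes   # constructed stand-in for what a test restore returns


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(source: bytes, copies: list) -> dict:
    """Score an inventory against the 3-2-1 rule, counting only copies whose
    test restore matches production. Assumption: the production copy is one
    of the three. Hard failures go in 'findings', preferences in 'advice'."""
    want = sha256(source)
    good = [c for c in copies if sha256(c.content) == want]
    corrupt = [c.name for c in copies if sha256(c.content) != want]
    media = sorted({c.media for c in good})
    offline = [c for c in good if c.offline]
    offsite = [c for c in offline if c.offsite]
    findings, advice = [], []
    if 1 + len(good) < 3:
        findings.append(f"only {1 + len(good)} verified copies, need 3")
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s), need 2")
    if not offline:
        findings.append("no verified offline copy")
    elif not offsite:
        advice.append("offline copy exists but none is offsite")
    return {"ok": not findings, "copies": 1 + len(good), "media": media,
            "offline": len(offline), "offsite": len(offsite),
            "corrupt": corrupt, "findings": findings, "advice": advice}


# Constructed inventory: one copy's restore comes back truncated.
SOURCE = b"constructed payroll database dump"
INVENTORY = [
    BackupCopy("nas-nightly", "disk", offline=False, offsite=False, content=SOURCE),
    BackupCopy("tape-weekly", "tape", offline=True, offsite=True, content=SOURCE),
    BackupCopy("cloud-snapshot", "object-storage", offline=False, offsite=True,
               content=SOURCE[:-1]),
]

if __name__ == "__main__":
    print(check_3_2_1(SOURCE, INVENTORY))
```

Remove the tape copy from the inventory and the check fails on all three counts, which is the situation the question describes when attackers reach the online backups.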
A few RaaS entities are reported to have set their sights on macOS and Mac computers. Are we expecting this threat to escalate this year?
JS: Cybercriminals are always looking for new platforms to attack to cause the most disruption that they hope will result in higher payout rates. The threat will only escalate if they are seeing success with this new tactic, and it is relatively simple to pull off. For everyday cybercriminals, the effort involved with adding another platform to attack might prove too complicated, whereas more capable groups would likely give it a go. The best-case scenario for attackers is to find a cross-platform threat that is easy to deploy. While these attacks do exist, they are not as widespread. Nevertheless, it’s imperative that defenders consider all platforms when implementing security controls.
What does a common incident response playbook look like today? What needs to change, and which elements must enterprises double down on?
JS: Understanding the current situation is important. Collect the information you already know: what has been detected and what machines and/or networks are impacted? Your visibility will dictate how rich your information is, which will determine how confident you can be in understanding the full picture. This will, in turn, inform what response actions you need to take versus the ones you can take. Depending on your capabilities, the answer might not be the same. Enterprises should double down on protection. The more they can prevent, the less work they’ll face. However, we know that prevention isn’t enough, so they will need a plan for when things go wrong. Ideally, they’ll have the tools and processes in place to know when that time comes.