No Easy Answers to Ransomware Riddle

Imagine you’re a director of a real estate company tasked with hiring a new chief executive. “Understands best practices in information security” might not be on your list of must-have qualifications. But maybe it should be.

The Securities and Exchange Commission this week announced that it settled charges against First American Financial Corporation stemming from a cybersecurity vulnerability that allegedly left more than 800 million sensitive images unsecured. First American didn’t even get hacked. It was bad enough, in the SEC’s eyes, that the company’s internal controls didn’t prompt employees to inform the C-suite.

Welcome to corporate management in the age of ransomware. This year, attacks on the Colonial Pipeline and plants owned by meat supplier JBS have drawn attention to the mounting threats posed by data hostage-takers. Companies disclosing that they’ve been targeted by recent ransomware attacks and may suffer adverse operational and financial impacts also include Allied Healthcare Products and carpet manufacturer Dixie Group.

Cybersecurity specialists say online criminals are just getting warmed up, with targets such as water and power infrastructure ripe for attack. The fact that the most nefarious networks of e-criminals are operating in Russia and former Soviet republics makes going after them directly extraordinarily difficult.

According to security firm Recorded Future, a successful ransomware attack occurred about every eight minutes in 2020. Another analysis found that victims paid some $350 million in cryptocurrency ransom last year to perpetrators holding their data hostage. That represented a year-over-year increase of more than 300%. Worse, a recent Cybereason survey of more than 1,200 security professionals worldwide found that about 80% of businesses that paid ransom demands experienced a second attack, and 46% of those believed the second attack came from the same hackers.

The spike in online thievery has left President Biden and his administration sounding the alarm on cybersecurity, urging businesses to fortify their defenses. The federal government has taken concrete steps to beef up security, including writing legislation that would pour $500 million into cybersecurity at the state and local levels. Biden also signed an executive order in May requiring companies that sell software to the government to disclose breaches of their systems.

Meanwhile, the SEC can use its authority to motivate corporate laggards to bring their cybersecurity defenses up to par. Sanctioning companies like First American for insufficient controls suggests the agency isn’t playing around. But while that strategy may work on public companies, the SEC lacks authority over private businesses. Unfortunately, that group owns most of the country’s infrastructure assets.

The Justice Department’s announcement that it recovered a sizable chunk of the Colonial Pipeline ransom did offer one intriguing possibility for deterring hackers: hitting them in the e-wallet. The FBI seized control of an online account holding nearly 65 Bitcoins, valued at approximately $2.3 million. Given that hackers prefer to deal in cryptocurrency, a reliable approach to disrupting those payment flows could deal a serious blow to the online extortion racket.
