Dr. Josephine Wolff: Ransomware

[0:00:29]

JOSEPHINE WOLFF: So I think the systems that we would say are most vulnerable are the ones that need to be continuously operating. So if you think about a business like a law firm or, perhaps, even a university, a ransomware attack can be very disruptive. It can lose you a lot of money. It can stop a lot of important things. But it’s not actually going to be the same degree of impact as having to shut down a hospital, having to shut down a fuel pipeline, having to shut down the kind of infrastructure that needs to be able to operate constantly around the clock. And so the businesses, the sectors that are most vulnerable, I would say, are the ones that really cannot afford to shut down for any period of time, where there are patients who are relying on them, where there are suppliers or vendors who need their services constantly. And those are the ones where, I think, we see the most pressure to pay a ransom to recover as quickly as possible.

[0:01:37]

JOSEPHINE WOLFF: So a very wide range of risks depending on who’s targeted. And we’ve seen a pretty diverse set of possible victims and outcomes over the past few years. So if you think back to when there was a series of ransomware attacks that were targeting local governments – we saw the city of Atlanta, the city of Baltimore, several others that had many of their computer systems shut down. And it meant that people couldn’t pay their parking tickets, couldn’t complete home purchases because there were all of these online portals where they needed to be able to access paperwork or fill out forms. So that’s sort of mundane, but also very noticeable interruption in your life if you can’t pay your water bill through the city portal. And then there are interruptions like we saw with the Colonial Pipeline shutdown, where people can’t get gas, or the prices rise very precipitously. We’ve seen impacts in hospitals during the course of the COVID pandemic, where there’s been a lot of ransomware targeting the health care sector. And patients are being routed to other health care facilities. Or hospitals are being forced to revert back to using paper charts rather than their electronic medical records because they can’t access those medical records. So there is a really wide array of different impacts this can have on people’s everyday lives depending on who’s been hit and which systems go down.

[0:03:09]

JOSEPHINE WOLFF: So I think on the private sector side, we see a variety of different safeguards. We see a lot of emphasis on creating backups of systems, which for a long time was the kind of crucial advice we gave people about ransomware. Make sure you have lots of offline backup. So if all of your data is encrypted, you can go and reboot your systems without having to pay a ransom. And what we’re seeing now is even if you do have backups, it’s often a very laborious and time-consuming process to get them sort of ready and usable if your whole system has gone down. So there is much more effort now. I’m thinking about things like network segmentation. How do you divide up your computer network so that even if attackers are able to compromise one piece, they’re not able to compromise the entire network that your organization relies on?

We’re seeing a lot more interest in purchasing cyber insurance policies that cover these types of costs so that victims know that even if they get hit, they will have some lost protection for the resulting costs. We’re seeing a lot of interests in things like multi-factor authentication. And how do we try to make it harder for people to access our systems in the first place? And we’re seeing a lot of emphasis on phishing. And how do we train employees not to click on suspicious attachments? How do we make sure that sort of the initial compromised sections where the ransomware first infects system are being tamped down a little harder? On the policy and the government side, I think we’re just starting to see the federal government get interested in the question of, how do we make sure that critical infrastructure providers have better ransomware protections in place? And we’ve seen a little bit of that sort of just in the past few weeks from the Biden administration talking about how they’re going to require pipeline companies to report ransomware attacks, that they’re going to be issuing a set of security guidelines for some critical infrastructure operators. So I think there, we’re just starting to see a little bit more interest from the government in what they can be doing to help shore up the private sector.

[0:05:23]

JOSEPHINE WOLFF: It’s definitely not enough. And we know that because we’re still seeing really devastating ransomware attacks on a very regular basis. But the question that I think is really hard to answer is, is it enough to focus more and more and more on defensive mechanisms? And I think there’s a lot of progress that can be made by trying to ramp up defenses. But I also think that, ultimately, because there are so many vulnerabilities in computer systems and no way to close off all of them, this is going to come back to a conversation about, how do we make this a less profitable enterprise for criminals? How do we try to cut down on the number of ransom payments that are being made? How do we try to regulate the cryptocurrencies that criminals rely on to receive these payments? And that’s an area where I think we need to still be having a lot of very hard conversations and trying to think really deeply about what’s the best approach long term, not just in the immediate – here’s a victim who needs to get their systems back up and running – but where do we want to be two years, five years, 10 years from now?

[0:06:37]

JOSEPHINE WOLFF: So to safeguard vulnerable targets, I think we need to do a much better job of separating out the parts of computer systems that they use to send email or process payroll or run their websites and communicate with the public from the parts of their system that they use to operate infrastructure like pipelines or medical machinery in a hospital or processing plants for meat manufacturers – that we’re seeing much too much integration of all of those systems. So for instance, you could imagine a ransomware attack directed at Colonial Pipeline that just meant that their email systems were down for a few days, or they couldn’t process payroll or their website went down. But instead what we saw was they actually had to shut down a very large piece of their fuel pipeline. And that, to me, suggests that they had not isolated that sort of operational or infrastructural component of their network well enough from the part of the network where they were interfacing with the outside public and were most vulnerable to compromise.

[0:07:54]

JOSEPHINE WOLFF: So I would say, for me personally, I keep backups – both online, cloud-based backups and offline, external hard drive-based backups – so that if my personal computers are affected, I feel pretty confident I can restore all of the contents on them very easily without having to pay a ransom. That’s easier for me than it is for a large company because my network is not so extensive, the data is not so enormous as to make that a really onerous task. And then the other thing I do is sort of adhere to all of the standard cyber hygiene stuff – the multi-factor authentication, the not opening email attachments from strange addresses, being really careful about what I download and install on my computer and taking really seriously the possibility that even though I’m not a high-value target, there is still enough of this kind of malware floating around that I have to keep an eye out for it and try to be vigilant.

[0:09:01]

JOSEPHINE WOLFF: I think the thing that I would leave you with is that there’s still a tremendous amount we don’t know about the ransomware landscape. So it’s just this month that we’ve started to see government officials saying pipeline companies are going to be required to report ransomware attacks. And think about what a small piece of the overall industry that is. And think about what a sort of small lift that is for that piece of the industry just to have to report that this is happening and you’ll have some sense of how much of this is going on that we don’t know about, that we have no window into – either sort of how much is being demanded, how many ransoms are being paid, who’s being targeted. And that one of the reasons, I think, it’s been very hard to get people in the policy space to take this threat really seriously up until now is because it’s been such an invisible threat for so many people, that there hasn’t been good transparency, there hasn’t been good data collection. And therefore, it hasn’t been something that seemed urgent or large-scale or important enough to invest resources in.