Why Critical Infrastructure is a Target for Ransomware

The pressure on security leaders to manage more with less continues to mount against a backdrop of increasingly frequent and sophisticated cyberattacks. Ransomware attacks have grown significantly in the past few years, and they are becoming especially prevalent in areas such as critical infrastructure, the supply chain, and financial institutions. According to the Cybersecurity and Infrastructure Security Agency (CISA), 14 of the 16 US critical infrastructure sectors experienced ransomware incidents in 2021.

The financial implications of ransomware attacks have also become more severe in recent years, with these attacks causing more widespread damage than other single-target attacks. As a result, both government and technology vendors are responding with increased measures to fight these attacks. The question remains, however, whether these measures are enough.

In March 2022, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program, aimed at helping critical infrastructure organizations defend against ransomware attacks by fixing vulnerabilities. Although this is a positive first step, organizations need to develop a comprehensive security plan that incorporates multiple layers of protection and includes employee training and well-defined and enforced security policies.

The RVWP initiative was launched to assist critical infrastructure providers that do not follow security best practices. However, opportunistic attacks remain common. Ransomware operators often use watering-hole attacks, spear phishing, and malicious advertising to gain a foothold in network environments. These tactics exploit people rather than unpatched systems, and they are difficult to mitigate with vulnerability scanning and reporting alone, which means critical infrastructure will continue to be impacted by ransomware.

An example of how such malware spreads is GootLoader, a popular loader that gives threat actors initial access to the victim’s IT environment. GootLoader relies on search engine optimization (SEO) poisoning to reach victims, and it has been seen compromising legitimate WordPress websites to host its lure pages. While this malware does not specifically target critical infrastructure entities, the list of search terms seen on GootLoader landing pages shows that critical infrastructure providers and their workers could be exposed.

To mitigate these risks and become more cyber resilient, there are several critical first steps that the industry can take:

1. Training: CISA should expand the RVWP program to include free end-user training and phishing simulations for critical infrastructure providers through third-party security providers.

2. Improving search engines: The industry needs to encourage search engine companies to proactively search for and remove malicious ads and search results from their platforms. CISA could also implement a program to scan for and report malicious ads and search results directly to responsible teams at the major search engines for rapid mitigation.

3. Understanding malware: Security teams need better insight into the kill chain of ransomware operations. For example, remapping dangerous file extensions so that they open in Notepad instead of executing through their default application can neutralize many types of malware at the initial-access stage.
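The extension remapping described in the third step, as an added PowerShell example that is not part of the original article. It assumes a per-user override under HKCU:\Software\Classes (which takes precedence over the machine-wide default in the merged HKEY_CLASSES_ROOT view), a constructed list of script-type extensions, and that notepad.exe resolves on the PATH.

```powershell
# Added example: make script-type files open in Notepad on double-click instead of
# running through the Windows Script Host or mshta. Assumption: the per-user classes
# hive overrides the machine default for the current user; no admin rights needed.
$Extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'   # constructed list

# The merged HKEY_CLASSES_ROOT view is used to look up each extension's ProgID.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

foreach ($ext in $Extensions) {
    # The default value of HKCR:\.ext names the ProgID (e.g. JSFile for .js).
    $progId = (Get-ItemProperty -Path "HKCR:\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        Write-Warning "$ext has no registered ProgID; skipping"
        continue
    }

    # Capture the handler currently in effect so the change can be reversed later.
    $current = (Get-ItemProperty -Path "HKCR:\$progId\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'

    # Write the per-user override; New-Item -Force creates missing parent keys.
    $userKey = "HKCU:\Software\Classes\$progId\shell\open\command"
    New-Item -Path $userKey -Force | Out-Null
    if ($current) {
        Set-ItemProperty -Path $userKey -Name 'OriginalCommand' -Value $current
    }
    Set-ItemProperty -Path $userKey -Name '(default)' -Value 'notepad.exe "%1"'

    Write-Host ("{0} ({1}): now opens in Notepad; previous handler: {2}" -f $ext, $progId, $current)
}
```

This only changes what happens when a file is launched through the shell (double-click, "Open"); scripts invoked explicitly via wscript.exe, cscript.exe or mshta.exe still run, so pair it with application control where possible.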

Adding these measures could have a far greater impact on stopping the proliferation of ransomware than the RVWP program alone. Security leaders must continuously evaluate and improve their cybersecurity measures to protect critical infrastructure against ransomware and other cyberattacks. The severity and frequency of ransomware attacks are only increasing, and the consequences are far-reaching. It is therefore vital that the industry collaborates and takes a proactive approach to this issue before it is too late.
