03 Jun It’s Ransomware Season. Is There A Target On Your Back?

Black Kite’s new algorithm can predict the likelihood that you’ll get hit

– David Braue

Melbourne, Australia – Jun. 3, 2021

An ongoing spate of ransomware attacks has shown, more than ever, that any company can be hit by a ransomware attack at any time — with JBS, Colonial Pipeline, Scripps Health, New New York’s Metropolitan Transport Authority (MTA) and others falling in recent weeks.

There’s no question that ransomware is becoming a plague of epic proportions — Cybersecurity Ventures recently predicted damages would pass $250 billion annually by 2031 — but what if your company could measure its susceptibility to ransomware, and predict with certainty whether you’re likely to get hit?

Bob Maley can help.

As chief security officer at cyber ratings service Black Kite, he and his team have been analyzing cyber risk for years — and they recently developed a metric that has proven remarkably accurate at predicting whether a company is likely to fall victim to ransomware.

Based on an evaluation of 23 key security and risk controls, the company’s Ransomware Susceptibility Index (RSI) measures a target company’s security maturity and generates a percentage measure that reflects its maturity.

Lower scores are better, and Maley recently told Cybercrime Magazine that retrospective verification — checking RSI scores for companies after they were found out to have been hit by ransomware — has confirmed the index’s specificity.

Cybercrime Radio: Ransomware Susceptibility Index (RSI)

Bob Maley, Chief Security Officer at Black Kite

“We went through the research and created the algorithm,” he explained, “and then we started monitoring the dark web and public news sources for cases of ransomware. And we started to see that there was a direct correlation, especially if the RSI was over 0.6.”

The high-profile compromise of Taiwanese manufacturer Quanta in April — from which the REvil ransomware gang stole blueprints and pushed Apple to pay them millions or face their public release — provided a case in point, with the company’s RSI score working out to 0.63.

Another company whose data appeared online after a major attack — a major healthcare provider — posted an extremely high score of 0.92 but its data disappeared before its identity could go public.

“We never saw anything in the press about it,” Maley said, “and the data and everything disappeared from the dark web. We’re assuming that somebody paid the ransom.”

Close the windows and lock the doors

The RSI methodology has not only proven uncannily accurate at predicting the likelihood of a company being hit by ransomware, but also provides a list of mitigations that might help the analyzed company avoid becoming yet another statistic.

“When we do research we’ve seen that small to medium businesses don’t take advantage of a couple of things in email security that are really simple to do,” Maley said, citing the example of DMARC anti-spoofing technology that is free and relatively easy to set up.

“We see so many companies that don’t take advantage of that,” he said, “and I wish people would go out and just do that right away.”

Given the scattershot nature of ransomware infections this year — and their significant success — Maley said it is clear that many cybercriminals had forgotten about early promises not to attack healthcare facilities during the chaos of the COVID-19 pandemic.

“I’ve seen people criticize them by saying how disingenuous they are to say they only want to hit companies that can afford it,” he explained, referencing the controversy around the Maze ransomware gang’s initial effort to qualify the extent of their malicious activities.

“But it doesn’t matter if they are disingenuous or not — they’re criminals. They are bad actors, and they’re looking to get money from anybody that they can.”

A storm of hospital ransomware attacks later in the year confirmed that many in the ransomware community had far fewer scruples — and were happy to create “plausible deniability” by selling the ransomware-as-a-service capabilities to all comers.

“If you look at that gang, they had a very astute way of marketing on the dark web,” Maley said. “And you can criticize them for doing that, or you can understand that they are our adversaries — and they’re very adept at pivoting.”

As the FBI ramps up its anti-ransomware capabilities and one major infrastructure operator after another falls victim to ransomware gangs, the current climate has become a free-for-all where nearly any cybercriminal could launch their own ransomware attacks — on any company, at any time.

“They get inside, and the first thing they’ll do is exfiltrate your data,” he said. “The next thing they do is encrypt it — and then say they want a ransom or they’re going to release it.”

This very predictable chain of events had given Black Kite considerable experience working with clients to measure their exposure to ransomware gangs’ threats of publishing confidential data.

Again, Maley said, the application of mathematical algorithms helps the company “quantify what the probable financial impact of a cyber event would be [from] access to the crown jewels in your organization, or access to data that you have shared.

“It helps you understand what those levels [of exposure] are,” he said. “And it can be significant.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.