The ransomware epidemic
Ransomware has been with us for well over a decade. But it reached a nadir during the pandemic. As corporate attack surfaces expanded with digital investments, security controls were often dismissed in favour of productivity gains. Under-protected home workers and remote access infrastructure became an unwitting access point. It didn’t help that many engaged in riskier behaviour at home than they would in the office.
At the same time, ransomware-as-a-service offerings attracted a new breed of affiliate groups into the sector, increasing the volume and variety of threats. Initial access brokers (IABs) often provide the entry point – whether via vulnerability exploitation, phishing attack or RDP compromise. Then the affiliates take over, using legitimate tooling to move laterally to find and exfiltrate data and deliver their ransomware payload. Major organisations are singled out in sophisticated “big game hunting” attacks while SMBs suffer in even greater numbers. Double, triple and even quadruple extortion have become commonplace ways to force payment. And some of the most aggressive groups like Conti and REvil make billions.
Ransomware is now present in 25% of data breaches, a 13% year-on-year increase. The volume of reports to the FBI, itself representing just the tip of the iceberg, jumped 109% from 2017 to 2021.
How bad is supply chain cyber risk?
This matters, because ransomware actors are always looking for a bigger pay-day. Supply chains are an attractive target because they can offer either a poorly defended access vector and/or an opportunity to multiply illicit profits by infecting many organisations through a single supplier.
Supply chains are a complex web of interdependent organisations. Many participants in these networks probably don’t even realise how many suppliers, partners and contractors they have. They could be providers of IT hardware, software and services. They could be open source code repositories. They could even be non-digital suppliers ranging from law firms and accountants to building maintenance providers. Supply chain risk is everywhere.
Some examples of big-name supply chain breaches are instructive:
IT management software provider Kaseya was compromised in 2021. A sophisticated attack saw hackers exploit an internal software vulnerability to push out malicious updates to its MSP customers. They in turn infected downstream customers with ransomware. An estimated 1,500-2,000 organisations were impacted.
IT management vendor SolarWinds was hacked by state operatives in late 2020. Similar to the Kaseya incident, attackers used the firm’s privileged access to customer networks to infect countless customers. Malware inserted into the Orion software was used to compromise at least nine US government departments.
A little-known third-party HVAC company was compromised back in 2013. The attackers stole its access credentials for its client Target, used them to access the US retail giant’s IT systems, and carried out one of the biggest card breaches ever seen.
The Log4Shell exploit highlighted ongoing challenges around the security of open source code and components.
It’s still causing problems for firms unable to comprehensively locate the presence of Log4j across their systems, due to complex software dependencies. Many DevOps teams use third-party components to accelerate time-to-market for their software. But these often introduce vulnerabilities or deliberately planted malware. According to a recent report, the average application development project contains 49 vulnerabilities spanning 80 direct dependencies, while 40% of bugs are found in indirect dependencies.
Not all of these examples involve ransomware. But they highlight the potential impact of supply chain compromise. The risk is real.
Against this backdrop, Trend Micro found that 79% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target. That’s perhaps unsurprising, given that 52% of global organisations have a supply chain partner that has been hit by ransomware.