By Staff Writer.
“One example of a threat affecting all organisations is that of ransomware”, said Mr. Teo Chee Hean (Senior Minister of State and Coordinating Minister for National Security) at the Singapore International Cyber Week (SICW) 2022 Opening Ceremony.
With the Asia-Pacific’s premier event on cyber security returning to a full physical setting (complemented by a virtual component) after a two-year hiatus, much attention is focused on the evolution of the threat landscape during the Covid-19 pandemic years.
“The digital and cyber space has become ubiquitous, indispensable and so much a part of our lives today. COVID-19 has accelerated the adoption of digital technologies, making them a part of everything that we do,” he said.
“However, precisely because the digital domain has become a more important and indispensable part of our everyday lives, threats in the digital domain have become much more serious and more challenging,” he added.
For example, “earlier this year, a ransomware attack on Costa Rica crippled essential services in the country, forcing the Costa Rican government to declare a state of national emergency,” he pointed out.
For the latest observations on this ransomware threat, we hear from the speakers at the SICW 2022 Summits “Tackling the Ransomware Scourge – Global Cooperation for a Transboundary Issue” and “Digital Infrastructure – Common Stakes”.
The following are some of the themes that emerged.
Shared responsibilities and common stakes
Delivering the keynote at SICW 2022’s session on tackling ransomware, Hon Tim Watts MP (Assistant Minister for Foreign Affairs of Australia) highlighted the October 2021 hacking of the Papua New Guinea government.
While the threat “has become ubiquitous in the developed world”, he said, digitalisation for economic development also meant that developing countries have become targets of ransomware actors.
This “shared threat of ransom” across developed and developing economies means that combatting ransomware has to be a “shared responsibility,” he added.
Referring to the ongoing Russia-Ukraine conflict, Mr Viktor Zhora (Deputy Chairman and Chief Digital Transformation Officer, State Service of Special Communication and Information Protection of Ukraine) stressed the importance of countries contributing to lessons learned.
“Cyber attacks can switch from one country to another. Today they attack Ukraine, tomorrow it can be another country, so it is important that Ukraine contribute” what it knows about the malware, the TTPs (Tactics, Techniques and Procedures), he said.
It is also “beneficial to study the threats landscape together”, according to H.E. Nathalie Jaarsma (Ambassador at-Large for Security Policy and Cyber, The Kingdom of the Netherlands).
“Strengthening the global cybersecurity architecture will require a multi-stakeholder approach,” said Mrs Josephine Teo (Minister for Communications and Information) at the opening of the SICW 2022 Summit.
“Ultimately, we are all better served by having a strong global cybersecurity architecture that gives our people and businesses the confidence and trust to engage in the digital domain.”
“This means all of us doing our part to help our cyberspace remain open, stable, and interoperable,” she added.
A pandemic
“Ransomware had spiked during the pandemic”, said Mr Gregory Bunghardt (Acting Director of Cyber Policy, Department of Public Safety Canada).
More than that, with billions in damages caused by ransomware, the threat can be said to be “also a pandemic”, said Dr Regine Grienberger (Cyber Ambassador, Federal Foreign Office, Germany).
In fact, today’s digital era means that “anything that can be ransomed,” said Mr Jeff Moss (Founder of Black Hat and DEF CON Computer Security Conferences).
According to Global Trends in CSA’s “Singapore Cyber Landscape 2021”, ransomware was one of the significant trends “that characterised the cyber landscape of 2021” which saw such attacks “‘graduate’ fully from once sporadic and isolated incidents, into legitimate national security risks[1].”
Ransomware is a business
“Ransomware is a business primarily”, said Moss, and we are now seeing the rise of “ransomware-as-a-service,” added Mr Koneru Kalyan Chakravarthy (Cyber Security Practice Leader, Microsoft).
Reports of high-profile ransom demands point to the lucrative nature of malicious operations. Unsurprisingly, with these “successes”, the malware value chain has evolved into specialised groups. There are phishing-as-a-service, access-as-a-service, and naturally ransomware-as-a-service (“RaaS”).
DarkSide, the ransomware operator that was reportedly behind the Colonial Pipeline incident, is a RaaS. Other notorious groups include REvil (or Sodinokibi), which was among the top 5 criminal groups tracked by cyber security researchers until it was dismantled by the Russian government in January 2022.
Cross-domain challenge
In many ways, the WannaCry ransomware that struck in May 2017 was a watershed moment, opening the public’s eyes to the indiscriminate spray-and-pray tactics of the destructive cyber attack.
More recently, during the pandemic years, while large organisations critical to the economy’s infrastructure – such as Colonial Pipeline – fell prey to ransom demands, small and medium businesses were not spared. With their less than robust cyber security posture, they found themselves in the crosshairs of the ransomware operators.
“For our efforts to be effective, the ransomware threat must be tackled as a cross-domain challenge,” said Mr Teo.
The Counter Ransomware Task Force (CRTF)[2], announced by Mr Teo at SICW 2022, is one example. Comprising senior Government representatives from the technology, cybersecurity, financial regulation, and law enforcement domains, the task force will deliver a report recommending strategies that the Government can take to improve its counter ransomware efforts.
Under-reporting
“Cyber incidents are severely underreported,” said Mr Bunghardt.
Reports and statistics on ransomware may represent a snapshot picture of the incidents in a particular country or industry, and only where disclosures have been made.
Organisations may hold back from disclosure or information sharing, often due to the vague nature of breach reporting, fear of regulatory penalties, or guidelines on information sharing arrangements.
Interestingly, Mr Craig Jones (Cybercrime Director, Interpol) highlighted that information sharing across government agencies is sometimes complicated by data protection regulations.
To encourage organisations to report cyber incidents, Deputy Secretary Marc Ablong PSM (Deputy Secretary, Strategy and National Resilience / Cyber Security Coordinator, Department of Home Affairs, Australia) offered that there is a need to move away from the “blame game” and provide for reporting on “a safe harbour basis”.
Ransomware payments
When the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments”[3] on October 1, 2020, it generated much debate.
Organisations not caught under this sanction regime may be tempted to accede to the ransom demands.
However, while there is no guarantee that the “decryption” key will work, or that a copy of the data has not been sold, organisations that have no backups may find themselves left with no other option but to pay.
In this ongoing debate about whether to pay, a common concern is raised: that payments fuel the ransomware crime wave.
More worryingly, Moss pointed out that the emerging “ransomware broker” may become entrenched in the cybersecurity ecosystem.
In conclusion
- According to CSA, 137 ransomware cases were reported to the agency in 2021, an increase of 54% from the 89 cases reported in 2020.
- Globally, recent trends suggest that ransomware attacks are on the decline.
- For example, Check Point’s research notes that “overall, the number of ransomware attacks has fallen worldwide by 8% compared with the third quarter of 2021”[4].
- Similarly, Digital Shadows reports that “Q3 2022 saw ransomware activity slow, with overall activity declining 10.5% from the previous quarter.”[5]
Regardless, the complexity of the overall cyber threat landscape will only grow as more and more of our daily activities are performed online. If there is one take-away from the ransomware incidents, it is that regular cyber awareness training goes a long way to remind ourselves that we are often the first line of defence against the ever-evolving adversary.
References
[1] https://www.csa.gov.sg/News/Publications/singapore-cyber-landscape-2021
[2] The Task Force is chaired by Mr David Koh, Chief Executive, Cyber Security Agency (CSA) and comprises representatives from the CSA, Government Technology Agency, Infocomm Media Development Authority, Ministry of Communications and Information, Ministry of Defence, Ministry of Home Affairs, Monetary Authority of Singapore, Singapore Armed Forces and Singapore Police Force.
[3] The OFAC sanctions prohibit U.S. persons from engaging in transactions, directly or indirectly, with individuals or entities on the sanctions lists (which cover such countries as Iran and North Korea, amongst others); making ransomware payments to banned individuals and regions could result in fines of up to $1 million.
[4] https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks/
[5] https://www.digitalshadows.com/blog-and-research/ransomware-in-q3-2022/