Ransomware remains a risk and the best defence is to be prepared for attacks and the aftereffects, writes Rob Di Pietro, Cybersecurity and Digital Trust Leader at PwC Australia.
In a world where the physical and digital continuously overlap, where almost every system and service we take for granted is connected, where we literally carry the internet in our hands, cybersecurity has never been more important.
In Australia, 2022 offered a data security reality check. It was the year of the data breach.
And while the proliferation of serious data breaches has shone a light on the need to enhance cybersecurity across Australian institutions, organisations and households, it’s likely we’ll see this trend remain in 2023.
At its core, the data theft trend is ultimately a slight pivot from the ransomware tactics we’ve come to expect.
“To effectively target the ransomware scourge, a coordinated international approach is required.”
– Rob Di Pietro, Cybersecurity and Digital Trust Leader at PwC Australia
Because, while the aim of the game remains the same, the modus operandi of ransomware criminals (and cyber criminals more generally) continues to shift. They have realised that when it comes to effort, less is more.
As recent high-profile attacks have shown, data is the real prize. Why go to the hassle of encrypting systems if you can grab the data and run, then extort the victim? When a cyber criminal has the names, addresses, passport numbers and health details of millions of customers, the existential threat posed to an organisation is much greater than the inconvenience and revenue loss caused by locked up systems.
This is not always the case, of course, especially when it comes to critical infrastructure operations, but if the target organisation relies on personal data for their business, the reputational and financial impacts can be just as catastrophic.
That’s why business continues to boom – with few signs of abating – for ransomware criminals. And the term ‘business’ is not a throw-away line. Large-scale ransomware enterprises are just that, with reputations to uphold and clients to appease.
This may also go some way to explaining their shifting MO. Shutting down hospitals and threatening water supplies may present a threat to life, which does not play well with the public consciousness. And while the use of personal data for nefarious purposes could be just as damaging, the absence of the potential for physical harm has the façade of a ‘softer’ approach.
A key example of this shift played out in practice in the 2021 ransomware attack on Ireland’s Health Service Executive, in which the Conti ransomware gang handed over a decryption key. Lindy Cameron, CEO of the UK’s National Cyber Security Centre, described the action as “a public relations move to lessen criticism”.
The Australian Cyber Security Centre’s Annual Threat Report 2021-22 also notes that: “The availability of ransomware-as-a-service offerings affords cybercriminals a choice about the tools they can use. Ransomware syndicates also continued to professionalise by using third parties to negotiate with victims, assist them in receiving their ransom payments, and arbitrating disputes between actors”.
This is cold comfort for victims of ransomware attacks and, to be honest, for every organisation. Because anyone and everyone could find themselves a target – and Australia is a lucrative market.
In effect, ransomware is a particularly vexing issue for policy makers. Teamed with the (mostly) extraterritorial nature of offenders, who often operate with impunity in jurisdictions that turn a blind eye, the task is tough. But it is not impossible.
Political will is the first step and, domestically and globally, there is a lot. This is heartening, given that to effectively target the ransomware scourge, a coordinated international approach is required.
There is no doubt Australia has been a leader in the space and the news that our nation will chair the newly established International Counter Ransomware Task Force (ICRTF) is indicative of this. The ICRTF emerged from the recent Countering Ransomware Initiative Summit, which was hosted in Washington DC – a coalition of like-minded nations committed to building information and capability sharing and resilience, reducing disruption and cracking down on illegal financing of ransomware.
Having been thrown headfirst into the murky workings of cybercrime during her tenure as Minister for Home Affairs and Cyber Security, Clare O’Neil has also called on other nations to join the fight, in recognition that “we need a globally focused capability to combat cyber threats, including ransomware”.
On home soil, taking a proactive stance, she has been clear that policy mechanisms can only go so far – that the time really has come for organisations to step up and take responsibility for their cybersecurity. And if they don’t, massive fines for serious or repeated cyber breaches may follow, not to mention the ‘cyber Darwinism’ that will become increasingly common in an age where consumers and shareholders will talk with their feet.
Ransomware tactics will continue to morph and, for the foreseeable future, these attacks will remain a risk all organisations need to grapple with. Therefore, the best defence for organisations is to be prepared, not just for an attack but also for the aftereffects. And to be transparent, not just in the event of an attack but when it comes to cyber posture and protections more generally.
Rob Di Pietro is PwC Australia’s Cybersecurity and Digital Trust Leader