This is the question we posed. "If you were 'king,' and had all the power you needed, how would you go about defeating the entire ransomware industry?"
Responses varied widely. Some took the whimsical path and proposed personal powers; others tried to be more 'practical.'
Resigned to the fact
Many expressed a broad resignation about the likely futility of defeating ransomware outright, and focused instead on bolstering defences.
Sean Duca, Vice President and Regional Chief Security Officer, Asia Pacific and Japan, Palo Alto Networks, for instance said, "Ransomware is constantly evolving, so instead of focusing on the threat, I'd much rather emphasise prevention." Gilad Bandel, VP Product and Marketing at Arilou automotive cyber-security, added, "Since attackers will always exist and in many cases are beyond the reach of the legal forces, the proposed course of action is protection in many senses, such as secure by design, intrusion detection/prevention systems, effective CERT-IR teams, etc."
It probably can't be fixed
Many of our panel were resigned to the fact that it really can't be fixed.
Casey Ellis, Founder and CTO, Bugcrowd, said, "The problem with ransomware is the minute you find a way to wipe it out and make it more difficult, the bad guys don't pack up and go home. They find a way around it. It's like an arms race that goes on and on."
Garrett O'Hara, Principal Technical Consultant, Mimecast added, "In all seriousness: No King can stop all ransomware attacks regardless of how benevolent he is, or how good his intentions are. A good king would understand this and act accordingly."
Ellis continued, "At the risk of oversimplifying, many of the pervasive and longstanding security issues that have persisted for decades explain the rise of ransomware. Ransomware exploits often take advantage of older infrastructure and software. It also depends on inattentive or unsophisticated users to activate attacks with an errant click or download."
How are we falsely trusting?
Ellis: "I would mandate that people who design software include ways to make insecure decisions more obvious to non-technical users. Software manufacturers don't always build the solution in a way that can help users understand the technicalities.
"What we have seen through ransomware incidents is that these manipulative attacks also take advantage of the victim's trust in a domain or application — tricking them into thinking that they're visiting a site they trust. Just like phishing emails, users should know not to click on or download things unless they understand the source."
Duca was adamant that "Cybersecurity needs to be a zero-trust game. So my immediate three priorities would be to:
Educate people and businesses on the value of their data
This sounds simple but not many people truly understand how valuable their data can be to cybercriminals. According to the Australian Cyber Security Centre (ACSC), Australians are reporting cybercrimes every 10 minutes with an average loss of $700 - that is a lot of money to lose regularly.
If people won't allow themselves to be robbed in broad daylight, there's no reason to allow or encourage (with poor cybersecurity) this behaviour online. A good way to start is with training and education programs in schools, businesses, and organisations to raise awareness and understanding.
Protect what matters to us and our businesses
No one can ever really predict a cybersecurity crisis and we need to do more to protect ourselves. No one willingly leaves their front doors open to encourage theft so similarly, we should keep our online front doors shut and reinforced with locks for safety.
This is especially critical for businesses: put in place an effective cyber resilience plan that follows the trail of your data - one that alerts you when ransomware tries to make a move on it. If and when attacked, you can disconnect that system from your entire network to limit the blast radius and give yourself time to prevent it from affecting the rest of your organisation. Steps like these can help mitigate the worst effects of an attack with minimal downtime.
We all have a role to play in cybersecurity
Cybersecurity is a team sport where everyone (individuals, businesses, and the authorities) needs to work together to safeguard the data and integrity of assets belonging or connecting to any organisation's network, or even to our home networks.
The more united we are in our approach against cyber attackers, the harder it will be for them to put our finances at risk, steal our information, and disrupt our livelihoods."
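Duca's "resilience plan that alerts you when ransomware tries to make a move on your data" is, in practice, a detection rule over file-activity telemetry. The following is an added example written for this article, not code from Palo Alto Networks or any panellist: a toy detector that reads constructed file-share audit lines (timestamp | host | action | path [| new path]) and raises one alert per host when, inside a 60-second window, the host touches at least five distinct files and changes at least five file extensions, which is the footprint bulk encryption leaves behind. The log format, hostnames, paths and thresholds are all assumptions; the alert carries the "isolate the host" action Duca describes so it can feed a response playbook.

```python
"""Toy ransomware-activity detector over constructed file-share audit events.

Each line: ISO timestamp | host | action | path [| new path for RENAME].
Alerts when one host touches many distinct files AND changes many file
extensions inside a short window, the pattern bulk encryption leaves behind.
All names, paths and thresholds below are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # sliding window per host
MIN_DISTINCT_FILES = 5           # both thresholds are illustrative
MIN_EXT_CHANGES = 5

# Constructed sample log: ws-04 does ordinary editing, ws-17 behaves like an encryptor.
SAMPLE_LOG = """\
2024-05-01T09:00:01|ws-04|WRITE|/srv/share/hr/policy.docx
2024-05-01T09:03:10|ws-04|RENAME|/srv/share/hr/~draft.tmp|/srv/share/hr/draft.docx
2024-05-01T09:10:00|ws-17|WRITE|/srv/share/finance/q1.xlsx
2024-05-01T09:10:00|ws-17|RENAME|/srv/share/finance/q1.xlsx|/srv/share/finance/q1.xlsx.locked
2024-05-01T09:10:01|ws-17|WRITE|/srv/share/finance/q2.xlsx
2024-05-01T09:10:01|ws-17|RENAME|/srv/share/finance/q2.xlsx|/srv/share/finance/q2.xlsx.locked
2024-05-01T09:10:02|ws-17|WRITE|/srv/share/finance/q3.xlsx
2024-05-01T09:10:02|ws-17|RENAME|/srv/share/finance/q3.xlsx|/srv/share/finance/q3.xlsx.locked
2024-05-01T09:10:03|ws-17|WRITE|/srv/share/finance/budget.docx
2024-05-01T09:10:03|ws-17|RENAME|/srv/share/finance/budget.docx|/srv/share/finance/budget.docx.locked
2024-05-01T09:10:04|ws-17|WRITE|/srv/share/finance/payroll.csv
2024-05-01T09:10:04|ws-17|RENAME|/srv/share/finance/payroll.csv|/srv/share/finance/payroll.csv.locked
2024-05-01T09:10:05|ws-17|WRITE|/srv/share/finance/README_RESTORE.txt
"""


def parse_event(line):
    """Parse one audit line into a dict; flags renames that change the extension."""
    fields = line.strip().split("|")
    ts = datetime.fromisoformat(fields[0])
    host, action, path = fields[1], fields[2], fields[3]
    new_path = fields[4] if action == "RENAME" else None
    ext_changed = (action == "RENAME"
                   and posixpath.splitext(path)[1] != posixpath.splitext(new_path)[1])
    return {"ts": ts, "host": host, "action": action, "path": path, "ext_changed": ext_changed}


def detect_bulk_encryption(lines):
    """Return a list of alerts, at most one per host, for bulk-rename behaviour."""
    windows = defaultdict(deque)   # host -> events inside the sliding window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        q = windows[ev["host"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:   # drop events older than WINDOW
            q.popleft()
        distinct = {e["path"] for e in q}
        ext_changes = sum(1 for e in q if e["ext_changed"])
        if (ev["host"] not in alerted
                and len(distinct) >= MIN_DISTINCT_FILES
                and ext_changes >= MIN_EXT_CHANGES):
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "first_seen": q[0]["ts"],
                "last_seen": ev["ts"],
                "files": len(distinct),
                "ext_changes": ext_changes,
                "action": "isolate host from the network, preserve logs, start restore from backup",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_encryption(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script it prints a single alert for ws-17, triggered at the fifth extension change, while the single benign rename on ws-04 stays below both thresholds. A production rule would tune the window and thresholds per share and add a known-good list for tools that legitimately rename many files (archivers, build systems, sync clients), otherwise the isolation step becomes a self-inflicted outage.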
Similarly, Stephen Burke, CEO and founder of Cyber Risk Aware added, "I would offer ransomware decryption keys 'to the kingdom' by making available all of the collected decryption keys that are available owing to those who have already paid a ransom. I would offer them free of charge to any newly affected company or individual."
Further, Burke offered, "I would also issue an edict mandating all companies to:
Ensure backups are in place and are regularly tested.
Keep copies of backups off the network
Provide security awareness for staff on what ransomware is and how it is their actions that cause over 86% of infections by opening and clicking on emails.
Patch all systems AND software so vulnerabilities cannot be exploited."
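Burke's first two points, backups that exist and are regularly tested, are the ones most often claimed and least often checked. The following is an added example written for this article, not code from Cyber Risk Aware or any panellist: it archives a directory into a gzip tarball with an embedded SHA-256 manifest, returns that manifest so it can be kept separately from the archive (the off-network copy Burke asks for), and then performs a real restore into a scratch directory, comparing every file's hash against the stored manifest. The demo also shows the check catching drift, where the live data has changed since the backup was taken. Sample files, paths and names are constructed; the tarball extraction uses Python's `filter="data"` where the interpreter supports it.

```python
"""Backup self-test (added example): archive a directory with a SHA-256
manifest, restore into a scratch directory and verify every file.
Sample files are constructed inline; paths and names are illustrative."""
import hashlib
import io
import json
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(source_dir):
    """{relative POSIX path: sha256} for every regular file under source_dir."""
    source = pathlib.Path(source_dir)
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir plus an embedded MANIFEST.json.
    Returns the manifest so a copy can be stored away from the archive."""
    manifest = manifest_of(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(pathlib.Path(source_dir, rel)), arcname=rel)
        data = json.dumps(manifest, sort_keys=True, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_restore(archive_path, expected):
    """Restore into a scratch dir and check every expected file's hash.
    Returns (ok, list of human-readable problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses path traversal (3.12+ and backports)
            except TypeError:
                tar.extractall(scratch)                  # older interpreters lack the filter argument
        restored = pathlib.Path(scratch)
        embedded = json.loads((restored / "MANIFEST.json").read_text())
        if embedded != expected:
            problems.append("embedded manifest differs from the externally stored one")
        for rel, digest in expected.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(target) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return (not problems, problems)


def run_demo():
    """Back up a constructed tree, prove a clean restore, then show that the
    check catches drift when a source file changes after the backup."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "share")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("month,revenue\n2024-01,1200\n")
        (src / "report.txt").write_text("quarterly summary v1\n")
        archive = pathlib.Path(work, "share.tar.gz")

        stored_manifest = create_backup(src, archive)       # keep this copy off the archive host
        clean_ok, _ = verify_restore(archive, stored_manifest)

        # Drift: the live data changed, but the archive still holds the old copy.
        (src / "report.txt").write_text("quarterly summary v2\n")
        drift_ok, drift_problems = verify_restore(archive, manifest_of(src))
    return clean_ok, drift_ok, drift_problems


if __name__ == "__main__":
    clean, drift, problems = run_demo()
    print("clean restore ok:", clean)
    print("stale backup detected:", not drift, problems)
```

The point of restoring into a scratch directory rather than only listing the archive is that a restore test exercises the same code path an incident would; a tarball that lists fine but cannot be extracted, or whose contents no longer match what the business relies on, is exactly the backup that fails on the day it is needed. Scheduling `verify_restore` against each backup, with the manifest read from the off-network copy, turns "backups are in place" into something measurable.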
Casey Ellis adds, "Crowdsourced security provides an added layer of defense, as a crowd of good-faith hackers can uncover vulnerabilities before the bad actors can take advantage of them. Having a vulnerability disclosure program is vital for businesses today."
Putting on his kingly robes, Garrett O'Hara opines… A benevolent king would work to:
Create consistent cyber security standards and processes across the kingdom, and wisely use incentives to ensure organisations align to them. The king would use positive rewards to motivate businesses to ensure their cyber security standards don't jeopardise the kingdom's subjects. Perhaps a front row seat at the next jousting tournament. The king would also punish businesses who were careless with their cyber security practices, giving fines or time in the dungeon to repeat offenders.
Make sure all his subjects were educated on the risks of ransomware. He would use advertising approaches to cut through people's busy lives and make sure they know what could happen if they click on the wrong link, open an attachment that is dangerous, or provide their details to a rapscallion.
Use the best available technology to protect his citizens. Make sure they have good email security protection that can see if links or attachments are bad, or if an email is a scam. Make sure they have good web security, and EDR. And he would make sure that as new campaigns were happening that threat intelligence was shared with his trusted subjects so they could be proactive in protecting themselves and their businesses.
Ellis adds, "Bottom line: organizations, private and public sector, must educate their employees around the risks, and simultaneously ensure that their software and hardware are up to date. And it is very important for software manufacturers to design their applications with the non-technical user in mind."
Penalties and remedies
Going hard at the problem, Gilad Bandel suggested, "If by any chance an attacker is caught by the authorities, harsh punishment should be inflicted." If only we had the international treaties to prosecute these people, but too many countries will protect their citizens.
Max Henderson, Incident Response Lead/Senior Security Analyst, Pondurance, was more expansive - "The most important piece comes down to extradition, as we see the Dridex gang was indicted yet still operates on a massive scale. We frequently see ransomware groups generate killswitches for computers in nearby countries/languages, likely out of fear for legal retaliation. Additionally, there are visibility pieces such as tracking Tor and VPNs to true source IPs."
Being a 'King'
When pressed for a 'kingly' response, Henderson responded, "I'd relinquish power and establish democracy." As if that would work!
Finally, going to a degree of extreme, Garrett O'Hara said, "I would ban the internet and then remove all computers, servers, smartphones and tablets from the kingdom. I would issue an edict outlining our return to paper, pens and the mighty abacus. The underground market in devices that springs up would be quashed and those subjects found selling illegal hardware would be sentenced to ten years of watching 'CSI: Cyber' in government controlled rehab centres. The worst offenders would undertake community service helping stranded astronauts, international down-on-their-luck royalty and recent lottery winners as they figure out how to spend their newly gained riches."
We were really hoping for a couple of magical bullets to arise from this discussion; however, it seems we're stuck (?) with all the standard advice: educate the users, be vigilant and have great backups.