Evidence-Based Strategies to Lower Your Risk of Becoming a Ransomware Victim

Carlo Cadet | May 20, 2021 | tag: Security Performance Management

BitSight research demonstrated some organizations are more than eight times as likely to become ransomware victims.

Ransomware: the financially-motivated cyber attack du jour

May 2021 is proving that the ransomware trend is running nearly unabated. In the US, the DarkSide ransomware group crippled the operator of the largest fuel pipeline serving the east coast, causing a system-wide shutdown that disrupted fuel supply along much of the US east coast for several days. In Europe, a double whammy hit the Irish health system when both the Health Service Executive (HSE), Ireland’s public health care operator, and the Department of Health suffered ransomware attacks that forced shutdowns of their IT infrastructure.

  • The health sector is regarded as especially vulnerable to cyber incidents and crises. The ENISA Threat Landscape report found that more than 66% of healthcare organizations experienced a ransomware attack in 2019: “In 2019, 45% of attacked organizations paid the ransom. Of the 45% of organizations that were attacked and paid the ransom, half still lost their data.” (source)
  • In Oct 2020, the first real-world case of triple extortion was seen. When a Finnish psychotherapy clinic was breached, the attackers not only extorted the clinic to regain access to its files but also to prevent the records from being published (double extortion). They then went one step further and extorted individual patients with the threat of publishing their records. (source)

The collateral consequences of ransomware also include the cost to insurance companies that underwrite cyber insurance policies. While they conduct diligence in the form of cyber risk assessment questionnaires and review of cybersecurity performance data (BitSight’s cyber insurance clients underwrite more than half of the global cyber premium), no security ratings provider had conducted a study correlating its ratings with ransomware incidents that produced definitive results. Until now.

Key takeaways from BitSight research

While no organization is immune from determined cyber criminals, there are best practices for minimizing the likelihood of being victimized. Chief among them is a relentless focus on core security hygiene: the everyday practice of ensuring that cybersecurity controls, processes, and people are performing effectively. While these best practices are widely acknowledged, it is clear that only a few leaders are achieving performance excellence.

BitSight’s research team analyzed hundreds of ransomware events since Nov 2018 to estimate the relative probability that an organization will experience a ransomware event. The analysis looked back over five six-month periods, benchmarking each rating band against companies with a high BitSight rating (750+) for security effectiveness.

Overall, the data shows that organizations with a rating lower than 600 are 6.4x more likely, and organizations with a rating between 600 and 650 are 4.6x more likely, to be a ransomware victim compared to the benchmark of organizations rated 750+. BitSight continuously and non-intrusively assesses organizational cybersecurity performance by evaluating security observations across 23 categories, including compromised and exposed systems, critical vulnerabilities, patching rates, software security, and other key issues. BitSight processes more than 250 billion security measurements daily to produce an objective security rating on a 250-900 scale that has been independently verified to correlate with breach risk.

[Chart: Risk Based on BitSight Rating]

Digging deeper into what BitSight calls individual risk vectors, patching cadence (the elapsed time between a software patch becoming available and that patch being implemented) is a strong indicator of security program performance: the longer the gap between patch availability and implementation, the lower the performance. Unsurprisingly, poor patching performance correlates with a nearly sevenfold increase in ransomware risk for companies with a C grade or lower. TLS/SSL certificate and configuration management are comparably strong indicators. Companies with a C grade or lower in TLS/SSL Configurations are nearly four times more likely to be a ransomware victim, and companies with a C grade or lower in TLS/SSL Certificates are roughly three times more at risk of a ransomware incident.
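To make the "N times more likely" figures above concrete, here is an added worked example (not BitSight's code, and not its data) that computes relative risk per rating band and per patching-cadence band from a constructed set of observations. It assumes the post's multipliers are relative risk ratios, i.e. ransomware incidence in a group divided by incidence in the 750+ benchmark group, and that "C grade or lower" means grades C, D and F; both are assumptions, not statements from the post. It also handles the case a practitioner hits on small samples: a benchmark group with zero events, where the ratio is undefined rather than infinite.

```python
"""Relative ransomware risk by BitSight rating band and patching-cadence grade.

Added example: this is not BitSight's code and the observations below are
constructed, not real data. It assumes the post's "N times more likely" figures
are relative risk ratios (incidence in a group divided by incidence in the
750+ benchmark group), and that "C grade or lower" means grades C, D and F.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Observation = Tuple[int, str, bool]  # (rating, patching-cadence grade, had a ransomware event)

# Constructed sample: eight organizations per rating band, not BitSight data.
OBSERVATIONS: List[Observation] = [
    (810, "A", False), (790, "A", False), (765, "B", False), (755, "A", True),
    (770, "B", False), (760, "A", False), (780, "A", False), (752, "B", False),
    (640, "C", True),  (610, "B", False), (625, "D", True),  (605, "C", False),
    (630, "C", False), (615, "F", True),  (645, "B", False), (620, "C", True),
    (580, "D", True),  (560, "F", True),  (590, "C", True),  (520, "F", False),
    (470, "D", True),  (555, "C", True),  (540, "F", True),  (575, "D", False),
]


def rating_bucket(rating: int) -> str:
    """Map a 250-900 rating to the bands the post reports on."""
    if rating >= 750:
        return "750+"
    if rating < 600:
        return "<600"
    if rating <= 650:
        return "600-650"
    return "651-749"  # the post gives no figure for this band


def patching_bucket(grade: str) -> str:
    """'C or lower' is the band the post contrasts with A/B performers (assumption)."""
    return "C-or-lower" if grade in ("C", "D", "F") else "A-B"


def relative_risk(observations: Iterable[Observation],
                  group_of: Callable[[int, str], str],
                  benchmark: str) -> Dict[str, Optional[float]]:
    """Relative risk of each group versus the benchmark group.

    incidence(group) / incidence(benchmark). Returns None for every group when
    the benchmark recorded zero events, because the ratio is then undefined
    rather than infinite. Raises ValueError if the benchmark group is empty.
    """
    events: Counter = Counter()
    totals: Counter = Counter()
    for rating, grade, hit in observations:
        group = group_of(rating, grade)
        totals[group] += 1
        events[group] += int(hit)
    if totals[benchmark] == 0:
        raise ValueError(f"benchmark group {benchmark!r} has no observations")
    base = events[benchmark] / totals[benchmark]
    result: Dict[str, Optional[float]] = {}
    for group, n in totals.items():
        incidence = events[group] / n
        result[group] = round(incidence / base, 2) if base > 0 else None
    return result


if __name__ == "__main__":
    by_rating = relative_risk(OBSERVATIONS, lambda r, _g: rating_bucket(r), "750+")
    by_patching = relative_risk(OBSERVATIONS, lambda _r, g: patching_bucket(g), "A-B")
    for label, table in (("rating band", by_rating), ("patching cadence", by_patching)):
        print(f"Relative ransomware risk by {label}:")
        for group, ratio in sorted(table.items()):
            print(f"  {group:<12} {ratio}x")
```

On the constructed sample the sub-600 band comes out at 6.0x and the C-or-lower patching band at 7.14x the benchmark incidence; the numbers are only illustrative of the arithmetic, not a reproduction of BitSight's result, and a real analysis would also need confidence intervals, which a ratio of two small incidence rates does not carry on its own.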

[Chart: Risk Based on Patching Cadence Grade]

In the above chart and the two that follow, letter grades provide a quick way to understand how a company is performing in each risk vector, and also a meaningful way to compare one company’s performance in a risk vector against another’s.

Letter grades are directly tied to how well a company is performing relative to all companies in the BitSight inventory. Below is a table that outlines how each grade corresponds to performance relative to companies of similar size:

[Table: how each letter grade corresponds to relative performance]

[Chart: Risk Based on TLS/SSL Certificate Grade]

[Chart: Risk Based on TLS/SSL Configurations Grade]


Looking for a deeper understanding of the relationship between its security data and ransomware incidents, the BitSight data science team tested all the confirmed vulnerabilities used in the BitSight rating for correlation with ransomware incidents. Using statistical analysis, they found five cases where the presence of a particular vulnerability (or group of vulnerabilities) indicated heightened risk of a ransomware incident.

Vulnerability        Increased Risk of Ransomware
CVE-2014-3566        1.5
CVE-2016-0800        1.3
CVE-2012-6708        1.3
CVE-2018-13379       1.8
PulseSecure group    2.6

CVE-2014-3566 and CVE-2016-0800 are the POODLE and DROWN SSL vulnerabilities. Both relate to obsolete SSL protocol versions (SSLv3 and SSLv2 respectively) and by themselves pose no serious threat to most companies; however, tens of thousands of companies have been running servers that still allow these obsolete protocols. Similarly, CVE-2012-6708 is an older jQuery cross-site scripting vulnerability that is an unlikely attack vector, yet it has been detected at nearly 20 thousand companies.
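The practical question behind the POODLE row is whether an endpoint still negotiates SSLv3 at all. The following is an added example, not BitSight's tooling or anything from the post: it builds an SSLv3-only ClientHello from raw record bytes (so it works even where the local OpenSSL build no longer ships SSLv3) and classifies the first record the server sends back. A `build_server_hello` helper produces what an accepting server would answer, so the classifier can be exercised offline against constructed messages. The cipher-suite list is an assumed set of legacy RSA suites; SSLv2 (DROWN) uses a different hello format and is not covered.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 ClientHello (POODLE exposure).

Added example, not BitSight's tooling. The hello and the classifier are built
from raw record bytes so the check does not depend on an OpenSSL build that
still ships SSLv3. SSLv2 (DROWN) uses a different hello format and is not
covered here. The cipher-suite list is an assumed set of legacy RSA suites.
"""
import os
import socket
import struct

SSLV3 = (3, 0)
CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

# Legacy suites an SSLv3-era server would recognise (TLS_RSA_WITH_AES_128_CBC_SHA etc.).
LEGACY_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSLV3, suites=LEGACY_SUITES) -> bytes:
    """ClientHello in the SSLv3/TLS record layout, offering only `version`."""
    body = struct.pack("!BB", *version)
    body += os.urandom(32)                                # client random
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([CONTENT_HANDSHAKE]) + struct.pack("!BB", *version) + struct.pack("!H", len(handshake))
    return record + handshake


def build_server_hello(version=SSLV3, suite=0x002F) -> bytes:
    """What an accepting server answers; used here to exercise the classifier offline."""
    body = struct.pack("!BB", *version) + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns for our SSLv3 hello."""
    if len(data) < 5:
        return "no-response"                              # closed socket or junk
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "rejected"                                 # protocol_version / handshake_failure alert
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        negotiated = (data[9], data[10])                  # ServerHello.server_version
        return "sslv3-accepted" if negotiated == SSLV3 else "unexpected-version"
    return "unexpected"                                   # e.g. a plaintext HTTP error


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello over a fresh TCP connection and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, probe(target))
```

Run it as `python probe_sslv3.py host` against a host you are authorized to test; a result of `sslv3-accepted` is exactly the hygiene gap the post describes, while `rejected` (an alert) or a closed connection is the expected answer from a correctly configured server.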

The vulnerability CVE-2018-13379 and a group of vulnerabilities in Pulse Secure VPN devices are more interesting. CVE-2018-13379 affects Fortinet FortiOS SSL VPN devices and has a CVSS score of 9.8. For Pulse Secure devices there are seven vulnerabilities from 2019 that are often seen together; of these, CVE-2019-11510 is the most significant, with a CVSS score of 10.0, the highest possible value. Both vulnerabilities are very likely attack vectors and were specifically called out by US government agencies: CVE-2018-13379 by DHS and CVE-2019-11510 by the NSA.

Conclusion

Overall, the research demonstrates that BitSight’s overall rating, and performance on three specific risk vectors, correlate with ransomware incidents and provide clear ransomware risk indicators. Furthermore, the analysis of specific vulnerabilities complements the observations about patching cadence: unremediated known vulnerabilities go hand in hand with increased ransomware risk.

The BitSight rating and the three risk vectors are strong ransomware risk indicators. Overall, the rating and risk vectors offer a statistically valid reflection of overall security practices. In other words, an organization whose practice is to leave long elapsed times between an update becoming available and the patch being implemented is very likely to show the same pattern in other security domains. Therefore, while the rating and risk vectors offer specific evidence, elevated ransomware risk will not simply shrink by improving patching cadence alone; risk reduction will come from an overall improvement in practices.

Regarding vulnerabilities, BitSight’s data points to two main explanations for the correlation between the selected vulnerabilities and the likelihood of suffering a ransomware event:

  • Hygiene matters. The presence of the described vulnerabilities is an indicator of an organization’s security performance. This is especially true for older vulnerabilities that should have been patched long ago; eleven of the seventeen vulnerabilities have CVE dates from 2018 or earlier. Organizations that fail to patch vulnerabilities older than two years (and one could argue, older than a few weeks) have gaps in governance, operations, management, asset inventory, or other fundamental IT management and security practices.
  • Certain vulnerabilities matter. Ransomware used to be delivered mainly through phishing; modern operators demanding large payments, however, often abuse recent vulnerabilities in widely deployed technology that yield easy access to the target’s infrastructure. These include the vulnerabilities in Fortinet (CVE-2018-13379), Citrix and Pulse Secure (CVE-2019-11510) products, all of which may give attackers access to a perimeter security gateway.

The research demonstrates how daily security program performance matters. As organizations deploy anywhere from 20 to 50 discrete security controls, leadership teams everywhere are asking, “Is my organization protected?” The answer is not about how much you spend, but how diligently controls are maintained. Cyber attacks rarely employ novel, never-before-seen techniques such as zero-day exploits. It is far more common for attackers to acquire customizable tools available on the dark web and exploit a series of known vulnerabilities and weak controls to wreak havoc.

Interested in how effective your security controls are at combating risk? Contact BitSight to get started managing your risk landscape.


