To better thwart ransomware attacks, startups must get cybersecurity basics right

The Department of Justice (DOJ) famously declared 2021 as the “worst year” for ransomware attacks, but it seems that title could be in 2022’s hands very soon.

Despite some rare wins in the war against hackers over the past 12 months — from the government’s seizure of $2.3 million in bitcoin paid out to the Colonial Pipeline hackers, to its successful disruption of the notorious REvil gang — the ransomware threat continues to grow. Over the past few months alone, we’ve seen threat actors ramping up attacks against public sector organizations, including hospitals, schools and in the case of Costa Rica, entire governments. The private sector is also battling a worsening ransomware threat, with attackers claiming a number of high-profile victims such as AMD, Foxconn and Nvidia.


Founders of early-stage startups will undoubtedly find it concerning to see even well-known organizations failing to protect themselves from ransomware despite their seemingly endless resources, particularly as it’s unclear exactly where these companies went wrong.

“It could be a zero-day or it could be a failure to implement multifactor authentication (MFA) or an MFA bypass,” said Brett Callow, threat analyst at Emsisoft, during a panel discussion on the TechCrunch+ stage at Disrupt 2022. “There’s no standard answer, and that is what makes this problem so difficult to deal with.”

Luckily for founders, it appears startups have somewhat of an advantage over such well-established organizations. “In some ways, they are at an advantage, as the attack surface isn’t as large and the technology stack is newer,” Callow said, though he added that things tend to deteriorate over time.

Katie Moussouris, founder of Luta Security, agreed: “If you look at some of the biggest tech companies, they took advantage of their newer code base and tech stack to leapfrog some of the older technology companies that maybe had been working at it for some time [ … ] I think that sometimes startups can have an advantage, but sometimes they don’t.”

She pointed out that sometimes the lack of a focused and comprehensive plan at fast-growing companies may make it difficult for them to cover all bases. “I accidentally hacked Clubhouse during the height of its popularity. There were some security issues, and when I tried to report these issues, it took forever to get hold of a person. They hadn’t chosen to invest their early hires in hiring for security, and they already had millions of followers or millions of users,” she said.

This is an example of why it is critical for startups to not only invest in security early but also to invest in security in proportion to the responsibility they have, Moussouris said. “What kind of data do you have? How many people are you trying to protect? When startups do the unicorn thing and grow exponentially, they can often be at a massive disadvantage because they have not put those investments in place for security and privacy.”

Founders may find it difficult to figure out where to begin protecting against ransomware, given there is no one-size-fits-all solution that promises to keep hackers out. However, both Callow and Moussouris believe an important first step is ensuring the basics are in place. “Enable multifactor authentication on everything you have,” said Moussouris. “Enable it on every account that you have.”

Callow added that MFA is the “most significant” policy any organization can implement to improve its security posture. “It’s a matter of stacking security layer upon security layer. MFA in conjunction with staff training, in conjunction with other things all serve to reduce risk,” he said.

While both panelists agreed that MFA remains the holy grail of cybersecurity for organizations looking to ward off ransomware, they disagreed on whether the ransom demand should ever be paid.

“If there were an existential threat to my business, where my business would not exist anymore if I didn’t pay the ransom, well, then obviously, I would have to pay the ransom,” said Moussouris. “There are some circumstances where, you know, people will have very few choices left to them.”

Callow, on the other hand, believes that the U.S. government should put more regulation in place to ensure that companies aren’t paying these hackers simply because it is the least expensive option. “We already see some organizations choosing to pay to prevent their data from being released online, or simply because it is the cheapest option,” he said. “I think this is an area around which there could be some additional regulation.”