Earlier this year, the FBI released data which was interpreted by many in the tech press as saying phishing attacks were significantly more costly to organizations than ransomware. This conclusion has been challenged, and there’s now something of a counter-narrative available. (Note that this is an uncensored interview and contains language that’s likely to be offensive.)
To understand what’s being discussed in this article, it’s important to understand the relationship between access brokers and other players in the ransomware ecosystem. To wit: the ransomware ecosystem is enormous and specialized, and one of those specialties—the access broker—is obtaining and then selling access to compromised networks.
Because of the specialization that occurs in the ransomware ecosystem, the people who actually infect the network with ransomware are often different than the ones who gain initial access to a network (unless you’re dealing with a large, vertically integrated cybercrime gang, or a nation state actor). Software supply chain hacks thus have ripple effects, as those hacks feed the access brokers, who in turn make that access available to ransomware gangs.
The interview with Wazawaka shows that, despite the paucity of ransomware reporting to the FBI (and thus the low numbers in the FBI data), ransomware (and its close cousin, straight-up extortion) are still a significant and very real threat for organizations of all sizes.
More Profitable Than Selling Drugs
Wazawaka goes on to say that ransomware makes criminals more money than selling illicit drugs, and that might well be accurate. It certainly lines up more closely with the other data available about the true costs of ransomware than the data provided by the FBI earlier this year.
None of this is to say that phishing is not a threat, of course. A key quote from this Ars Technica article: “Already regarded among the most advanced, the attacks were also done at a massive scale,” demonstrates that phishing techniques are an important part of the toolkit initial access brokers use.
It’s entirely possible that initial access to your network will not come because a hacker found some misconfiguration in one of your deployed applications, or exploited some unpatched vulnerability. Initial access is increasingly accomplished using sophisticated phishing techniques. But the existence of the wider ransomware/extortion ecosystem means that the people who install ransomware or copy data for extortion may not be the same people who breach your network in the first place, and that should worry everyone.
Criminal specialization makes it unrealistic to expect to solve organizational cyber security by devolving responsibility down onto users. In other words, you can’t just rely on training and punishing people who make mistakes: the bad guys have the skills to get in to your network if they really want to. For many of them, it’s all they do, all day long, for years. They are experts.
Information security is then a game of detecting them when they do get in, limiting the damage they can do once they get in, being able to evict them quickly, understanding how they got in, and then preventing that recurrence.
