Stop calling ransomware infections attacks, says researcher


Infosec pros demand precision in their work, as well they should. Part of that precision is relying on threat information that allows CISOs and risk officers to make knowledgeable decisions on allocating money, personnel resources and technology to meet challenges.

But sometimes too much knowledge can be a dangerous thing — or not very informative.

That’s what security researcher Brad Duncan argues in a blog posted on the SANS ISC InfoSec Forum on the weekend. Specifically, he urged researchers to stop calling ransomware infections “attacks,” which he argues implies they are targeted. Unless there’s evidence of targeting, he says, they should more appropriately be called “incidents.”

An issue of semantics — especially if you’re a victim? Not necessarily. Duncan points to a recent ransomware survey by a research firm that breaks down ransomware attacks by industry. One conclusion of that report is that healthcare is hit more than others. But, asks Duncan, does that mean healthcare is targeted more than other sectors? No, he says. The evidence is that ransomware is largely spread through malware campaigns. Therefore one question is whether healthcare is being hit more than others because the sector is inherently more vulnerable. If so, Duncan says, the industry is more likely to get infected during massive campaigns that indiscriminately target everyone.

The media — including myself — like using exciting words, and “attack” is one of them. Certainly when your team is busy defending something out of the ordinary you don’t care if it’s an incident or an attack. Unfortunately there aren’t widely accepted cybersecurity definitions of the terms, although some sources suggest an “incident” is an attempt to get past the firewall, while an “attack” is a breach. Others argue an “attack” is an attempt, while a “breach” is a successful attack.

Duncan argues the word “attack” implies a specific intent against a target. I’m not so sure. But I agree it would be more informative for vendors, security researchers and market research firms to distinguish between general and targeted attacks.

“We tell ourselves we must know our enemy so we can better protect our network,” writes Duncan. “However, I think we put too much focus on the enemy and not enough focus on ourselves. Is everyone in your organization following best security practices?  Is security a truly essential part of your corporate culture?  Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures?”

While managers may want to know if a ransomware infection was the result of being targeted, the odds are it wasn’t. “If we continue thinking of ransomware infections as “attacks,” we’ll never seriously consider a wide variety of issues that allow ransomware infections to happen in the first place,” says Duncan.

What do you think? Let us know in the comments section below.

Meanwhile there are new reports that the Cerber ransomware has been upgraded with improved encryption. Cerber2 now uses Microsoft’s 32-bit CryptGenRandom encryption model, which makes previous successful attempts at the decryption of the .Cerber files useless.

 

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
