In 2021, the number of cyberattacks globally saw a steady rise, fueled by the transition to digital working environments. Ransomware, a type of malicious software that encrypts data on a computer system and blocks access until a ransom is paid, remained one of the biggest cybersecurity threats. For instance, malicious emails, which are a preferred vector of ransomware attacks, grew by 600% during the pandemic.
No industry or business is safe from becoming a target. It is not only about how sensitive the data of an organization is, but also whether they are an easy target, says Bozhidar Bozhanov, a software engineer and the founder and CEO of LogSentinel, an information security company.
This is illustrated by the increase in ransomware attacks on education institutions, which generally lack proper risk management procedures and training, not to mention cybersecurity infrastructure. Two-thirds of universities in the US lack basic email security configurations. No wonder that attacks on higher education doubled in the first pandemic year, when schools were forced to move their operations online. 44% of 500 education institutions from around the world were hit by a ransomware attack last year, according to a survey.
In Romania, the Polytechnical University in Bucharest was most recently attacked by hackers on September 11. Cybercriminals managed to access the communication platform between students and the administration and extract some of the students’ personal data. As the new school year begins in a blended form across the region, we can expect this trend to continue. Unfortunately, with public institutions in the region already struggling with using new remote teaching technologies and methods, cybersecurity adds a challenge that often exceeds their current capabilities.
The Recursive reached out to Bozhidar Bozhanov to understand what vulnerabilities cybercriminals exploit, what can be done to improve cybersecurity in Southeast Europe, and what steps public institutions and small businesses can follow to mitigate the risks of ransomware attacks and data loss.
The Recursive: Ransomware is not new – the first documented attack was sometime in the 1980s. What have been the main changes in ransomware attacks since then?
Bozhidar Bozhanov: First, the appearance of a business model. The whole security threat landscape has increased with the digital transformation. The more organizations rely on their digital tools, the more they’re being targeted by cyberattacks, including ransomware. The COVID pandemic drove digital transformation further. So, ransomware also increased during the pandemic.
How is the rise of crypto payment influencing the spread of ransomware?
For sure it’s much easier to remain undetected using cryptocurrency transactions. Now, that’s not necessarily always true. There are different types of currencies. Bitcoin isn’t anonymous by design – there is a trace of the transaction. You can get to the source after some investigation. There are even discussions in the American law enforcement about tracing Bitcoin payments.
Yet, there are other types of cryptocurrencies that are anonymous by design, Zcash comes to mind, which employ zero-knowledge proofs to guarantee that transactions are untraceable. So that makes it 100% certain that the chain of payment can be traced. Still, Bitcoin and the other more popular ones are also good enough for the general low-profile target ransomware attacks.
Who are the easiest victims of ransomware? What vulnerability do cybercriminals exploit?
Every single one of them. The easiest targets of ransomware attacks are organizations that don’t have good cybersecurity programs. And that’s the majority of them. IT infrastructures are complex and they’re growing more complex. If you don’t have the right people and mindsets in management, you don’t prioritize data security.
So far, businesses have relied on just not being interesting enough for malicious actors. However, with the gradual increase in ransomware, people are realizing that no one is actually safe from becoming a target.
What are the main strengths and weaknesses in our region when it comes to protecting against cybersecurity threats?
In countries like Bulgaria and Romania where governance of the public sector is more centralized, there hasn’t been enough understanding at a national level that ransomware attacks are an actual threat.
I know Romania has been pretty strong in cybersecurity recently, with the European cybersecurity agency developing a research center there and with local former startups such as Bitdefender becoming a global leader in cybersecurity.
On a national level, there is the legal framework, there is the organizational structure, but we haven’t seen enough people in decision-making positions to put these legal frameworks and organizational structures into effective use. I know it sounds vague, but unfortunately that’s the way it works. You need to have people at the center in our more or less small to mid-sized countries to guide that process and to be involved full-time. Unfortunately, these positions are too political to be taken by experts.
How can we change that?
There are probably two directions. One is the centralized approach, where you have someone stepping up centrally and creating the proper cybersecurity programs. This also implies getting the right personnel in hospitals, in schools, or giving the right regulation. Another direction is self-management. You have schools, hospitals, and other institutions, accessing solutions in the free market.
I’m kind of skeptical of the free market approach when it comes to cybersecurity, especially in public institutions. The problem with cybersecurity is that purchases are not usually driven by market forces. Instead, they are driven by compliance with regulation.
In general, not just in cybersecurity, risk management is not a good skill of human nature. We can’t really properly assess risk just off the top of our head. So, we can easily miscalculate risk and decide it is not worth investing our budgets in protecting against an unlikely threat. That’s why regulations exist, to drive cybersecurity purchases, despite a lack of perceived risk.
Cybersecurity companies can still play a role in educating organizations around the risks of malware attacks. What is your strategy at LogSentinel?
Well, we offer security information and event management (SIEM), a tool that collects logs and events from the whole IT environment – servers, cloud solutions, custom business applications. And then it builds a complete picture of what’s happening in the infrastructure and detects things that are suspicious, malicious and harmful. The tool can help with detecting ransomware and sometimes in preventing it, if companies use the right agent and push up an endpoint agent that can prevent the attack.
Ransomware requires a vector to spread from. This can be an unpatched vulnerability or can be related to a type of phishing or leaked credentials. What we offer is the detection of leaked credentials and phishing. We detect the initial entry of the receiver and prevent its spread. So, when you receive the phishing email, if the sysadmin is notified, they can automatically address it and nobody would be at risk of opening the malicious attachment.
In the case of the most recent famous ransomware attack – that on the Colonial Pipeline, the vector was leaked credentials. Someone used their corporate email and password on another website and that site was breached. Malicious actors then used them to enter the VPN. We can offer leaked credentials monitoring and notify customers.
In addition to that, there are the endpoint agents, which can detect file integrity changes and registry integrity changes. When you encrypt information, this automatically triggers a lot of events. This can be immediately detected by the agent, and then the computer can be shut down or removed from the network, in order to stop the spread of the ransomware.
These are risk mitigation techniques which can vastly reduce the risk of getting attacked, without eliminating it completely. Their uptake has been mostly with large enterprises, which have to work with risk anyway, while smaller and medium-sized enterprises have not had proper cybersecurity programs historically.
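The file-integrity detection described in the answer above can be illustrated with a small heuristic detector. This is an added example and not LogSentinel's code or log format: the event lines are constructed for the example, the field layout (`pid=`, `proc=`, `op=`, `path=`) is an assumption, and the two signals it looks for are a burst of renames to an extension the organization does not normally use and any touch of a pre-planted canary file, both typical side effects of an encryption run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The format is an assumption modelled on what a
# file-integrity agent might emit; it is not any real product's output.
SAMPLE_EVENTS = """\
2021-09-11T10:00:01 pid=4410 proc=libreoffice op=WRITE path=/home/ana/docs/report.docx
2021-09-11T10:00:05 pid=4410 proc=libreoffice op=WRITE path=/home/ana/docs/report.docx
2021-09-11T10:02:00 pid=9912 proc=updater op=RENAME path=/home/ana/docs/budget.xlsx -> /home/ana/docs/budget.xlsx.locked
2021-09-11T10:02:02 pid=9912 proc=updater op=RENAME path=/home/ana/docs/notes.txt -> /home/ana/docs/notes.txt.locked
2021-09-11T10:02:03 pid=9912 proc=updater op=RENAME path=/home/ana/docs/grades.csv -> /home/ana/docs/grades.csv.locked
2021-09-11T10:02:05 pid=9912 proc=updater op=RENAME path=/home/ana/docs/thesis.pdf -> /home/ana/docs/thesis.pdf.locked
2021-09-11T10:02:06 pid=9912 proc=updater op=RENAME path=/home/ana/docs/slides.pptx -> /home/ana/docs/slides.pptx.locked
2021-09-11T10:02:08 pid=9912 proc=updater op=WRITE path=/home/ana/docs/.canary.docx
2021-09-11T10:30:00 pid=5120 proc=bash op=RENAME path=/home/ana/docs/old.txt -> /home/ana/docs/old.bak
"""

# One event per line; RENAME carries "old -> new", other ops carry one path.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)

# Extensions the (hypothetical) organization normally produces; a rename
# to anything outside this set counts as suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".bak", ".tmp"}


def parse_event(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def extension_of(path):
    """Lowercase extension including the dot, or '' if the name has none."""
    dot = path.rfind(".")
    slash = path.rfind("/")
    if dot == -1 or dot < slash:
        return ""
    return path[dot:].lower()


def detect_ransomware(lines, window_seconds=60, rename_threshold=5, canary_paths=()):
    """Return one alert per (pid, reason) in the order the evidence appeared.

    Alert reasons: 'mass rename to unknown extension' when one process renames
    at least rename_threshold files to an unknown extension within the sliding
    window, and 'canary file touched' for any event on a canary path.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # pid -> timestamps of recent suspicious renames
    canaries = {c.lower() for c in canary_paths}
    alerts, seen = [], set()

    def raise_alert(ev, reason):
        key = (ev["pid"], reason)
        if key not in seen:
            seen.add(key)
            alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                           "reason": reason, "at": ev["ts"].isoformat()})

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        touched = [ev["path"]] + ([ev["newpath"]] if ev["newpath"] else [])
        if any(p.lower() in canaries for p in touched):
            raise_alert(ev, "canary file touched")
        if ev["op"] == "RENAME" and ev["newpath"]:
            old_ext, new_ext = extension_of(ev["path"]), extension_of(ev["newpath"])
            if new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
                q = recent[ev["pid"]]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > window:
                    q.popleft()  # drop renames that fell out of the window
                if len(q) >= rename_threshold:
                    raise_alert(ev, "mass rename to unknown extension")
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware(SAMPLE_EVENTS.splitlines(),
                                   canary_paths=["/home/ana/docs/.canary.docx"]):
        print(alert)
```

The benign writes by `libreoffice` and the single `.txt` to `.bak` rename by `bash` produce nothing; the `updater` process trips the rename-burst rule on its fifth rename and the canary rule two seconds later. In a real deployment the alert would feed the isolation step the answer describes (disconnecting the host), and the threshold and extension allow-list would be tuned to the organization's own file activity to keep false positives down.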
If they were to start thinking of cybersecurity tomorrow, what steps would you advise startups and small companies, ordered in terms of complexity and costs?
First thing that usually doesn’t cost anything is two-factor authentication. It’s a genuinely good idea to have one, regardless of whether you have any sensitive data or not. Two-factor authentication doesn’t make you immune to many attacks, but makes you a much more difficult target. And cybercriminals prefer easy targets.
At least some type of endpoint protection is needed. This would be an antivirus, endpoint detection and response products. Unfortunately, even though antivirus solutions were introduced decades ago, there are still large companies that don’t use one.
And then we get to the more complicated ones – SIEMs, next gen firewalls, email security solutions. Email security should be among the first solutions to consider because the most famous and popular vector of attack is email, whether it’s malicious attachments or credential harvesting.
In addition to security products, you need to have some training, to raise awareness among employees of these threats and thus help prevent behaviour that can lead to successful attacks.
Cybersecurity services are not the only tool that can help with ransomware. Having regular offsite backups is very important. They don’t prevent ransomware, but if it happens, they can help you restore and recover the data.
From a legal standpoint, what are the implications if schools, for instance, refuse to pay the ransom, since they are responsible to keep student data safe?
The implications are not that great – and this is both unfortunate and fortunate. These are often small organizations that cannot really afford paying huge amounts of money. If they can’t afford the ransom, they can’t afford a big fine for not complying with a standard. Otherwise, they have general obligations under GDPR and they can indeed be fined. How effective that is depends on each country, its enforcement mechanisms, and its general GDPR awareness programs.
What steps should an organization follow if it is attacked?
First, assess what happened: what has been affected, whether there has been any data lost. One of the most important things in cybersecurity is the quick initial response. If there is one machine, one endpoint, or server that has been affected, you need to quickly shut it down or disconnect it, and then look for traces in the other parts of the network to remove them. Then you can quickly mitigate. It’s very important to be able to get immediate notifications of suspicious, potentially malicious entities in the IT ecosystem, so that you can really quickly respond.
The thing is malicious actors need to know what’s in the infrastructure. If they get somebody’s credentials, they have to log in and then look around, try to find other machines they can jump on, escalate privilege stuff etc. These things take time even though they’re prepared. So, defenders have some time to respond.
You cannot react to ransomware if you don’t have any security monitoring or backups.
What can you do as a cybersecurity company to get the buy-in of public institutions, as well as maybe influence the creation of a stronger cybersecurity agenda for the country?
I personally have a dual role. I’m the founder, but I’m also a politician. I’m an expert in the Commission on Digitalization in the Parliament, which was created by our party’s request. So, I’m also using the political route to increase awareness to drive change in this area. One thing that we have already proposed is having a Chief Information Security Officer in each Ministry. We want to also empower these officers to report to the Ministers. We need actual security officers, not IT guys tasked with some security issues. This is kind of an organizational step, but it’s an important one because security starts with people. Tools are useless without the right people.