A new assessment service from cybersecurity ratings provider Black Kite aims to let enterprise defenders know which of their third-party partners and vendors could be vulnerable to a ransomware attack.
Ransomware was the scourge of information security in 2020, as attacks brought all kinds of organizations — financial services, health care facilities, educational systems, municipalities, and enterprises — to a screeching halt. Ransoms are getting larger, and tactics have evolved: attackers no longer just encrypt data but also steal it and threaten to leak it.
The Ransomware Susceptibility Index analyzes technical data from open source intelligence sources to calculate the probability that a company will suffer a ransomware attack within 12 months, Bob Maley, Black Kite’s chief security officer, told VentureBeat. Black Kite built a machine learning model that weighs 26 controls to produce a score between 0 and 1; the higher the value, the greater the likelihood that the company will be hit by a successful ransomware attack.
The goal is to give enterprises reliable data about their ransomware risk so they can make informed decisions about how they work with third-party partners, Maley said.
Third-party risk assessment
Many ransomware attacks now target third-party suppliers and partners rather than going straight for a single company. One reason is that partners may have weaker defenses: they may be behind on security updates, or their employees may be more likely to fall for phishing. Another is reach: compromising a supplier can affect every one of that supplier’s customers, netting the gang many victims from a single intrusion.
In August 2019, 22 towns in Texas were hit by a ransomware attack when the gang targeted the managed service provider the towns used. When cloud services provider Blackbaud was hit by ransomware, dozens of its customers had to disclose the breach.
Enterprises have to look beyond their own environment when assessing their ransomware risk, Maley said. If a third-party provider is hit, the malware may cascade into the enterprise’s own network, or the gang may steal data held by the provider that actually belongs to its client organizations. Enterprise defenders can use the Index to gauge the risk of a ransomware attack for each of their partners.
The Index isn’t just a score. It includes a detailed report showing which of the 26 controls are missing. If a partner has a high score, the security team can contact that partner and demand the issues be fixed, Maley said.
Verifying the math
Black Kite’s team of researchers needed a way to check the Index’s accuracy, so they turned to the dark web. Many ransomware gangs now leak or sell the stolen data on criminal marketplaces if the victim doesn’t pay the ransom. The team looked for data dumps that resulted from ransomware attacks and then checked the Index for the victim organization’s score.
Just two weeks ago, notorious ransomware gang REvil said it had stolen schematics of unreleased Apple products from an Apple supplier. The group demanded Apple pay $50 million and threatened to sell the data to the highest bidder. The RSI score for that Apple supplier was 0.729, Maley said.
A prominent health care provider whose data was put up for sale after a ransomware attack (which has not been publicly discussed at this time) had an RSI score of 0.928, Maley said.
Black Kite was able to validate the Index’s accuracy by checking multiple victims across different industries, Maley said.
Many defenders are beginning to feel there is no way to avoid an attack so they should instead focus on making sure recovery is possible, Maley said. But while recovery planning is important, defenders shouldn’t give up trying to block the attack.
Attackers research their targets before launching attacks. This research includes identifying potential phishing victims, searching for user credentials, scanning for unpatched vulnerabilities and outdated software, uncovering fraudulent domains, and looking for exposed ports. With this information in hand, the attackers craft a campaign to get a foothold in the network in order to deploy the ransomware. RSI relies on the same data sources to calculate ransomware risk.
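How external recon signals of the kinds listed above (exposed ports, outdated software, leaked credentials, lookalike domains, weak mail authentication) can be turned into per-control findings and a 0-to-1 susceptibility figure, as an added illustration that is not part of the original article and is not Black Kite’s model: the five controls, their weights, the version floors, the logistic curve and the three vendor footprints below are all assumptions made for the example (the real Index uses 26 controls that the article does not enumerate). The report of failing controls mirrors the detailed report described earlier; the ranking mirrors gauging each partner separately.

```python
"""Toy ransomware-exposure scorer built from external recon signals.

Added illustration only: not Black Kite's model. Controls, weights,
version floors and sample vendor data are assumptions for the example.
"""
import math
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Footprint:
    """Externally observable facts about one vendor (constructed input)."""
    open_ports: set                      # TCP ports reachable from the internet
    banners: dict                        # software name -> observed version
    leaked_credentials: int              # credentials seen in public dumps
    lookalike_domains: list              # registered typosquats of the vendor
    dmarc_policy: Optional[str]          # "reject", "quarantine", "none" or None


# Services ransomware crews hunt for on the perimeter (assumed list).
RISKY_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH"}
# Minimum versions treated as patched (assumed floors for the example).
MIN_VERSIONS = {"OpenSSH": (8, 0), "Exchange": (15, 2, 858)}


def parse_version(v: str) -> tuple:
    """'15.2.858.5' -> (15, 2, 858, 5); non-numeric components are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def outdated_software(fp: Footprint) -> list:
    """Products whose observed version sorts below the assumed floor."""
    return [name for name, ver in fp.banners.items()
            if name in MIN_VERSIONS and parse_version(ver) < MIN_VERSIONS[name]]


def exposed_services(fp: Footprint) -> list:
    """Human-readable names of risky services open to the internet."""
    return [RISKY_PORTS[p] for p in sorted(fp.open_ports) if p in RISKY_PORTS]


# (control name, weight, check) - check returns True when the control is in place.
CONTROLS = [
    ("no_exposed_remote_mgmt", 2.0, lambda fp: not exposed_services(fp)),
    ("patched_perimeter_software", 1.5, lambda fp: not outdated_software(fp)),
    ("no_leaked_credentials", 1.5, lambda fp: fp.leaked_credentials == 0),
    ("dmarc_enforced", 1.0, lambda fp: fp.dmarc_policy in ("quarantine", "reject")),
    ("no_lookalike_domains", 0.5, lambda fp: not fp.lookalike_domains),
]
TOTAL_WEIGHT = sum(w for _, w, _ in CONTROLS)


def evaluate(fp: Footprint) -> tuple:
    """Return (score in 0..1, names of failing controls).

    The score is a logistic function of the weight of failed controls,
    centred at half the total weight, so it climbs steeply once several
    controls are missing rather than growing linearly (assumed shape).
    """
    failed = [name for name, _, check in CONTROLS if not check(fp)]
    failed_weight = sum(w for name, w, _ in CONTROLS if name in failed)
    score = 1.0 / (1.0 + math.exp(-(failed_weight - TOTAL_WEIGHT / 2)))
    return round(score, 3), failed


def rank_vendors(vendors: dict) -> list:
    """Sort vendors by score, highest (most susceptible) first."""
    rows = [(name, *evaluate(fp)) for name, fp in vendors.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed footprints for three hypothetical suppliers.
VENDORS = {
    "acme-parts": Footprint({443, 3389}, {"OpenSSH": "7.4", "nginx": "1.18"},
                            12, ["acme-part5.example"], None),
    "north-logistics": Footprint({443, 22}, {"OpenSSH": "8.9"}, 3, [], "none"),
    "blue-payroll": Footprint({443}, {"OpenSSH": "8.9", "Exchange": "15.2.858.5"},
                              0, [], "reject"),
}

if __name__ == "__main__":
    for name, score, failed in rank_vendors(VENDORS):
        print(f"{name:16} score={score:.3f} missing={failed}")
```

A real index would of course weight far more signals and calibrate the curve against observed incidents, as the article says Black Kite did with dark-web leak data; the point here is the shape of the pipeline: each control is an independent check over public evidence, the report is the list of failed checks, and the score is a monotone function of their combined weight.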
“You can either be fatalistic or you can look at what the attackers look at,” Maley said.