Cloud CISO Perspectives: Ending ransomware starts with more reporting
Phil Venables
VP, TI Security & CISO, Google Cloud
Monica Shokrai
Head of Business Risk & Insurance, Google Cloud
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.
SubscribeWelcome to the second Cloud CISO Perspectives for November 2024. Today, Monica Shokrai, head of business risk and insurance, Google Cloud, and Kimberly Goody, cybercrime analysis lead, Google Threat Intelligence Group, explore the role cyber-insurance can play in combating the scourge of ransomware.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
--Phil Venables, VP, TI Security & CISO, Google Cloud
Ending the ransomware scourge starts with reporting, not blocking cyber-insurance
By Monica Shokrai, head of business risk and insurance, Google Cloud, and Kimberly Goody, cybercrime analysis lead, Google Threat Intelligence Group
Ransomware is wreaking havoc around the world, underscoring the need for better collective defensive action from public and private sector organizations.
Globally, ransomware continues to be a complicated and pernicious threat, according to our M-Trends 2024 report. It accounts for more than 20 percent of cyberattacks, year after year. Ransomware at one U.S. health insurance organization forced the shut down of operations at hospitals and pharmacies for several weeks earlier this year, a move that cost the company an estimated $872 million so far.
Victims of these attacks are often left with the difficult decision to pay a ransom. At least $3.1 billion has been paid in ransom for more than 4,900 ransomware attacks since 2021, wrote Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technology, in October — and these are only the attacks that we know of because they’ve been reported.
Law enforcement and impacted organizations have stepped up their fight against ransomware this year. Some of them have developed a multifaceted approach that combines strategic interventions, technological defenses, and law enforcement efforts to combat it, and so far that’s proven helpful. These efforts led to 14 disruptions by law enforcement in ransomware operations as of September.
Despite these actions, attacks continue. Defending against ransomware is so complicated that even some independent cybersecurity researchers, who had been calling for bans on insurance payments to organizations suffering from ransomware attacks, have backed down from their hard-line positions.
While solutions to the threat are complex, cyber-insurance can play a key role. Cyber-insurers can help reduce attackers’ financial gains from incidents, first and most importantly by requiring a minimum level of security standards to strengthen an organization’s defenses before approving an insurance policy.
Insurers have also been shown to reduce attackers' financial gains by limiting or avoiding ransom payments altogether and advising on best practices, particularly regarding backups. If a ransomware attacker demands a $2 million bounty to restore data, but cyber-insurance can embolden an organization under attack to more confidently assert their counter-demand for a reduced payment, that can help the attacked organization strengthen its position and even pay a lower sum — or none at all.
Cowbell Cyber, a cyber-insurance firm, recently found that ’businesses using Google Cloud report a 28% lower frequency of cyber incidents relative to other cloud users.’
However, some believe that cyber-insurance encourages ransomware payments, and would prefer cyber-insurance coverage for ransomware to be banned. Outright bans on cyber-insurance coverage for ransomware payments are likely to harm small businesses more than large ones. Larger businesses are often better positioned to absorb the financial cost of ransomware payments on their own. Conversely, a ban would hurt smaller businesses in outsized ways.
If the ultimate goal of banning insurers from reimbursing ransomware payments is to reduce the profitability of ransomware attacks, then actions that require victims to report payments have the potential to be more impactful. Mandatory reporting could improve law enforcement tracking efforts and introduce more opportunities to recover funds even after payment is sent.
If larger companies continue to pay the ransom despite insurance not covering it, the impact of a ban on the insurance coverage becomes less meaningful. However, a more effective approach may be to incentivize the adoption of policies that improve the digital resilience of private and public-sector organizations to drive down the risks they face. As Phil and Andy wrote in the previous edition of this newsletter, this often means updating legacy IT.
One approach is to incentivize the adoption of secure by design and secure by default technologies, such as those that we develop at Google Cloud. Cowbell Cyber, a cyber-insurance firm, recently found that "businesses using Google Cloud report a 28% lower frequency of cyber incidents relative to other cloud users.” The report also found that Google Cloud exhibited the lowest severity of cyber incidents compared to other cloud service providers.
At-Bay, another cyber-insurance firm, found customers using Google Workspace experienced, on average, 54% fewer email security incidents.
There is an opportunity with AI, as well, to better scale existing anti-ransomware efforts to meet the needs of defenders. We’ve already begun to see AI have a positive impact by helping organizations grow their threat detection efforts and more efficiently address vulnerabilities before attackers can exploit them.
In your fight against ransomware, Google Cloud is here to help you every step of the way. From technology solutions and Mandiant Consulting Services, to threat intelligence insight, we can help you prepare for, protect against, and respond to ransomware attacks. You can learn more about the latest ransomware protection and containment strategies in this report.
For more leadership guidance from Google Cloud experts, please see our CISO Insights hub.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Cyber risk top 5: What every board should know: Boards should learn about security and digital transformation to better manage their organizations. Here’s five top risks they need to know. Read more.
- Make IAM for GKE easier to use with Workload Identity Federation: Workload Identity Federation for GKE is now even easier to use with deeper IAM integration. Here’s what you need to know. Read more.
- Shift-left your cloud compliance auditing with Audit Manager: Our Audit Manager service, which can help streamline the compliance auditing process, is now generally available. Read more.
- Learn how to build a secure data platform: A new ebook, Building a Secure Data Platform with Google Cloud, details the tools available to protect your data as you use it to grow your business. Read more.
- Bug hunting in Google Cloud's VPC Service Controls: You can get rewarded for finding vulnerabilities in VPC Service Controls, which helps prevent data exfiltration. Here’s how. Read more.
- Finding bugs in Chrome with CodeQL: Learn how to use CodeQL, a static analysis tool, to search for vulnerabilities in Chrome. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Using AI to enhance red team engagements: Mandiant researchers look at several case studies that demonstrate how we can use AI to analyze data from complex adversarial emulation engagements to better defend organizations. Read more.
- Empowering Gemini for malware analysis: In our latest advancements in malware analysis, we’re equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise by integrating the Code Interpreter extension and the Google Threat Intelligence function calling. Read more.
- Understanding the digital marketing ecosystem spreading pro-PRC influence operations: GLASSBRIDGE is an umbrella group of four different companies that operate networks of “fake” news sites and newswire services tracked by the Google Threat Intelligence Group. They publish thematically similar, inauthentic content that emphasizes narratives aligned to the political interests of the People’s Republic of China. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Google Cloud Security and Mandiant podcasts
- Your top cloud IAM pet peeves (and how to fix them): Google Cloud’s Michele Chubirka, staff cloud security advocate, and Sita Lakshmi Sangameswaran, senior developer relations engineer, join host Anton Chuvakin for a deep dive into the state of Identity Access Management in the cloud, why you might be doing IAM wrong, and how to get it right. Listen here.
- Behind the Binary: Motivation, community, and the future with YARA-X: Victor Manuel Alvarez, the creator of YARA, sits down with host Josh Stroschein to talk about how YARA became one of the most powerful tools in cybersecurity, and why we need a ground-up rewrite of this venerable tool. Listen here.
- Behind the Binary: A look at the history of incident response, Mandiant, and Flare-On: Nick Harbour joins Josh to discuss his career journey from the Air Force to Mandiant, share insights into the evolution of malware analysis, and the development of the reverse engineering Flare-On contest. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.
