By Sarah Goodchild

Sarah Goodchild

The UK government recently made it illegal for British companies to pay Russian cybercriminals who demand large ransoms from their victims. It’s a move that underscores the seriousness of the Russian ransomware threat and removes one of the most common responses to ransomware, which is to pay up. Proofpoint research found that more than 80% of UK firms would pay attackers to get their data back and resume day-to-day operations.

Now that paying off certain attackers is no longer a fallback option, it’s vital that channel partners help customers be more proactive in their approach to ransomware. They can do so by ensuring customers better understand their readiness to defend against the latest attacks and by helping them to keep their defences working effectively.

The Scale of the Challenge

Ransomware remains a scourge to UK businesses and a significant proportion of all ransomware activity can be traced to cybercriminals based in Russia. Many of these ransomware payments flow directly to adversaries who are supported by the Russian government, or at least allowed to continue their operations. Conti, Lockbit, REvil, DarkSide and Royal are all high-profile examples of prolific Russian-affiliated ransomware gangs.

Other scenarios can be more opaque, meaning the nationality of the attacker and financial beneficiary is unknown. If a payment is made to a group not believed to be directly affiliated with Russia, it may still contain Russian individuals.

Despite the widespread awareness of ransomware and major investments in security controls, the threat continues to rise. Even the biggest, most security-conscious organisations can be hit, including in recent months, The Guardian and Post Office.

Why Current Approaches Fail

To understand how channel partners can better help their customers, it’s important to consider why current approaches to ransomware fail. A major problem is that security teams are often unaware that security controls do not provide the protection they expect. In many cases, this is because tools, if not updated and tuned frequently, can become less effective over time as new threats emerge.

Organisations also continue to depend on point-in-time pen tests to gauge their security posture, tests which are conducted infrequently and quickly become outdated. This inability to measure security effectiveness in real time leaves security teams in the dark and, therefore, too reliant on assumptions.

A major problem remains the extent to which attacker behaviours evolve. The Picus Security Red Report 2023 evidences how adversaries change their tactics and techniques from year to year. Among its findings is that, on average, malware is now capable of performing a dozen attack techniques across the cyber kill-chain. The rising sophistication and evasiveness of malware means that it will only become harder to detect.

The rise of the Royal ransomware group is a fitting illustration of the speed at which new threat actors can arise. Indeed, the group did not even exist one year ago, but it has emerged from the ashes of Conti, developed new ransomware campaigns and has quickly become one of the greatest threats to critical infrastructure providers.

Helping Customers Be More Proactive

The approach of selling more security controls that only add to the burden of managing security operations can only take channel partners so far, especially with more businesses tightening their belts in the current economic climate. To build long-term success, channel partners must first identify where investments can have the biggest impact and help customers to extract the best ROI from these solutions.

To this end, there is a growing need for solutions that can validate the effectiveness of security control on a continuous basis. Channel providers can take advantage of new technologies such as breach and attack simulation (BAS) tools, which automatically simulate real-world threats, including ransomware. BAS solutions can be used to measure the effectiveness of security controls against attacks and minimize the time it takes to address coverage and visibility gaps.

At a time when security budgets and resources are under pressure, helping security teams leverage automation to enhance security outcomes and reduce expensive manual processes is a strategy that resonates well with security leaders and their teams.

Seizing the Moment

Ransomware operators show no signs of abating, even with new laws in place. For the channel, this moment should be treated as a chance to build better relationships, help customers bolster their resilience, and enable them to adopt a more proactive and threat-centric approach.

Sarah Goodchild is senior director of channel sales EMEA at Picus Security. You may follow her on LinkedIn or @PicusSecurity.