The cloud-based software-as-a-service model is everywhere now, including the criminal underground, according to Steven Ursillo, the national assurance and cybersecurity leader for Top 100 Firm Cherry Bekaert.
Speaking at the AICPA Engage Conference, held in Las Vegas this week, Ursillo noted specifically that ransomware attacks — cyber attacks that lock up victims' data and computer systems unless a sum of money is paid — are not only on the rise, they are growing more sophisticated as well.
A lot of this has to do with the fact that, much like legitimate companies, criminals are also adopting the SaaS model for much of the same reasons: lower technical requirements. Just as an accountant need not be a coder to make, say, a bot for processing tax data, bad actors no longer have to code their own tools, which has served to lower the barrier for entry for such activities.
“Ransomware as a service is exactly what it sounds like — they designed SaaS engines for adversaries to launch ransomware campaigns. The technical part to do this stuff is now coming down. You can have a couple of different outlets to orchestrate your crime. If you’re in organized crime or have otherwise illicit intention, you can hire spammers to send out email messages, and have ransomware camping on a SaaS service. So there’s been an explosion of these types of crime happening,” he said.
This might also explain why ransomware is moving towards what Ursillo called “double or triple extortion.” A ransomware attack a few years ago might consist of just someone locking your data and demanding payment to release it. These types of attacks are still around today, but they are joined with threats to release the data on the darkweb or shut down operations entirely if they don’t pay.
Another part of the issue is that people and organizations have become more vulnerable over the past two years because of the mass migration to remote work. The problem was how unexpected this was for a lot of companies, meaning they weren’t always thinking about security when setting up remote work capacities.
“Many organizations were already doing remote operations, but were now forced into it at a much more expedited level. The way these organizations started to change wasn’t really planned out. People worked from home with different technologies, [organizations] put in technologies at the last minute, they were buying devices at big box stores,” he said.
Beyond even execution, though, is the fundamental fact that more things being online means more attack vectors for bad actors. Everyone uses apps now, but each of these apps is connected to a system that may, in turn, offer entry into an entire organization. The spread of online devices — also known as the Internet of Things — has also contributed to this, as each one of these also represents a possible entry point for attackers.
“Sometimes these remote access solutions went up after the fact, or they weren’t put in strategically so there’s a catch-up process to mature. But even for mature organizations, there are attackers looking for opportunities to get the end user and get into the corporation,” he said.
This lower barrier to entry means accounting professionals need to rethink their cybersecurity strategies. For one, who performs cyber attacks has undergone a major shift. While in prior years the majority originated from inside actors, today about 80% of attacks are from external players. This means it’s not just big criminal syndicates using these tools — it can be smaller operators who, before, lacked the technical ability to pull off such campaigns but are perfectly capable now.
“This doesn’t mean there’s not a technological bar to get in, but there’s more and more attackers able to do this type of work. They’re looking to monetize data, looking at the theft and sale of assets, looking at transactions, looking at operations, anything they can do to get an advantage and monetize data,” he said.
As organizations adjust to this new normal, Ursillo recommended that they put their backup data on an entirely separate network, because the first thing attackers do when they get in is destroy the backups, which makes it more likely you will pay the ransom. He also recommended looking into access control like multifactor authentication, endpoint detection systems that actively search for anomalous behavior, using proxy servers to blunt redirects from bad links, having up to date security training, maintaining patches and updates for the organization’s various systems, and bolstering email filtering.
