Why supply chain security could hold the key to reducing ransomware risk

Ransomware is the cybersecurity story of the decade.

Combining large-scale data theft with malware that can bring IT systems to a standstill: few could have designed a more insidious threat. At the time of writing, the latest big-name victim was publishing giant Macmillan. By the time you read this it will be yet another organization. In response, boardrooms are scrambling to shore up their defences. By one estimate, global spending on cybersecurity rose 60% last year. Yet how many of these same organizations appreciate the potential risk from their supply chains?

A growing number, according to new Trend Micro research. We found that 79% of global IT leaders believe their partners and customers are making their organisation a more attractive target. By locking down supply chain risk, enterprises could take a massive step towards reducing the threat from ransomware.

A perfect storm

The story of ransomware may go back over a decade. But it’s in the past few years and during the pandemic in particular that the threat truly accelerated. According to FBI figures, associated costs soared 449% between 2019 and 2021, while the volume of reports jumped 109% from 2017 to 2021.  Why did the pandemic have such a profound impact on this thriving corner of the cybercrime underground? A perfect storm of digital transformation, home working and cybercrime innovation.

Take digitalisation. The pandemic forced many organisations to accelerate IT modernisation efforts. They invested heavily in cloud infrastructure and services and were forced to support a radical shift in the way employees worked. Both opened up new opportunities for ransomware actors. Phishing attacks against home workers soared as cyber-criminals reckoned correctly that they may be more distracted than usual, and working from under-secured laptops. Attacks on misconfigured RDP endpoints and unpatched VPNs also surged as they took advantage of the increasing use of remote access infrastructure.

At the same time, a new “as-a-service” approach to ransomware emerged on the cybercrime underground, inviting affiliate groups to take a share of the spoils. Many use initial access brokers (IABs), cyber-criminals who specialise in compromise, to gain a foothold into networks, further lowering the barrier to entry. It has made some groups, like the aggressive Conti operation, billions of dollars in the process.

Why supply chain security matters

Not for nothing has the National Cyber Security Centre (NCSC) branded ransomware the most “significant” threat facing UK businesses. But the supply chain dimension is not always well understood. These complex inter-dependencies run through every organisation’s digital and physical infrastructure. They range from the use of open source components in software development, to IT providers, and professional services firms like lawyers and accountants. Most organisations may not even appreciate how deep these networks penetrate into their organisation, or how many suppliers they actually have.

That opacity is a boon for ransomware actors, who thrive in the shadows. There are several potential vectors for attack. They could theoretically plant malware or vulnerable software into open source code libraries. It’s claimed that  the average application development project contains 49 vulnerabilities. Or they could compromise an IT supplier with privileged access to customer networks and use that access to disseminate ransomware.

That’s what happened at IT management software provider Kaseya, leading to the compromise of scores of managed service provider clients and over 1,500 downstream customers last year. They could also target suppliers in their own right if they store sensitive client data. Law firms are a prime target. Witness the ransomware attacks on New York-based practice Grubman, Shire, Meiselas & Sacks in 2020 and UK firm Tuckers Solicitors the same year. Suppliers that require network access such as contracting firms may also represent a risk if their employees’ credentials are targeted.

In short, threat actors are always looking for the biggest bang for buck. And under-protected supply chains may offer exactly that. In fact, over half (52%) of the global organisations we spoke to said they have a supply chain partner that has been hit by ransomware.

Building a stronger supply chain security

Supply chains contribute to a concerning trend in recent years, as organisations lose visibility into an ever-expanding digital attack surface. In a separate study we found that 73% of IT and business leaders are concerned about the increasing size of their attack surface. And 43% admitted it is “spiralling out of control”. So what’s the answer?

Well, there’s no silver bullet to fix supply chain security. Best practices, as always should prevail. IT leaders need first to gain a comprehensive understanding of the supply chain itself and data flows, in order to identify high-risk suppliers. They should regularly audit these, holding them and any new suppliers to the same high security standards they enforce internally. An effective security strategy should include preventative controls such as anti-malware across all layers: email, web, hybrid cloud, network and endpoint. But it must also feature detection and response to spot and resolve breaches rapidly when they inevitably happen. Combining these with continuous vulnerability management and testing, user education programs and more is the way to go.

Even better, consider unified platforms that can deliver attack surface management and threat protection, detection and response from a single pane of glass. By moving away from siloed point solutions, organisations can eliminate coverage gaps, reduce costs and improve the productivity of security teams. That’s the road to mitigating supply chain risk, and with it the threat from ransomware.

About the Author

Bharat Mistry is Technical Director at Trend Micro. We’re a global cybersecurity leader, helping to make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints.