The growing ransomware threat with Anjan Bagchee
Runtime: 13:30 — The Boston Fed’s chief of information security, Anjan Bagchee, is constantly monitoring the growing ransomware threat. Bagchee discusses the increasing sophistication of the attacks, their economic implications, and how organizations can protect themselves.
Organizations everywhere are being forced to reckon with the threat of ransomware, because the number of attacks is skyrocketing.
The tactics are straightforward: Attackers use malware to block access to computer data, networks, and systems and then demand a ransom to restore it. The attacks can threaten critical data and operations, and the cost of an attack to organizations can run into the tens of millions of dollars.
In the latest episode of the Six Hundred Atlantic podcast, the Boston Fed’s chief information security officer, Anjan Bagchee, speaks about this growing threat and the increasing sophistication of the attackers.
In the interview, Bagchee says the attacks are evolving in ways that have the potential to do real economic damage. He adds the tech labor market is so tight, it’s tough for organizations to find people with the skills to prevent or mitigate attacks. And he weighs in on whether victims should consider just paying the ransom.
Hi, and thanks for joining us for another episode of Six Hundred Atlantic. I'm your host, Jay Lindsay. I'm here with Anjan Bagchee. He's the chief information security officer at the Boston Fed. Now, cybersecurity is a priority here at the Fed because it’s the Fed’s job to promote a strong economy and stable financial system. We hear constantly about cybersecurity attacks and hacks, and these can have huge costs and implications for the economy. So, the Fed is very interested in helping organizations of all sizes understand the risks and how to combat them.
For years, the Boston Fed has worked with banks and businesses on cybersecurity awareness. We share threat intelligence and security best practices, and for a long time we’ve hosted a threat-sharing forum with local depository institutions because the risks are always evolving. The threat we’re going to be focused on today is ransomware. Not everyone knows what that is, and we're going to let Anjan explain it. But one thing that’s clear is this may be the biggest current threat in the information security world, and it's growing. I'll let Anjan tell us more. But first, welcome Anjan.
Thank you for the introduction, Jay. Glad to be here.
I saw a stat that indicated ransomware attacks increased in 2021 more than in the last five years combined. So, that's just a major increase. So, can we start with some basics here? Can you tell me, first, what a ransomware attack is, and can you talk about why they're becoming more common?
What ends up happening in a ransomware attack is, through some mechanism, either by you visiting a website or an email that you get that has an attachment that claims to be some sort of an image or invoice or something, and you click on it, and it has a payload, a program that then encrypts your machine, and then demands money from the attacker to decrypt it so you can get your data back. And that's classified as ransomware, a different form of malware.
And the other part of your question, which is why is it becoming popular? So, there is the ease of getting monetary advantage from it. And that's why, and especially through the pandemic, there's been a more than usual increase in ransomware incidents. And I think all of the studies that I've seen, including a lot of information that comes from the Federal Bureau of Investigation, indicate that because of a lot of people working from home, I think it made people easier targets because you're not in as much of a closed environment, and some of the controls that you had in terms of employee awareness and training kind of fell by the wayside for a lot of organizations.
One thing I want to ask you about, and I didn't realize this, how sophisticated these things could be, and it's so sophisticated that the criminals actually lease out this malicious software and computing infrastructure to people. I mean, you don't even need to be technically competent to pull off a ransomware attack because you can just buy the material. Is that correct?
That's correct. They will provide you all of the expertise, the way to send the ransomware payload to a defined population and provide all of the support around it for you to launch that attack, and they'll charge you for that.
I want to talk from the standpoint of the victim. So, obviously, you have a couple alternatives if you're a ransomware victim, you can pay or you can refuse to pay. And it seems like both those things could be costly, there's things to weigh in both cases. So, I read somewhere about a hospital that didn't pay, it cost them $50 million from lost revenue and to shore up their systems. So, what do you do if you're a victim?
Like a lot of aspects of cybersecurity, your response to an event, like a ransomware event, is determined by how ready you are before it happens. And, so, your options are very limited if you are not prepared for it in the first place. In this case, there are different schools of thought, and I'm a proponent of backing up your data, because I do not believe that paying a ransomware organization to get your data is a viable solution. And the reasoning that I place on it is, for one, if you pay and you get your data back, then the attackers know that you are willing to pay, which means you will fall victim to them possibly again, because they will target the organization again.
And then there's certainly known cases of, intentionally or unintentionally, the amount was paid, and you get the decryption key, but the decryption key does not work. Now, you're back to square one, and you still have a problem. So, what you want to make sure is, at the end of the day, if your machine is encrypted, and your data is backed up somewhere, you can just reformat your machine, put the data back on.
Kind of a related question, obviously we see this incredible cost from ransomware attacks, but they keep happening. Are organizations paying enough attention to security, to this particular threat? Why or why not would you say?
So, numbers tell the story of not enough organizations paying enough attention. And the reason behind it is the solution is not just technology. At the end of the day, beyond technology, your best defense against ransomware are employees that are paying attention, that are receiving good security awareness training.
So, I think that we have to realize that for us to fall to ransomware less often, we have to involve everyone that works in the organization, because your weakest link is your weakest link. All they need to do is find one path into the organization. We just have to do a better job as organizations of implementing a security program and maturing it to respond to events like this.
Is it ever a case where the balance between convenience for employees and security, you're trying to weigh that, and you're not going as far in one direction as you should? Is that a factor in terms of why these might continue, these ransomware attacks?
I think you're onto something there. If you look at it across industries, you will see that there are different sectors that respond differently. The ones that are more security-aware have a better response mechanism. And the reason behind that is, “How is information security, how is cyber response considered by that business?” Is it considered a hurdle that you think is getting in the way of your day-to-day business? Then you're more likely to not adhere to the recommendations that are made, because information security is owned by every person in the organization. And if there isn't that level of awareness, then really none of the controls that you put in place are going to be as effective as they need to be.
So, I’m hoping we can talk a little bit now in a general sense about what the Fed and what the Boston Fed are doing in this realm.
I think we have a very robust approach to this, in terms of not only the fundamentals and the basics that are talked about in terms of how we respond and what tools we use to respond, but also looking at how ransomware landscape overall is evolving. What level of threat does it present? Because this is something that is evolving, so we need to evolve with it to make sure that our response is meeting the risks that it presents.
So, everyone, I guess, is familiar lately, if they're following the labor market at all – which we tend to do here at the Fed – that it's been a tight labor market. And I saw stats recently that indicate the labor market is even tighter among tech workers, and this will come around to ransomware, trust me. So, obviously this may affect an organization's ability if the market is so tight for tech workers to get the people they need in place to fortify themselves against these kind of attacks. Is that a factor right now?
I think that's a factor overall across cybersecurity programs. And anyone that works in cybersecurity, this is not news to them, but it is very hard to find and retain cyber talent. You have to really go out of your way to retain talent, in terms of not just compensation, but presenting projects that they'll find interesting and professionally satisfying. So, factoring all of those things in, what you have to do is make sure that you look for areas of automation, of machine learning, to create and augment the tools that you have. And some things that will save you time will make the process shorter.
And that'll have the double-sided advantage of, one, probably needing fewer people, because you can automate parts of it. The other is your response time, which is critical in responding to ransomware: how quickly you detect ransomware in your environment and isolate those machines is the biggest factor in controlling the damage.
I wonder, as you look ahead into the next couple of years, what strikes you as a real priority, or real priorities, plural, as people try to reckon with this threat?
I think the impact is going to be economic, not just because of the scale of growth that we are seeing, the scale of growth is also accompanied by the type of attacks that ransomware seems to be doing. So far, we traditionally see just the encryption of your data, and then you pay to decrypt the data. A lot of these larger entities that provide ransomware-as-a-service have gotten really adept at developing payloads, essentially the ransomware software, that actually finds out where it is, reports back that this is the organization that I'm in, and then the attackers determine what to do. And why for organizations that's impactful is, let's say you are an organization that has tremendously valuable intellectual property. And in that case, what they do is they will exfiltrate that data out of the organization, then decrypt.
I think that that's one of the things to consider as we look at this, that this is not going to be just a nuisance anymore. This is going to cost a lot if more and more intellectual property gets exfiltrated on the way before encryption happens. And that's something that we have to consider, that this presents a much larger threat than the way that we know it now.
Wow. Well, thanks for that. Certainly, a warning being sounded here, appreciate that. And that's all the questions I've got for now, Anjan. I really appreciate you taking time with us today on this important topic.
Thank you. Thank you for having me. Always nice to talk about cyber security topics.
So, you can find more information on everything discussed today on our website. Visit bostonfed.org/sixhundredatlantic, where you can check out other interviews as well as our podcast seasons. The most recent season, Season 3, looks at racial disparities in the United States. And while you're there, subscribe to our email list to stay informed of upcoming episodes. And we'd really appreciate if you would rate, review, share, and subscribe to Six Hundred Atlantic on your favorite podcast app. I'm Jay Lindsay, signing off on another episode of Six Hundred Atlantic. Thanks for listening.
This episode was hosted by Jay Lindsay and produced by Peter Davis. Executive producers were Lucy Warsh and Heidi Furse. Recording was done by Peter Davis and Jay Lindsay. Engineering was done by Peter Davis. Project managers were Nicolas Brancaleone, Mike Woeste, and Peter Davis. The episode was edited by Joel Werkema, Lucy Warsh, Nicolas Brancaleone, Jay Lindsay, and Peter Davis. Graphics and website design were completed by Ellen Harvey, Michael Konstansky, and Meghan Smith. Production consultant was Cameron Doherty.