Do you believe that ransomware is inevitable?
I like to draw this correlation: Is it possible to prevent 100% of kidnappings? Because every large company has a kidnapping policy as well as protection, insurance and steps for mitigation. I don't think it is possible; it depends on where you're operating, but there is no 100% security against it. Ideally, we don't want to have rampant kidnapping attacks across US corporations. They'd be horrific hostage attacks. So I think ransomware is a similar situation: You don't want to have a lot of it. But most networks are so negligent at this point that it's trivial to execute ransomware at scale.
During a CISO roundtable I heard people say that we simply have to accept that ransomware is going to happen. I don't believe that. We can approach these zero-days and malware in a lot of different ways. When I was an infrastructure guy, I couldn't say, "Oh, it's inevitable that these servers will be down, so production will be out for three weeks. It's just what happens in IT." That would never be acceptable. And yet, we're accepting that the attackers are already in and moving around our network because of the way our networks are designed.
Unfortunately, ransomware attacks have become so frequent that they are practically unavoidable at this point. Ransomware extracted at least $590M in the first half of 2021 alone, more than the $416M tracked in all of 2020, according to the US government's Financial Crimes Enforcement Network (FinCEN). Ransomware-as-a-Service (RaaS) tools even allow ransomware developers to profit from cybercriminal affiliates who deploy it against victims! I heard a great quote on this issue: "Ransomware attacks are inevitable. Paying the ransom isn't." Until some very tough decisions are made around what is needed to stop the ransomware problem, it will remain inevitable.