Sun Tzu v Ransomware: cybersecurity & The Art of War
RansomHub’s 200 Attacks: A Wake-Up Call for Cybersecurity
In recent months, RansomHub, a relatively new player in the ransomware landscape, has been linked to over 200 attacks, prompting urgent action from the FBI, CISA, and HHS. This wave of attacks, targeting sectors from healthcare to financial services, underscores the growing threat of ransomware. However, RansomHub’s high-profile hits are merely the tip of the iceberg in the vast and complex world of cyber threats. To understand and counter these threats, we can draw on the ancient wisdom of Sun Tzu.
The Growing Scale of Ransomware Attacks
The ransomware problem extends far beyond any single group’s activities. Globally, ransomware attacks are occurring at an alarming rate, with thousands of incidents reported each year. The financial damage is staggering, with costs related to ransomware, including ransom payments, business interruption, and clean-up efforts, now measured in the trillions of dollars. Sun Tzu’s assertion that "all warfare is based on deception" is especially relevant here, as these attacks often exploit the element of surprise, using deception to bypass defences.
Small and medium-sized businesses (SMBs) are particularly vulnerable, with statistics showing that up to 60% of SMBs fail within six months of a ransomware attack. For larger enterprises, the impact includes massive financial losses, damaged reputations, and long-term operational disruptions. In these chaotic situations, Sun Tzu reminds us, "In the midst of chaos, there is also opportunity." This is a call to learn, adapt, and strengthen defences post-incident.
External vs. Insider Threats: The Dual-Edged Sword
Ransomware attacks can be broadly categorized into two types: those originating from external threats and those involving insiders.
External Threats:
These traditional attacks exploit vulnerabilities, often using zero-day exploits, to breach an organization’s defences. Groups like Fancy Bear APT (Russian intelligence) have used zero-days for espionage, while others, like Volt Typhoon APT (Chinese intelligence), have targeted critical infrastructure with the intent to cause destruction. Sun Tzu’s wisdom, "If you know the enemy and know yourself, you need not fear the result of a hundred battles," highlights the importance of understanding both these external threats and your own internal vulnerabilities.
The damage from such attacks can be catastrophic, particularly when critical data is stolen or systems are rendered inoperable.
Insider Threats:
On the surface, insider threats might seem less damaging, with average incident costs around $750,000. These incidents typically involve employees who unintentionally or negligently cause harm by mishandling data or falling victim to phishing scams. Yet, as Sun Tzu advises, "The opportunity of defeating the enemy is provided by the enemy himself," and insiders often unknowingly provide the openings that external attackers need.
However, the situation becomes far more dangerous when insiders actively collude with external ransomware groups like LockBit. In these scenarios, the insider acts as a “mole,” using their legitimate access to facilitate large-scale attacks on their own organization. This collusion can enable more sophisticated and targeted attacks, resulting in significantly higher costs and more extensive damage.
In most ransomware attacks, the threat doesn’t simply vanish after the initial incident. In fact, a significant percentage of organizations experience repeat attacks. According to recent findings by Sophos, 54% of organizations that paid a ransom were hit again, often by the same attackers who either left dormant malware undetected or relied on a complicit insider to reopen the door for another strike. This alarming trend highlights the persistence of these threats; once compromised, the likelihood of a business facing subsequent attacks increases dramatically. Forensics may miss dormant malware, allowing attackers to bide their time and strike again when the organization is most vulnerable. This cycle can lead to multiple ransom payments, each one further crippling the business.
The Spy Within: Modern-Day Double Agents
The collaboration between insiders and ransomware gangs like LockBit can be likened to the actions of infamous double agents like Aldrich Ames and Robert Hanssen. These individuals betrayed their country, leading to the deaths of dozens of American agents in exchange for money—a cheap sellout for a high cost. Similarly, insiders who collude with ransomware gangs are modern-day double agents, selling out their organizations for financial gain while causing potentially irreparable harm. As Sun Tzu warns, "All warfare is based on deception," and these insiders embody that deception to devastating effect.
These "traitors" don’t just provide access; they actively participate in the sabotage of their own company’s defences, much as Ames and Hanssen used their positions to betray national security. The damage caused by such betrayals extends far beyond immediate financial loss, eroding trust and potentially leading to the downfall of the entire organization. Sun Tzu’s strategy of "subduing the enemy without fighting" is a reminder that the best defence is one that makes betrayal and attack so difficult that they are deterred before they begin.
The Abatis Analogy: Fortifying Defences
In the context of this modern spy story, the abatis, a defensive obstacle made of felled trees with sharpened branches that was historically used to slow down and disrupt attacking forces, is a fitting analogy for rendering an OS immutable in cybersecurity.
Abatis as Immutable OS: Just as an Abatis slows down or prevents enemy forces from advancing, an immutable OS creates a hardened defense that prevents any unauthorized changes to critical systems. It serves as a barrier that even insiders with malicious intent cannot easily overcome. This is an embodiment of Sun Tzu’s principle of making the enemy's advances impractical or unappealing.
Zero-Trust as Layered Defense: The zero-trust security model acts like a series of Abatis defences, ensuring that no single point of failure exists. Every access request is scrutinized, and even those within the organization are subject to strict verification processes. This multi-layered approach makes it exceedingly difficult for an insider to facilitate an attack, much like how an attacking force would struggle to penetrate a well-fortified position.
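The two controls just described can be modelled in a few lines of code. The following is an added example written for this article, not code from Abatis Security Innovations & Technologies or any product; the file paths, the policy table, the user and the tampered files are all constructed for the demonstration. The first part keeps a hash baseline of a trusted system image and reports anything that has been modified, removed or added, which is the check an immutable OS enforces continuously. The second part decides each access request on identity, MFA, device posture and an explicit policy grant, and deliberately ignores whether the request comes from inside the corporate network, so an insider holding a valid account still cannot reach a resource their role has no grant for.

```python
import hashlib
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# 1. Immutable baseline: the system image is a fixed, known-good set of files.
#    Anything that differs from the recorded baseline is a violation, whether
#    it was introduced by malware or by an insider with a valid login.
# ---------------------------------------------------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(image: dict[str, bytes]) -> dict[str, str]:
    """Record the SHA-256 of every file in the trusted image (hypothetical paths)."""
    return {path: sha256_hex(content) for path, content in image.items()}


def verify_against_baseline(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, str]:
    """Return {path: reason} for every deviation: 'modified', 'removed' or 'added'.
    An empty dict means the running system still matches the immutable image."""
    violations: dict[str, str] = {}
    for path, digest in baseline.items():
        if path not in current:
            violations[path] = "removed"
        elif sha256_hex(current[path]) != digest:
            violations[path] = "modified"
    for path in current:
        if path not in baseline:
            violations[path] = "added"
    return violations


# ---------------------------------------------------------------------------
# 2. Zero-trust decision: every request is evaluated on its own merits.
#    Being "inside the network" or holding a valid account is never enough;
#    identity, MFA, device posture and an explicit policy grant are all required.
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    on_corporate_network: bool  # recorded for logging, deliberately ignored by policy
    resource: str
    action: str


# Hypothetical policy table: resource -> role -> permitted actions.
POLICY: dict[str, dict[str, set[str]]] = {
    "payroll-db": {"finance": {"read", "write"}},
    "backup-vault": {"backup-admin": {"read"}},  # no role may delete backups interactively
}


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Network location is not a factor in the decision."""
    if not req.mfa_verified:
        return False, "MFA not verified"
    if not req.device_compliant:
        return False, "device not compliant"
    permitted = POLICY.get(req.resource, {}).get(req.role, set())
    if req.action not in permitted:
        return False, f"no policy grants {req.role} '{req.action}' on {req.resource}"
    return True, "explicit policy grant"


def demo() -> dict:
    """Constructed scenario: a system binary has been altered since the image was
    built, and a finance employee with a valid account, on the corporate network,
    tries to delete from the backup vault; the same employee reads payroll legitimately."""
    image = {"/usr/bin/ssh": b"trusted-ssh-binary", "/etc/hosts": b"127.0.0.1 localhost\n"}
    baseline = build_baseline(image)
    tampered = {
        "/usr/bin/ssh": b"trusted-ssh-binary-patched",  # modified in place
        "/etc/hosts": image["/etc/hosts"],              # unchanged
        "/opt/dropper": b"unexpected file",             # not part of the image
    }
    integrity = verify_against_baseline(baseline, tampered)

    insider = AccessRequest("j.doe", "finance", True, True, True, "backup-vault", "delete")
    legit = AccessRequest("j.doe", "finance", True, True, False, "payroll-db", "read")
    return {
        "integrity_violations": integrity,
        "insider_decision": zero_trust_decision(insider),
        "legit_decision": zero_trust_decision(legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the baseline is sealed at image build time and checked by the boot chain and the runtime rather than by a script the same administrator can edit, and the policy table lives in a central policy engine; the logic, however, is exactly this: compare against a known-good state, and grant nothing that is not explicitly allowed for this identity on this device right now.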
Conclusion: Proactive Measures for a New Era of Threats
The ransomware landscape is evolving, with the line between external and insider threats becoming increasingly blurred. As ransomware gangs like LockBit continue to exploit insiders, the need for robust, proactive security measures becomes more urgent. Rendering your OS immutable and adopting a zero-trust approach are crucial steps in defending against these sophisticated attacks.
Sun Tzu’s teachings remind us that the art of defense is about anticipation, preparation, and making the enemy's path to victory as difficult as possible. By fortifying our defences, through immutable OS strategies and zero-trust architectures, we can prevent these attacks before they begin. The stakes are too high to rely on reactive measures. By taking proactive steps, organizations can protect themselves from both external and internal threats, ensuring their resilience in the face of an ever-evolving cybersecurity landscape.
About the Author
Alexander Rogan is CEO at Abatis Security Innovations & Technologies GmbH (Switzerland) and Platinum High Integrity Technologies Limited (UK). Alexander specialises in strategic management and resolution of complex supply chain issues, particularly in challenging and high-risk environments such as the former Soviet Union. Additionally, he has significant expertise in cybersecurity, intelligence gathering (OSINT), and protecting critical business infrastructures from both kinetic and cyber threats. His ability to navigate geopolitical landscapes, coupled with his experience in developing and integrating robust security strategies, positions him as a leader in safeguarding global supply chains, fintech, and e-commerce sectors.
Connect with him on LinkedIn for more insights on cybersecurity trends and best practices.
IT security professional | Book author "Art of Purple Teaming Guidebook"
2 months ago: wowww thank you man