John Shier, Senior Security Advisor at Sophos, on ransomware
Since the COVID-19 pandemic, pets video-bombing online meetings have amassed millions of views. As such, when I meet John Shier on a video call, he’s not alone. “This is a little French bulldog that we're dog-sitting, and every once in a while he gets a little excited!”
Dog-sitting in Toronto is not Shier’s full-time occupation – he is a Senior Security Advisor and Senior Research Scientist at software development company Sophos.
“I'm usually a Senior Security Advisor for the press, but what that really means is I work in the office of the Chief Technology Officer as a liaison as well as those of all the different research groups within the organisation,” Shier explains. “We have our Sophos labs that do threat research, our Sophos AI team, an anti-exploit team, and our MDR group, which generates intelligence through the activities that they do monitoring our customers' environments. A subset of that is the Rapid Response Group, which is our Incident Response Investigation Group.”
Shier takes all of that information, synthesises it and then contextualises it within the security industry. “I look at what we are seeing as a broader industry; how does that fit and how does security itself fit within it? The idea is to be able to hopefully provide advice on how to better protect individuals and companies, as we're all trying to navigate this crazy digital world.”
Sophos is a global leader and innovator of advanced cybersecurity solutions, which include managed detection and response as well as incident response services. The company has a broad portfolio of endpoint, network, email and cloud security technologies that enable companies to better protect themselves and defeat cyber attacks.
Threats behind manufacturing cyber attacks
The difference between a cyber attack and a ransomware attack is simple: information gained in a ransomware attack is kept from the public and offered back to the victim for a price, whereas in a cyber attack, there is no offer of negotiation. But who are the people committing these attacks – pariah states or a lone wolf with a grudge or financial incentive to wreak havoc?
“I would say that it's fairly rare to have nation states behind ransomware attacks that are for profit,” says Shier. “Nation states are generally after information, they're not really in it to make money; they're gathering intelligence, state secrets, intellectual property and information about activists.”
Metal manufacturer Aurubis was hit by a cyber attack last year. “They believe it’s a part of a broader attack against the manufacturing sector – and this has impacted some of their IT systems,” he says.
But Shier saw one silver lining: based on the company's reporting, the Environmental Protection side of the business was only minimally impacted. “They were still able to ingest materials and ship materials. If a large manufacturer like that goes down for any length of time, then it has these ripple effects through the supply chain.”
Aurubis is the EU’s largest supplier of copper, so a delay in their production could have a fairly large domino effect on the manufacturing sector.
“Ransomware is a financially motivated crime, with individuals who are a part of an affiliate network.” In such cases, affiliate networks are the creators of the ransomware that provide the actual software doing the encrypting. They also provide other services like payment and negotiation services, as well as dashboards for victim management.
“There's another tool called Exmatter, which is also a data-stealing tool that is being used by several different groups,” explains Shier. “It could be a single person that's part of this affiliate programme or it could be a bunch of people. You can also be part of more than one such programme. There's a whole bunch of these ransomware groups; as a group or an individual, you can participate in many of these schemes. Generally, they take anywhere from 10-20%, then the affiliates themselves get the rest of the profit.”
Sophos's ‘State of Ransomware in Manufacturing’ report
Every year, Sophos conducts a global survey about the IT and security industry.
“We asked 5,600 respondents across 31 countries about what they wanted to find out more about. The answer was ransomware, the one threat that just refuses to go away.”
Sophos found that 55% of companies in manufacturing were hit in the reporting year of 2021, versus a global average of 66%.
“That's good in relative terms, because they're below the global average, but over half of the sector is getting hit and attacks appear to be increasing.”
Sophos also asked whether those who were hit by ransomware attacks paid the ransom or not and how much they paid. 33% paid, versus a global average of 46%.
“This is not an indictment or criticism of the companies themselves, but this means that 33% of those companies are directly funding criminals. Sometimes, you just have to because it's incumbent on the survival of your business, so we fully understand that.”
A lot of this has to do with whether the company has reliable backups or cyber insurance.
Overall, Shier did not find the results surprising.
“The problem I have as a jaded security guy that's been in this industry a little too long is that some of this stuff was not shocking to me. If you have a vulnerable service or exposed system, you will be found out by cyber criminals.”
For Shier, the results confirmed what he already knew – everybody is a target.