Canadian Security Magazine

Mainframes and the unseen ransomware threat

By Al Saurette   


By now it’s clear just how serious the cybercrime problem has become. Each year, it drains an estimated $3 billion from the Canadian economy, a situation that is expected to worsen as criminals find new and innovative ways to penetrate cybersecurity defences.

The problem of ransomware – taking control of sensitive data or operations and keeping it encrypted until a ransom has been paid – has become especially problematic. In August a national report found that cybercriminals were linked to $530 million in damages in Canada in 2022.

Like all predators, ransomware criminals look for the weak links in a line of defence and target them. That is why it’s so important that organizations take advantage of cutting-edge security solutions, train their people to practice effective cyber hygiene, and continually monitor for gaps in their defences.

One aspect of those defences that is too often overlooked is mainframe computing.


One thing that Fortune 1000 companies, governments, utilities, and large public sector organizations have in common is a reliance on mainframe technology, which sits at the core of their IT platforms and provides the foundation for their mission-critical, day-to-day operations. Anyone who has used an ATM, for example, has almost certainly interacted with a mainframe. And most major websites rely on mainframes to store their production databases. A major outage would result in a catastrophic backlog of financial transactions.

High-profile targets such as large corporations, government agencies, and critical infrastructure providers are increasingly more attractive to cybercriminals. They’re viewed as having more financial resources and valuable business data, personal information, or intellectual property. Ransomware actors believe that they can demand higher ransoms for the potential damage if their data is made public or destroyed. They also believe that such targets can potentially provide large payouts to avoid regulatory fines and reputational damage.

For that reason, stringent mainframe security is of paramount importance. The implications of a breach, from a data security or business operations point of view, are hard to overstate. For a variety of reasons, however, many organizations lack a clear understanding of the risk to their mainframe environments. This is partly because the attention in recent years has shifted to security risks associated with cloud computing and hybrid working models. As well, today’s organizations are home to a new generation of security professionals who have little experience with mainframes. Those that do tend to be older and closer to retirement, leaving a skills and awareness gap. It’s a question of risk versus consequence.

That leaves many large businesses sitting on a significant risk they are not adequately prepared for. Companies that oversee mainframe environments should consider implementing new approaches and measures that will further strengthen their ransomware defences.

Mainframes are at greater risk than you might believe

Discussions around mainframe security often bring to light some widely held – and quite mistaken – beliefs: that their aging or simplified architecture has fewer vulnerabilities, making them essentially hacker-proof; or that they occupy a unique place in the enterprise IT stack, not connected to the outside world where the real danger lies.

These myths are dangerous. Today’s mainframes are regularly accessed by workers and are connected to applications that do everything from handling e-business transactions to personal banking.

Address the most serious problem – malicious encryption

Encryption is a ransomware attacker’s best friend. Hackers have done an unfortunately effective job at weaponizing encryption, which helps ensure that their intrusions go undetected until it’s too late. This challenge is compounded by the fact that large organizations regularly deal in legitimately encrypted information, so simply looking for encryption is not enough.

One critical area that cybersecurity researchers are focused on is the ability to immediately detect, flag and weed out malicious encryption. This ability can greatly reduce the impact of ransomware, minimizing the risk of damage and making recovery a much faster process.

Accept that the problem is chronic and here to stay

Attackers are smart, patient, well-funded and very organized. In fact, in certain parts of the world, hacking is a growth industry. They also only need to be successful once. Often when they gain access, modern attackers embed multiple back doors, then obscure the original entry point. Or they may install “time bombs” that are pre-set to activate unless otherwise instructed. Since malware lives on persistently in a software layer, attempts to restore data will prompt attackers to simply use another back door or time bomb to re-encrypt your data.

Over the past three years, there has also been a surge in specific security breaches and cyberattacks, including ransomware. According to the Ponemon Institute’s IBM 2023 Cost of a Data Breach Report, the average global cost of a data breach in 2023 reached US$4.45 million, representing a 15 per cent rise over the preceding three years.

It is of utmost importance for large organizations to operate with a comprehensive grasp of the contemporary ransomware landscape and to realign their priorities accordingly.

The lessons for those with mainframe environments are clear. Complacency is the enemy. Be as proactive as possible in your thinking, look critically at your systems and implement continuous smart monitoring to spot malicious software changes. That approach, plus staying informed about emerging threats, building threat intelligence, and committing to best security practices are the best ways to avoid becoming the next ransomware victim.
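The two practical points above, that merely spotting encryption is not enough because legitimate encrypted data is everywhere, and that continuous monitoring for unexpected changes is the defender's best lever, can be illustrated with a small detection routine. The following is an added example written for this page, not code from the article, the author or MainTegrity. It assumes a snapshot of datasets held in an in-memory dict (a stand-in for a real volume or dataset scan), takes a SHA-256 baseline once, and on each later sweep reports files that changed and whose new content has the high Shannon entropy typical of ciphertext, unless the path is on an allowlist of locations that are expected to hold encrypted data. The dataset names, the sample records and the 7.5 bits-per-byte threshold are all constructed for the example.

```python
"""Added example: change-plus-entropy monitor for spotting malicious encryption.

Not the article's or any vendor's code. A real deployment would be fed by
dataset change events rather than an in-memory dict (assumption).
"""
import hashlib
import math
import random
from collections import Counter

# Maximum possible entropy is 8.0 bits/byte. Text and structured records sit
# well below 6; ciphertext and compressed data cluster near 8. The threshold
# below is a tunable assumption chosen for this example.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record a content hash for every known path; run once on a trusted state."""
    return {path: sha256(content) for path, content in files.items()}


def sweep(files: dict[str, bytes], baseline: dict[str, str],
          allowlist=frozenset()) -> list[tuple[str, str, float, bool]]:
    """Compare a fresh snapshot against the baseline.

    Returns one finding per changed, new or deleted path as
    (path, status, entropy, suspicious). A changed path is suspicious when its
    new content looks encrypted and it is not on the allowlist; a deleted path
    is always reported as suspicious, since originals are commonly removed
    after being encrypted (policy choice made for this example).
    """
    findings = []
    for path, content in files.items():
        if baseline.get(path) == sha256(content):
            continue  # unchanged since baseline: nothing to report
        status = "modified" if path in baseline else "new"
        ent = shannon_entropy(content)
        suspicious = ent >= ENTROPY_THRESHOLD and path not in allowlist
        findings.append((path, status, round(ent, 2), suspicious))
    for path in baseline:
        if path not in files:
            findings.append((path, "deleted", 0.0, True))
    return findings


def suspicious_paths(findings) -> list[str]:
    """Just the paths an operator should look at, in sorted order."""
    return sorted(f[0] for f in findings if f[3])


# Constructed sample snapshot. A seeded PRNG stands in for ciphertext so the
# example is deterministic; the dataset names are invented.
_rng = random.Random(42)
BEFORE = {
    "PROD.CUSTOMER.MASTER": b"ACCT 0001 SMITH JOHN    BALANCE 0001234.56\n" * 50,
    "PROD.PAYROLL.JOB": b"//PAYROLL JOB (ACCT),'RUN',CLASS=A\n" * 20,
    "PROD.KEYS.ARCHIVE": _rng.randbytes(4096),  # legitimately encrypted store
}
# After the event: the customer master has been overwritten with "ciphertext",
# the payroll JCL got a routine edit, the key archive is untouched.
AFTER = dict(BEFORE)
AFTER["PROD.CUSTOMER.MASTER"] = _rng.randbytes(len(BEFORE["PROD.CUSTOMER.MASTER"]))
AFTER["PROD.PAYROLL.JOB"] = BEFORE["PROD.PAYROLL.JOB"] + b"//STEP2 EXEC PGM=IEFBR14\n"

ALLOWLIST = frozenset({"PROD.KEYS.ARCHIVE"})


def run_example():
    baseline = take_baseline(BEFORE)
    return sweep(AFTER, baseline, ALLOWLIST)


if __name__ == "__main__":
    for path, status, ent, flag in run_example():
        print(f"{'ALERT ' if flag else 'info  '}{path:24} {status:9} entropy={ent}")
```

The routine edit to the payroll job is reported but not flagged, the rewritten customer master is flagged, and the key archive is ignored because its hash never changed; had it been replaced with fresh random bytes it would still pass, because it is allowlisted. That is the point the article makes: an entropy test alone cannot tell ransomware output from a legitimately encrypted dataset, so the signal has to be combined with a change baseline and knowledge of where encrypted data is supposed to live.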

Al Saurette is CEO of Calgary-based MainTegrity. He has a 30+-year track record of serving governments, major banks, and insurance entities across North America and Europe.
