America is waking up to the reality of ransomware. Recent high-profile attacks on major infrastructure, tech giants, and critical supply chain components underscore our vulnerability to this threat. Unfortunately, this is just the beginning of a potentially perilous chapter in our history.
Of course, ransomware has historical precedent. While many of the threat actors behind the recent attacks appear to be criminal groups without national allegiances, appearances can be deceiving. In actuality, we’re witnessing something similar to sixteenth-century piracy. Just as privateers were authorized to harass gold-laden Spanish ships bound for the Americas, modern nation states are turning a blind eye to the actions of cybercriminals within their borders, allowing them to profit as long as they exclusively target adversaries.
And profit they are. A recent Institute for Security and Technology report estimates that victim payouts increased by 311 percent in 2020. Ransomware resulted in an average downtime of 21 days for breached companies, with full recovery taking about 287 days. In total, companies paid about $350 million to cybercriminals in the same year, and the average payment increased by 171 percent.
Cybercriminals are shrewd. The prevailing payout trends are positive reinforcement, with recent multi-million-dollar payments from Colonial Pipeline and meat processing giant JBS providing further incentive.
Anatomy of an attack
In a ransomware attack, cybercriminals use a specific type of malware—often Cryptolocker—to encrypt a victim’s files. With the files under their control, cybercriminals then demand a ransom, typically paid in cryptocurrency, to restore access to the files. Once the victim pays, they receive a decryption key.
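The distinguishing behaviour described above is that ordinary documents are rewritten, in bulk and in a short span of time, with content that no longer looks like documents. One defensive check that follows from this, added here as an illustration and not code from the original post, is to compare the Shannon entropy of a file before and after a write and to flag a burst of plaintext-to-high-entropy rewrites. The detector, threshold values, file names and the "ciphertext" stand-in (a SHA-256 keystream used only so the sample runs offline) are all constructed for the example.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
ENTROPY_JUMP = 2.0        # minimum rise from the pre-write content to count as suspicious
BURST_WINDOW_SEC = 10.0   # many such rewrites inside this window suggest mass encryption
BURST_COUNT = 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    path: str
    before: bytes   # file content before the write
    after: bytes    # file content after the write
    ts: float       # event time in seconds


@dataclass
class EncryptionBurstDetector:
    suspicious_ts: list = field(default_factory=list)

    def observe(self, ev: WriteEvent) -> bool:
        """Return True if the write replaced low-entropy content with high-entropy content."""
        e_before = shannon_entropy(ev.before)
        e_after = shannon_entropy(ev.after)
        # Requiring a jump, not just a high final value, keeps legitimate rewrites of
        # archives or already-encrypted files from triggering.
        suspicious = e_after >= ENTROPY_THRESHOLD and (e_after - e_before) >= ENTROPY_JUMP
        if suspicious:
            self.suspicious_ts.append(ev.ts)
        return suspicious

    def burst_detected(self, now: float) -> bool:
        recent = [t for t in self.suspicious_ts if now - t <= BURST_WINDOW_SEC]
        return len(recent) >= BURST_COUNT


def simulated_ciphertext(length: int, seed: int) -> bytes:
    """Constructed stand-in for encrypted output (a SHA-256 keystream); NOT real encryption."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample document: ordinary English text has roughly 4 to 4.5 bits/byte.
SAMPLE_DOC = b"Quarterly revenue report. Revenue rose 4% on strong pipeline demand. " * 30


def run_demo() -> dict:
    """Feed constructed write events through the detector and return what it flagged."""
    det = EncryptionBurstDetector()
    t0 = 1000.0
    results = {}
    # A normal edit: plaintext stays plaintext, so no flag.
    results["benign_edit"] = det.observe(
        WriteEvent("notes.txt", SAMPLE_DOC, SAMPLE_DOC + b"\nAction items: none.", t0))
    # Rewriting a file that was already high-entropy (an archive): high, but no jump.
    results["archive_rewrite"] = det.observe(
        WriteEvent("backup.zip", simulated_ciphertext(2048, 1), simulated_ciphertext(2048, 2), t0 + 1))
    # Five documents rewritten with high-entropy content within a few seconds.
    flagged = []
    for i in range(5):
        ev = WriteEvent(f"doc{i}.docx", SAMPLE_DOC,
                        simulated_ciphertext(len(SAMPLE_DOC), 10 + i), t0 + 2 + i)
        flagged.append(det.observe(ev))
    results["docs_flagged"] = flagged
    results["burst"] = det.burst_detected(now=t0 + 7)
    return results


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the write events would come from a file-system audit source rather than being constructed in code, and the thresholds would be tuned against the environment's normal activity; files that are already compressed or encrypted are deliberately not flagged on rewrite, which is the main source of false positives for naive "high entropy" rules.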
In recent years, targets have gotten bigger, with higher-profile companies becoming prey. Furthermore, cybercriminals have begun exploiting zero-day vulnerabilities: unpatched weaknesses in security that, in theory, only the software vendor knows about. Cybercriminals learn about these vulnerabilities through employee extortion, bribery, or unauthorized access to proprietary data. Recent zero-day attacks have targeted Apple products and Adobe Acrobat.
Ransomware tactics are also evolving to include double-extortion attacks. With a copy of the victim’s data in their possession, cybercriminals demand a ransom for its return. If the victim doesn’t pay, the cybercriminals release the data publicly, resulting in loss of proprietary information, confidential employee and/or client data, potential dirty laundry, and a heap of embarrassment.
One of the more brazen attacks happened earlier this year when Hafnium, a Chinese cybercrime syndicate, breached on-premises Microsoft Exchange Servers. The threat actors exploited a vulnerability to install web shells on compromised servers or computers. The cybercriminals would then take over, extracting data and credentials and demanding a ransom.
Recently, the Biden administration laid the blame for the attack with China.
“Hackers with a history of working for the (People’s Republic of China) Ministry of State Security have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain,” a White House news release read.
The administration joins with the European Union, United Kingdom, and NATO in attributing the attack, “with a high degree of confidence,” to the PRC.
Another standout in the recent hit parade of ransomware attacks was REvil’s breach of Kaseya, a software vendor for IT companies. You might remember REvil as the group behind the attack on meat supplier JBS Foods. This time, REvil targeted VSA, Kaseya’s remote management tool. This is an exceptionally devious tactic because breaching VSA gave REvil access not just to the IT firms, but also to the IT firms’ clients. ZDNet estimates that as many as 1,500 companies have been affected.
For the average American, perhaps the most tangible example of ransomware’s potential for havoc was the recent attack on Colonial Pipeline. Americans caught up in panic-buying gas suddenly realized how vulnerable US infrastructure is to cybercrime. A major American company woke up to the chilling realization of how woefully unprepared it was to meet this emergent threat. And cybercriminals realized just how lucrative the game had gotten when Colonial opted to pay $4.4 million to resolve the attack. As a footnote, we all learned that cryptocurrency isn’t untraceable. The FBI has since recovered about half of the Bitcoin Colonial paid in ransom.
Though arguably the highest-profile breach to date, the ransomware attack on Colonial Pipeline is one among many. For context, check out the attack timeline at the end of this post.
What to do if attacked
In the cybersecurity world, proactivity is almost always better than reactivity. But, let’s cover the worst-case scenario first. When mitigating a ransomware attack, the first thing you should do is contact your cyber liability insurance provider. You have one, right? If you don’t, get a policy. Contacting your cyber liability provider first grants you attorney-client privilege, which may help you coordinate any law-enforcement response.
The next step is to contact law enforcement. If you have a cyber liability provider, they will most likely do this for you. Send reports to the FBI and possibly the Cybersecurity and Infrastructure Security Agency. Start here. Then, stick to your incident response plan. Don’t have one? Work with a proven cybersecurity firm to create one ASAP.
You may be tempted to pay up immediately in order to get back to business. Proceed with caution. The US Treasury Department’s Office of Foreign Assets Control maintains a sanctioned-entity list, which is a rogue’s gallery of sanctioned individuals, groups, and entities (think terrorists and drug traffickers), with which Americans are prohibited from transacting. Let’s say the group that attacked you is on the list. Pay up, and you could be on the wrong side of the law.
How to avoid an attack
Preparedness is key. In addition to having cyber liability insurance and an incident response plan, your company should be proactive in the following ways:
- Implement tight endpoint protection policies: Your IT department should be precise about the scan schedule, the files and folders that get scanned, and the response for when scans reveal malware.
- Segregated backups: Critical data should be backed up using cloud-based storage at scheduled intervals. This way, in the event of a ransomware attack, you have access to at least some of your data.
- Restrict access: Core datasets and blobs should be accessible only to those who need them.
- Multifactor authentication: Do not use SMS, which is breachable. Stick with a proven authenticator application.
- Employee training: Many ransomware attacks originate with spear phishing. For example, an employee receives an email from a compromised company account, requesting that they supply confidential information. Your employees must know how to spot this tactic and, more importantly, why spear phishing is a serious threat.
- Know your team: Many ransomware attacks originate from inside an organization. Clearly map out who has access to what, as well as potential disgruntled former employees who might harm your company.
- Know your supply chain: It isn’t just your digital footprint that’s susceptible to cybercrime. Any company with which you transact business could be a vector of attack. Ask about what precautions they’re taking.
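A segregated backup is only useful if you can confirm, before restoring, that it has not itself been encrypted or deleted, and that it is recent enough to be worth restoring. The example below is added here to show that check and is not code from the original post: it records a SHA-256 digest per backed-up file in a manifest, stores a single fingerprint of that manifest separately (which is where an offline or immutable copy would live), and later verifies a backup set against both. The file names, contents, timestamps and the 24-hour recovery-point objective are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    created_at: float   # backup time, seconds since epoch
    digests: dict       # path -> hex SHA-256 of the file content at backup time


def build_manifest(files: dict, created_at: float) -> Manifest:
    """Hash every file in the backup set; `files` maps path -> bytes."""
    return Manifest(created_at,
                    {p: hashlib.sha256(b).hexdigest() for p, b in sorted(files.items())})


def manifest_fingerprint(m: Manifest) -> str:
    """One hash over the whole manifest, to be kept apart from the backup itself."""
    payload = json.dumps({"created_at": m.created_at, "digests": m.digests},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def verify_backup(current: dict, m: Manifest, stored_fingerprint: str) -> dict:
    """Compare the backup set as it exists now against the manifest it was written with."""
    report = {
        "manifest_ok": manifest_fingerprint(m) == stored_fingerprint,
        "tampered": [],    # present, but content no longer matches the recorded digest
        "missing": [],     # recorded in the manifest, no longer present
        "unexpected": [],  # present, never recorded (e.g. a dropped ransom note)
    }
    for path, digest in m.digests.items():
        if path not in current:
            report["missing"].append(path)
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            report["tampered"].append(path)
    report["unexpected"] = sorted(set(current) - set(m.digests))
    report["restorable"] = (report["manifest_ok"]
                            and not report["tampered"] and not report["missing"])
    return report


def backup_is_fresh(m: Manifest, now: float, rpo_seconds: float) -> bool:
    """True if the backup is within the recovery-point objective."""
    return (now - m.created_at) <= rpo_seconds


# Constructed backup set: three small files as they were at backup time.
GOOD_SET = {
    "finance/ledger.csv": b"date,amount\n2021-07-01,1200\n2021-07-02,-300\n",
    "hr/roster.txt": b"alice\nbob\ncarol\n",
    "ops/runbook.md": b"# Runbook\n1. Page on-call.\n",
}
BACKUP_TIME = 1_625_000_000.0
RPO_SECONDS = 24 * 3600


def run_demo() -> dict:
    manifest = build_manifest(GOOD_SET, BACKUP_TIME)
    fingerprint = manifest_fingerprint(manifest)   # this string is what you keep offline

    # Case 1: the backup is untouched.
    clean = verify_backup(dict(GOOD_SET), manifest, fingerprint)

    # Case 2 (constructed): one file overwritten, one deleted, one unknown file added.
    damaged_set = dict(GOOD_SET)
    damaged_set["finance/ledger.csv"] = b"\x8f\x13garbage-standing-in-for-ciphertext\x00\x77"
    del damaged_set["hr/roster.txt"]
    damaged_set["READ_ME.txt"] = b"your files are unavailable"
    damaged = verify_backup(damaged_set, manifest, fingerprint)

    # Case 3: the manifest itself was edited after the fact; the offline fingerprint catches it.
    edited = Manifest(manifest.created_at,
                      {**manifest.digests, "finance/ledger.csv": "0" * 64})
    forged = verify_backup(dict(GOOD_SET), edited, fingerprint)

    return {
        "clean": clean,
        "damaged": damaged,
        "forged_manifest_ok": forged["manifest_ok"],
        "fresh_same_day": backup_is_fresh(manifest, BACKUP_TIME + 3600, RPO_SECONDS),
        "fresh_three_days_later": backup_is_fresh(manifest, BACKUP_TIME + 3 * 86400, RPO_SECONDS),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the separate fingerprint is that a backup and its manifest sitting side by side can be encrypted or rewritten together; a short string kept where the backup process cannot write (a separate account, an immutable bucket, or paper) lets you tell a trustworthy manifest from a replaced one before you restore anything.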
Increasingly, the gold standard for preventing ransomware attacks is the penetration test (i.e. pentest). When you hire a proven cybersecurity firm for pentesting, its team of technicians probes your company’s defenses for weaknesses. The idea is to identify—and correct—the vulnerabilities before cybercriminals exploit them. Regular pentesting from multiple cybersecurity firms is one of the best ways to ensure that your data is secure. Interested in discussing pentesting? Contact us today.
Keep an eye on the horizon
Past is prologue. History shows us how piracy has shaped the fates of nation states. Recent history shows us that for cybercriminals, the stakes and incentives to target American companies have never been higher. In our May post, we posed the rhetorical question, Is something big on the horizon? On the ransomware front of the war against cybercrime, the answer is an emphatic yes.