Ransomware attacks are malware-based attacks that encrypt an organization’s data, and then demand a ransom to receive an electronic key to unlock access to the data.
We’ve all heard about some of the recent high-profile ransomware attacks.
In May 2020, top U.S. fuel pipeline operator Colonial Pipeline shut down its entire network, the source of nearly half of the U.S. East Coast’s fuel supply, after a cyber attack that involved ransomware.
Colonial transports 2.5 million barrels per day of gasoline, jet fuel and other fuels through 5,500 miles of pipelines. The head of Colonial Pipeline shut down the pipeline’s operations for a week, creating long lines at gas stations and driving the price of oil to $3 a gallon for the first time in years. Reports are that Colonial paid nearly $5 million as a ransom to the cybercriminals. Ultimately, Colonial was able to recover about $2.3 million of the ransom due to the efforts of federal authorities; however, such recoveries are rare.
The world's largest meat processing company, JBS Foods, was also shut down by hackers earlier this year. JBS USA ultimately paid an $11 million ransom.
Unlike supply chain attacks, such as the massive breach known as SolarWinds, the motivation for ransomware attacks is purely financial, as voiced by a written communication from DarkSide, the group responsible for the Colonial Pipeline hack: “Our goal is to make money, and not creating problems for society.” However, since these groups are regularly targeting schools and hospitals, creating problems is exactly what they’re doing.
In addition to closing down operations, variations include threats to publish confidential data on the Internet if the ransom is not paid.
How does it happen?
- Through phishing email – an email that often looks like it comes from a reputable source carries a malicious attachment, or a link to a site, that acts as a sort of Trojan Horse.
- Through your provider – known as a supply chain attack, the hackers insert code into a benign software component that is then pushed out to multiple users in the form of an update.
Why is it getting worse?
- Criminals are becoming more sophisticated – they can encrypt backups first, leaving a company with no fallback position.
- Fueled by the near complete anonymity and the limited capability of law enforcement to trace and recover cryptocurrency transactions, cyber criminals have become emboldened to attack any targets they believe can be successfully compromised and coerced into paying a ransom.
- Cyber criminals are encouraged every time a company pays a ransom, so more and more are “getting into the business.”
What are some common flaws that enable ransomware?
Analysis of publicly disclosed ransomware attacks has revealed several flaws that were either already known to the victims or should have been discovered by the typical governance and oversight processes recommended by security and IT professionals. In many cases:
- Internet-facing systems had vulnerabilities that were not patched
- Employees were somewhat or highly susceptible to phishing attacks
- Data backup programs were either nonexistent or had not been fully tested in a long while
Key Defensive Measures
- Keep systems maintained
  - Perform vulnerability scans and pen tests
  - Deploy patches quickly and comprehensively
- Limit your attack surface
  - Restrict ports/protocols
  - Limit access rights
  - Minimize mount points
- Train your personnel
  - Awareness training
  - Phishing tests
  - Incident response
- Reduce your exposure
  - Email filters
  - Browser filters
  - Software whitelists
Above all, upper management must prioritize cyber security, because a choice between paying an exorbitant ransom, shutting down operations, or exposing sensitive customer data isn’t a choice at all.
For more information on the Ransomware Epidemic, watch the replay of our webinar.