The past eighteen months have been tumultuous, to say the least. As well as struggling with the fallout from a global pandemic, we’ve also seen some of the most devastating cyberattacks on record, from the now infamous SolarWinds breach, which impacted organizations as large as Cisco, Microsoft and even the US government, right through to a ransomware attack on the US Colonial Pipeline, which disrupted the transport of oil to roughly half of the US east coast. With cybercrime enjoying an apparent surge during the pandemic, and insurers like AXA now refusing to pay out for ransomware demands, businesses have a lot to think about. In the second of a new series of live cyber threat briefings, Adversary Simulation Lead Aaron Dobie and Product Marketing Manager Andrew O’Hara discussed the issue.
Our second cyber threat briefing session began with a short overview of what we actually mean when we talk about ransomware. It’s actually a subset of malware in which a criminal organization will attempt to gain access to a company’s systems before encrypting the data and holding it to ransom. The only way to recover said data would be to pay the bad actors for the private key they created when encrypting the data.
It can feel like a lose-lose situation for many businesses, but it gets worse. Extortion for money is just one route bad actors might take. Others include blackmail, where the criminal organization will threaten to publish sensitive data on the web, or even auctioning the data off on the dark web to other bad actors who may have an ax to grind. So-called “wiperware” has also started to emerge, where a business’s data is completely wiped in the process of extracting money. One key point that emerged in the session was that ransomware is rarely deployed or activated immediately after gaining access to a network. It’s a premeditated process that often spans weeks or months, going completely undetected.
Our session then turned to the most recent example of a large-scale ransomware attack – the one that targeted the US Colonial Pipeline in May 2021. The Colonial Pipeline is a cross-US pipeline that moves oil and relies on a large amount of SCADA (supervisory control and data acquisition) equipment. Ransomware infected a large portion of the company’s network and brought all operations to a halt.
It was initially attributed to the criminal group DarkSide, though the initial infection vector remains unclear. Ultimately, the company paid $4.4 million in ransom and is now back online.
Colonial Oil Industries’ response contrasted with that of the Republic of Ireland’s Health and Safety Executive (HSE), which was hit by ransomware attributed to the Conti group. This attack tried to extract a €20 million payment, but the HSE was alerted earlier and was able to take a more proactive response, bringing systems offline to stop the spread. Unlike the Colonial Pipeline incident, the HSE is not making any payment and is looking to bring its network back online by cleaning up specific sections.
With ransomware on the rise, it’s been tempting for businesses to simply fall back on their insurance plans to cover any ransomware payments they incur. However, as demonstrated by HSE and others, there are precautionary measures a business can take to limit and remediate the impact of ransomware, which is making insurers less keen to pick up the tab. In France, for instance, the insurer AXA has made a public statement saying they’re going to stop paying out for ransomware payments if businesses can’t demonstrate best practice controls for mitigating the threat. So the incentive for businesses to get on top of their cybersecurity has now increased dramatically, with many risking invalidating their insurance if they can’t demonstrate that tough measures are in place.
It might seem like an easy solution for businesses with deep pockets to simply pay the ransom, especially if suffering a basic extortion ransomware attack. However, by paying the ransom, they’re playing right into the hands of the criminals and exacerbating the problem. The more ransom payments that are made, the more the practice will increase. That said, whether a business should or should not pay a ransom when their back is truly up against the wall and to not pay would result in total business collapse – that’s a wider ethical and philosophical question.
Businesses need to implement multiple controls that will act to either stop or limit the impact or risks posed, often referred to as “defense in depth.” These controls should be validated with appropriate testing to ensure they are effective.
The first stage is to mitigate the initial access vector. Typically, ransomware is deployed in the network either via a spear-phishing campaign that places malware on an endpoint, or via exploitation of a public-facing host; either gives the attacker an initial foothold in your internal network. The second stage is limiting lateral movement, which requires hardening the network as well as the servers that aren’t at the perimeter but are potentially reachable from hosts that are, since that is where an attacker would take their second step into your network.
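As an added illustration of the second stage (not code from the original briefing), the script below checks constructed firewall connection logs against two lateral-movement rules a hardened network would enforce: perimeter (DMZ) hosts must never initiate admin-protocol connections (SMB, RDP, WinRM) into the internal range, and no internal host should reach an unusual number of internal peers on those ports. The subnets, ports, fan-out threshold and log format are all assumptions for the example.

```python
"""Flag lateral-movement indicators in constructed firewall connection logs."""
import ipaddress
from collections import defaultdict

DMZ = ipaddress.ip_network("203.0.113.0/24")   # assumed perimeter range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
FANOUT_LIMIT = 3  # assumed: more distinct admin-port peers than this is suspicious

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.10 10.1.2.3 445 ALLOW
2021-06-01T10:00:05Z 10.1.2.3 10.1.2.20 3389 ALLOW
2021-06-01T10:00:06Z 10.1.2.3 10.1.2.21 445 ALLOW
2021-06-01T10:00:07Z 10.1.2.3 10.1.2.22 445 ALLOW
2021-06-01T10:00:08Z 10.1.2.3 10.1.2.23 5985 ALLOW
2021-06-01T10:00:09Z 10.1.2.40 10.1.2.41 443 ALLOW
2021-06-01T10:00:10Z 203.0.113.11 10.1.2.3 443 ALLOW
"""


def parse(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def analyse(log_text):
    """Return (perimeter_violations, fanout_alerts) found in the log text."""
    perimeter_violations = []          # DMZ -> internal admin-port connections
    peers = defaultdict(set)           # internal src -> internal dsts on admin ports
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse(line)
        # Only allowed connections to internal hosts on admin ports matter here.
        if action != "ALLOW" or port not in ADMIN_PORTS or dst not in INTERNAL:
            continue
        if src in DMZ:
            perimeter_violations.append((ts, str(src), str(dst), ADMIN_PORTS[port]))
        elif src in INTERNAL:
            peers[str(src)].add(str(dst))
    fanout_alerts = {s: sorted(d) for s, d in peers.items() if len(d) > FANOUT_LIMIT}
    return perimeter_violations, fanout_alerts


if __name__ == "__main__":
    violations, fanout = analyse(SAMPLE_LOG)
    for v in violations:
        print("perimeter host initiated %s into internal network: %s -> %s at %s" % (v[3], v[1], v[2], v[0]))
    for src, dsts in fanout.items():
        print("fan-out from %s to %d internal hosts on admin ports: %s" % (src, len(dsts), ", ".join(dsts)))
```

Blocking the first pattern at the firewall is the network-hardening control the briefing refers to; the second pattern is what detection should alert on when that control is missing or bypassed.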