On Friday, May 7, the Colonial Pipeline Company, a major transporter of fuel on the U.S. East Coast, was hit with a ransomware attack using the Darkside ransomware. While the attack did not affect systems directly related to fuel pipelines or other industrial equipment, it did effectively disable the IT systems at Colonial, which forced all operations to shut down as a precaution. This caused significant disruptions in the gas supply chain for the South East U.S. and beyond, prompting the Biden Administration to declare a state of emergency.
While this attack was particularly disruptive to the U.S. economy, businesses being attacked by ransomware is not new. In fact, over the past several years, ransomware attacks have significantly increased. Victims of ransomware attacks are found in nearly every single business sector in the U.S., regardless of size or services offered. Universities, City governments, even small businesses, are all targets of cybercriminals who use ransomware as a pure money-making scheme. With the number of attacks only increasing, every business must consider itself a potential target.
What is Ransomware?
Ransomware is a form of malicious software or malware that infects a computer and encrypts its files so that a legitimate user can no longer access them. The ransomware operator then holds the key to the encryption (allowing systems to decrypted) as ransom. Ransom can be set anywhere between a few thousand dollars to a reported 50 million leveraged against a supplier for Apple. Ransomware is used by many different groups, including state actors and sophisticated cyber-criminal gangs.
It is effective because it is easy to implement and hard to trace, both in payment and by its operators. Ransomware can come in many different forms, with Ryuk being one of the more popular types used today. Typically, it is sent via email to users as a malicious attachment or link that is then downloaded. Once on a system, ransomware can hide for weeks slowly, reconning the network and spreading across to other systems before its encryption payload is activated. This allows gangs to attack multiple systems at once to make a more significant impact.
Ransom payments are usually extracted through cryptocurrency, which is extremely difficult to trace.
Since the encryption used is nearly impossible to break, and backups take days or weeks to set up (or, in a worst-case scenario, can be destroyed or encrypted by the ransomware), many companies are forced to pay the operators to get back their data. Many gangs have also taken to stealing and then leaking data to force companies to pay in order to both obtain the key but also stop the leaks. All these factor into ransomware’s explosive popularity. The graph below, taken from a report by Black Fog, shows the number of successful attacks during 2020 and into the first part of 2021.
Unfortunately, there is not a simple solution to preventing and mitigating ransomware. Ransomware operators spend considerable time and resources in learning how to bypass even advanced security controls. This means that just having an endpoint protection solution is not enough to stop ransomware. The best defense is a comprehensive security program that actively looks for threats.
The best controls to focus on to prevent ransomware include:
- Employee Training- since most malware is sent via phishing emails, training employees to spot these and avoid clicking on links or downloading attachments helps prevent the attack before it starts.
- Comprehensive Logging and Monitoring- Ransomware uses set techniques that exploit certain system processes to execute their attacks. Logging critical processes across all systems, including desktops, and using monitoring tools like a SIEM solution, is essential to identifying ransomware activity before it has a chance to deploy fully.
- Routine and Segmented Backups- Should the worst happen, having backups that are segmented from the rest of the network can be vital to limiting the damage done by ransomware. It would be best if you also had a plan in place on how to restore systems best when an incident like ransomware happens.
Regardless of what controls you have in place, nothing beats having a robust security program that follows proven standards to consistently assess your organization’s security posture. Using the NIST Cybersecurity Framework to determine how your organization manages security controls is an excellent start to building the foundation required to meet modern adversaries.
For many organizations, though, security may be a new field that is outside their expertise. That’s why it’s crucial to have a trusted partner to help guide you on your security journey, which has experience in meeting emerging threats and can help with security management, risk management, NIST Cybersecurity Framework consulting, and many other disciplines.
Whether you are just starting your security journey or evolving to respond to new threats, Edafio can support your needs. Reach out today for a no-obligation consultation to learn how our security experts can help ensure that your organization does not become the next ransomware headline.