Dubbed “one of the most disruptive digital ransom schemes reported” by Reuters, the ransomware attack on Friday shut down an entire pipeline network, which is the source of nearly half of the U.S. East Coast’s fuel supply. As of Tuesday, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have put out a joint advisory about the attack. The culprit has been identified as DarkSide, a malware operator that runs Ransomware-as-a-Service (RaaS). You can read the full alert here.
The ramifications for this massive operation going offline are expected to affect the daily consumer. With 2.5m barrels of gasoline per day, along with other sources of energy that typically flow through 5,500 miles of pipelines halted, it is expected that gas prices are going to sky-rocket.
Unfortunately, the oil and gas industry was not the only industry to be hit this past week. Scripps Health of San Diego, California was attacked on May 1. The 5-hospital operation has been struggling to get their servers back online and regain control of critical patient data.
The sad reality of these ransomware attacks, also known as extortionware, is that they are becoming more and more frequent and are no longer isolated to the IT department. Dave Trader, Field CISO at Presidio, answers some of the outstanding questions on these attacks and talks about what could have been done differently.
What are the motives and methods behind ransomware attacks?
Dave Trader: Cybercrime is estimated to cost the global economy in the neighborhood of $6 trillion – that is equivalent to some of the largest economies in the world. Reports show in 2020, ransomware was the top attack type in North America and is a lucrative business that will continue to rapidly evolve and grow. Ransomware as a Service (RaaS) is now a business model for distributing ransomware variants to subscribers offering the same benefits associated with legitimate Software as a Service (SaaS) providers such as regular updates, technical support, access to communities, and documentation.
Phishing and RDP compromise are the top attack vectors utilized with ransomware and the most consistent method of access. Trends over time show that the size of companies being compromised is increasing along with the average ransom payment. This means the methodology used by threat actors is just as effective in larger companies as it is in small companies.
These attacks seem to be widespread, attacking a wide range of industries. What steps can be taken to limit exposure to ransomware?
DT: Absolutely. Ransomware has impacted organizations across various industry verticals led by healthcare and professional firms such as legal and financial services companies. Many of the companies that fall prey to ransomware may not have a dedicated IT staff or see themselves as a primary target and don’t take the necessary steps to keep themselves safe. Lack of consistent policy, segmented network infrastructure, protections, and monitoring make them prime targets for threat actors.
The best strategy in defending against ransomware is building a foundational, resilient security program to address the risk to the business using a security framework. The framework is typically tailored to meet the needs of the organization and provide a prescriptive, scalable methodology to measure the organization’s maturity against industry cybersecurity standards. Gaps in the security program cause risk which leads to potential vulnerabilities and creates exposure. In environments where gaps are identified, prioritized, and mitigated I see those companies significantly reducing their threat landscape.
What are some of the ramifications of ransomware attacks?
DT: The immediate and most common ramifications will be damage to the business reputation, loss of revenue, interruption of services, and the cost of recovery. There are real dollar impacts to slowing down or stopping these business services that will be felt near the consumer such as increased costs or inconvenience. When we get into the area of critical infrastructure related to energy services such as the power grid, or healthcare organizations this type of incident can realistically result in loss of life and have a very serious, sobering impact. It can be arduous, but diligently reducing the attack surface must be a priority.
In your opinion, what could have been done to prevent these attacks?
DT: We need to take a comprehensive and holistic approach to ransomware. Earlier we discussed using security frameworks and methodologies, and in combination with properly deployed security controls offer a formidable defense to ransomware attacks. There isn’t one silver bullet for ransomware, but when we combine our defenses and sync them in harmony, that unison provides a best practice platform that can combat these attacks. The best way to prepare for a ransomware attack is to run practice drills to identify areas of improvement in the environment. We do this through table-top exercises (TTX), attack simulations, and Ransomware Readiness Assessments. Our team will systematically go through the components necessary to protect an environment and review current configurations; all with a goal of protecting your environment from these attacks.
In the event you discover you’ve been attacked, our Incident Response Team is ready to rapidly engage and assist with triage, stabilization, and recovery efforts. Our experts know how to mitigate, remediate, and encapsulate forensic evidence working alongside cyber insurance and legal teams. Attacks like this can be disruptive and our team responds with a sense of urgency to get you back up and running more securely.