Ransomware Has Gotten So Bad, It’s Aligned with Terrorism
Ransomware has rapidly progressed from an irritating annoyance to a legitimate global threat, with the U.S. Justice Department officially going on the record and establishing that future ransomware investigations will be handled the same way that terrorism cases are now. Let’s review the reasons behind this policy change and how your business should respond.
How Much Worse Has Ransomware Gotten?
Let’s look at this somewhat casually.
Ransomware was never something to be trifled with. However, compared to the attacks we’re seeing today, the attacks of the past seem to be small potatoes at their worst. Having your business’ data encrypted is bad. However, crippled supply chains and interrupted national infrastructures (as we’ve seen in the recent attacks on JBS SA and Colonial Pipeline) are undoubtedly worse.
The dangers that such ransomware attacks pose cannot be overstated, and no business is truly safe. The White House recently said as much in its warning to companies regarding their cybersecurity preparations.
This is Why the US Justice Department is Speaking Out
Understandably concerned about the ramifications such threats could easily pose to national security, the Department of Justice has joined with the White House to draw a line in the sand. As their way of responding to what they accurately described as a “growing threat,” investigations into ransomware cases will now be handled similarly to how terrorism cases are… all stops pulled out in terms of what tools are used.
Other Governing Bodies are Following Suit
Likewise, in response to the JBS hack and the potential economic ramifications it will likely cause, the US Congress is now considering the lack of federal oversight into the cybersecurity protections implemented by meat processors. Such oversight could help to create a more unified strategy to help prevent and mitigate these kinds of attacks and their widespread impacts.
Ransomware Threats are Also Getting Worse
In addition to many ransomware attacks being waged on bigger, higher-value targets, the strategies involved across the board are evolving. Just consider the ideal progression of a ransomware attack from the attacker’s perspective.
1. Use ransomware to encrypt a targeted system
2. Threaten to delete all contents of a targeted system if a ransom isn’t paid
Understanding this, the consensus amongst security-minded businesses was that keeping an isolated backup was the perfect failsafe against such an attack. After all, with the backup to fall back on, the encrypted data could be deleted and replaced at relatively minor cost to the business. This is one of the many, many reasons we always recommend that a business keep a backup squirreled away.
Unfortunately, as will always be the case with cybercriminals, these practices encouraged them to adapt their processes. Lately, more and more attacks are following a slightly different method than what we’ve been seeing:
1. Steal data from a system, using ransomware to encrypt it after the data has been harvested
2. Threaten to delete all contents of a targeted system if a ransom isn’t paid
4. Threaten to leak or sell the stolen data unless a second ransom is paid
5. Profit again
This double-whammy approach to ransomware first came onto the scene in late 2019, and has exploded since. One recent survey found that 77 percent of ransomware attacks now come with threats to leak data if a ransom isn’t paid. This same survey also revealed that such attacks are increasingly directed against SMBs, who have considerably fewer resources than enterprise-level targets.
So, if keeping a backup no longer helps to squash the entire threat, what can a company do?
How a Business Can Resist Ransomware
First, it will help to understand how the majority of modern ransomware attacks begin. About half are enabled by a cybercriminal’s ability to compromise remote desktop software (through stolen or guessed access credentials, or through an unpatched vulnerability). This means that any organization can more effectively prevent ransomware by reinforcing its password security and user management.
By implementing password requirements that better align with best practices and then reinforcing them through two-factor authentication measures, your business can help eliminate much of the risk of an insecure password. Supplementing these measures with a password management platform can make it that much simpler for your users to utilize sufficiently secure identity authentication, benefiting your organization considerably.
Finally, it helps to invest in a dark web monitoring service, as this can help you identify if any of the passwords or data that your organization relies on has been compromised and exfiltrated. While it won’t help to undo any damage that has already been done as a result, this knowledge can help you identify your weak points and resolve them.
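Since the post notes that about half of modern ransomware incidents begin with compromised remote desktop access (guessed or stolen credentials), the following is an added detection example, not code from the original post or from Jackson Thornton Technologies. It scans Windows Security event records for credential-guessing against RDP and flags any source that later succeeds. It assumes the events have been exported as one JSON object per line (a hypothetical export format; the field names EventID, LogonType, IpAddress, TargetUserName and TimeCreated mirror the Windows event fields). Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the sample records below are constructed.

```python
"""Flag RDP credential-guessing bursts and any success that follows them.

Added example (not the original post's code). Assumes a hypothetical
JSON-lines export of Windows Security events; the sample records are
constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # real Windows Security event ID
SUCCESS_LOGON = 4624     # real Windows Security event ID
RDP_LOGON_TYPE = 10      # real value: RemoteInteractive (RDP)

# Constructed sample: one source hammering several accounts over RDP and then
# getting in as "jsmith"; one user with a single typo; one non-RDP failure.
SAMPLE_LOG = """\
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "TimeCreated": "2021-06-01T02:00:01"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "TimeCreated": "2021-06-01T02:00:04"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith", "TimeCreated": "2021-06-01T02:00:07"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "TimeCreated": "2021-06-01T02:00:10"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith", "TimeCreated": "2021-06-01T02:00:13"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "TimeCreated": "2021-06-01T02:00:16"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith", "TimeCreated": "2021-06-01T02:00:19"}
{"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "mlee", "TimeCreated": "2021-06-01T02:05:00"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "mlee", "TimeCreated": "2021-06-01T02:05:30"}
{"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.9", "TargetUserName": "svc", "TimeCreated": "2021-06-01T02:06:00"}
"""


def parse_events(text):
    """Parse JSON-lines records, converting TimeCreated to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: [usernames tried]} for sources with >= threshold failed
    RDP logons inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == FAILED_LOGON and e["LogonType"] == RDP_LOGON_TYPE:
            failures[e["IpAddress"]].append(e)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e["TargetUserName"] for e in evs})
                break
    return flagged


def successes_after_bruteforce(events, flagged):
    """Return {ip: [usernames]} for flagged sources that later logged in over
    RDP successfully: the signal that a guessed credential actually worked."""
    hits = defaultdict(set)
    for e in events:
        if (e["EventID"] == SUCCESS_LOGON and e["LogonType"] == RDP_LOGON_TYPE
                and e["IpAddress"] in flagged):
            hits[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    guessing = find_rdp_bruteforce(evs)
    for ip, users in guessing.items():
        print(f"RDP guessing from {ip}: accounts tried {users}")
    for ip, users in successes_after_bruteforce(evs, guessing).items():
        print(f"LIKELY COMPROMISE: {ip} succeeded as {users} after guessing")
```

The single mistyped password from 198.51.100.20 and the non-RDP failure (logon type 3) are deliberately left unflagged, which is what keeps an alert like this actionable; the threshold and window are the two knobs to tune against your own baseline. A source that succeeds after a burst of failures is exactly the case where enforced two-factor authentication would have stopped the intrusion.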
While we wish we could say that this is the last time that a cyberattack method will ever get progressively worse, we simply can’t, so we all need to do whatever we can to stop them. That’s where Jackson Thornton Technologies and our services come in. Learn more about what you need us to do by calling 334-834-7660.
Hackers Start Beef with JBS Ransomware Attack
Last weekend saw a significant cyberattack waged against the world’s largest meat processor and distributor, JBS S.A., that completely suspended the company’s operations in both North America and Australia… and as a result, has impacted the supply chains associated with the company. Let’s examine the situation to see what lessons we can take away from all this.
What Happened to JBS S.A.?
Over the last weekend of May 2021, JBS’ global IT systems were targeted by a ransomware attack that completely shut down the meat processor’s operations in North America and Australia. Seeing as effectively each step of the company’s operations (from livestock procurement all the way to export and shipment) relies on some kind of technology, everything was put on pause.
Fortunately, JBS had implemented backups, and has therefore been able to restore its systems and is returning to operation. Furthermore, no evidence has been discovered suggesting that any customer, employee, or supplier data was compromised in the attack.
However, this does not mean that there is nothing more to examine surrounding these events. Let’s go into the major takeaways that need to be addressed.
First of All, Who’s Responsible, and Who is Involved in Fighting Back?
There has been no indication that any activist groups were involved in the attack. Rather, sophisticated cybercriminals—the sort that have been previously associated with Russian cyberattacks—have been assigned blame for this attack. Along with the Federal Bureau of Investigation’s interest in the cyberattack, the United States government has been in communication with Russia concerning these efforts.
The Australian Cyber Security Centre has also been providing their assistance, although they would not disclose what the nature of this assistance was, while the company was also working with both the Australian government and the Australian Federal Police to more assuredly identify the responsible party.
The Impacts of Ransomware and Other Threats
While ransomware is still relatively new in terms of mainstream threats, it has grown from a concerning eccentricity to a global concern in the few years it has been popularized. More than a threat that simply locks down a computer or network, ransomware now involves an element of exfiltration—not only is the target’s data deleted unless a ransom is paid, it is also stolen and sold unless a second ransom demand is also paid up. This form of attack is closely associated with exactly the groups that are suspected of conducting the attack on JBS.
Fortunately, JBS was smart and had protected themselves ahead of time by implementing a backup solution. This is precisely why we always encourage businesses to do just that: the backup serves as your business’ insurance policy should your operations ever be targeted by such an attack. Unfortunately, this isn’t unlikely as many such attacks are spread through automated phishing campaigns and other hands-off means of dispersing malware.
At Jackson Thornton Technologies, we’re committed to helping businesses resist cybersecurity issues of all shapes and sizes, along with helping you manage your IT in the operational sense. Start a conversation with us by calling 334-834-7660 today.
Cybersecurity Lessons to Be Learned from the Colonial Pipeline Attack
Headlines have been filled with news pertaining to the recent hack of Colonial Pipeline, which has created significant gasoline shortages up the east coast of the nation. While the pipeline has been restored, the way this was accomplished sets a dangerous precedent. On top of this, the attack seems to have set off bigger infrastructural changes in the political space.
Let’s take a few minutes to dive into the situation at hand to see what insights can be gleaned from these events.
The Colonial Pipeline Situation
On May 7, Colonial Pipeline first became aware of a ransomware infection in its systems, prompting the fuel supplier to pull the plug on its pipeline operations along the southeast coast so that the malware wouldn’t spread. Leaning on a relatively new form of ransomware attack, those responsible for the attack—a group called Darkside—utilized a method known as double extortion, where the cybercriminal motivates their victim to pay up by not only locking their data down but also threatening to leak it out.
For its part, Darkside primarily operates as a kind of cybercriminal service provider, developing threats to provide them to other groups with their support.
In response to this threat, Colonial Pipeline quickly halted its operations… and as a result, a wide portion of the country experienced gas shortages due to the cutoff of supply. Many found themselves waiting for hours at the pumps, assuming that any gasoline was available at all. Despite stating that there were no plans to pay the almost $5 million in cryptocurrency that the hackers were demanding, it has been reported that the company did ultimately do so. Once the payment was received, the distributor was provided with a very slow decryption tool that they supplemented with their own backup solutions.
This situation has highlighted a few serious considerations that will need to be addressed by businesses of every size, while also revealing a few things about the current state of cybersecurity in clearly critical pieces of infrastructure.
Ransomware-as-a-Service is a Serious Threat
Darkside had risen to prominence in a relatively short time in the cybercriminal business world, creating a network of affiliate hackers to collaborate with for a share of the cut. With a net gain of at least $60 million in its seven months of existence ($46 million of which came in during Q1 2021 alone), this approach is apparently quite lucrative. While the affiliate hackers retain the majority of the ransom fees, Darkside handles a lot of the work on their behalf: writing the ransomware itself, billing the targeted victims, hosting the data that has been stolen, and even serving as the cybercriminal’s IT support and PR team.
This is serious, simply because it can significantly lower the barrier to entry that cybercriminals face when implementing ransomware, making it a feasible attack vector for more of them to put into place.
Double Extortion Makes Ransomware Even Worse
You may have caught that Colonial Pipeline did, in fact, have a data backup available to them… so, it may seem confusing that they still paid the ransom to have their data released. After all, the data backup should have enabled them to simply wipe and restore their entire infrastructure from scratch.
It’s the fact that this attack was using the double extortion method that makes the difference. Instead of simply threatening to delete the data if the ransom is not paid, a double extortion attack doubles down by threatening to leak the data if the ransom is not paid in time. Depending on the industry that is being targeted, some of this data could bring significant repercussions to the business that allowed it to leak. Government regulations and public opinion can both bring down serious consequences once data is leaked, so it makes sense that Colonial Pipeline would choose to bite the bullet and pay up instead. We still don’t recommend that ransomware demands be paid, but time will tell if this method of attack becomes more popular and forces us to reconsider.
Events Like These Will Inspire Cybersecurity Improvements
Partly in response to these events, U.S. President Joe Biden signed an executive order intended to boost the cybersecurity protections in place surrounding critical infrastructures for the government and private sector companies alike. This order includes the founding of a task force committed to prosecuting hackers that utilize ransomware, as well as the removal of any contractual barriers to reporting breaches within federal agencies and a deadline of three days to report severe cyberattacks. With such attacks happening with higher frequency than ever before, it will be far more critical for businesses to consider these improvements crucial to their continued survival.
Situations like these make it clear that cybersecurity isn’t going to get any easier for businesses to manage from here on out, so it will be important to have a trustworthy resource waiting in the wings to assist your operations. Jackson Thornton Technologies can be that resource for you. Give us a call at 334-834-7660 to start a conversation about what we can do for you.