Despite the steady drumbeat of hacks that are reported on a nearly weekly basis, it is safe to say that cybersecurity is still far from a “top of mind issue” for most people.
Massive data breaches like Equifax, Marriott, and many, many more are chalked up to being yet another part of the modern life.
While each of those cybersecurity incidents was quite serious in its own right, for the public whose data were compromised, they represented more of an inconvenience than a serious concern. Similar to having your credit card number stolen, it can be annoying but it is priced into the equation. The costs of fraud are not directly felt by the consumer, so they feel generally removed from the risk of fraud.
However, when the billing department of an energy company nobody’s ever heard of gets hacked and gas goes up – as was the case for what’s been judged as perhaps the worst cybersecurity incident of the last year – folks start to feel differently. What can these attacks from the past year teach us about the future of ransomware?
Cyber Threats, Real World Impact
Cyberattacks are increasingly having more “real world” effects, putting critical infrastructure like energy and healthcare at risk.
Over the past few years, hospitals across the globe have been hit with ransomware attacks, effectively shutting down their ability to operate effectively. Ireland’s national health service being the most recent large-scale victim. A woman in Germany died in transit while being sent to another hospital after a ransomware attack that shut down services at the university hospital.
The most recent wake up call for the public is the attack that shut down operations of the Colonial Pipeline company in May.
According to reports, hackers from the Darkside ransomware-as-a-service (RaaS) group breached Colonial Pipeline’s corporate network, infecting them with ransomware. This led the company to halt its activities, closing the spigot on 45% of the fuel being transferred on the American East Coast.
While the specific vector of attack –– possibly an unpatched vulnerability but more likely some kind of social engineering technique like phishing –– is unknown, it has been reported that the attackers gained access to the business side of the company. There are no indications that they were able to access the industrial controls for the pipeline.
Upon discovering the breach, the company shut down operations on the pipeline. This was both a prudent safety measure as well as a sound financial decision. With their corporate billing system down, they would be unable to track and charge for the deliveries.
Whatever their reasoning, the result was the same. As fuel deliveries on the east coast dwindled, concerns over scarcity spread and with it plenty of bad ideas. Stories of people attempting to fill plastic bags with gasoline led to officials issuing warnings against this and other unsafe practices.
After a flurry of negotiations, Colonial Pipeline is reported to have paid the Darkside crew. Estimates put the number somewhere between the $4-5 million dollar range, depending on the value of Bitcoin at any given moment. With the ransom paid and a fair number of details about the aftermath still unclear, the pipeline is back pumping again. Fuel crisis averted and like the ransomware attacks on everything from hospitals to city governments before it, people have gone back to “situation normal.”
For now, anyway.
Proliferation of Hacking Tools Means More Targets
Changes in the economics of hacking have created an environment where the potential for ransomware may get a lot worse.
Carrying out more sophisticated and devastating attacks that can take an organization offline used to be relegated to only the more talented of threat actors. They had to write their own malware, build the infrastructure to support their operations, and basically handle all of the details from start to finish.
That was then. This is now.
There has been a massive proliferation of hacking tool kits that provide hacking crews with everything they need to attack their targets. Dark web marketplaces now offer comprehensive kits that include the malicious code along with everything else needed for the attack. Down to the phishing emails that can be used to gain entry in the breach.
The effect of this marketplace has been to lower the bar to entry for cyber criminals. It’s a kind of democratization of hacking that allows anyone with a couple of bucks and the time to go after a target to get in on the game. Phishing kits can be bought on the dark web for as low as $5 while more complex tools can reach tens of thousands of dollars. But when the payout for a single successful ransomware attack can top $10 million, the ROI seems pretty appealing.
Adding fuel to the fire is the fact that hackers are benefiting from the trickle down effect of state actor-developed malware and techniques. There is evidence that the NSA’s Eternal Blue exploit for attacking Windows systems was later used in Russia’s highly destructive NotPetya campaign in 2017. However, after the state actors had shown how effective the exploit could be, criminal gangs have gotten in on the action by incorporating it into their own operations.
The result of these developments has led to a reality where there are now far more capable hackers out there, all armed to the teeth with effective tools.
Whereas in the past it would take serious state actors like the US and Israel to develop complex code like Stuxnet to attack nuclear reactors, the hacking of the pipeline company shows us that criminal gangs have the capacity to inflict serious real-world damage. More to the point, the Darkside team, probably inadvertently, shut off the flow of fuel not by targeting the actual industrial control systems, but the less “critical” billing department. This should maybe lead us to reconsider how we assess our threat models.
It also means that with more threat actors out there, there is a significant potential for hitting far more targets than before. This is bad news for organizations of all sizes –– including those that were certain that they were not “interesting” enough for hackers to pay them much mind.
Every organization has something of value that they are willing to pay good money for its safe return and continued confidentiality. Criminals know that and now have an expanded pool of targets to choose from. They also know that while landing a whale like a big energy company is likely to pay serious dividends, there are plenty of medium sized companies and enterprises that are worth their time.
Planning for 2022: Prioritize These 3 Tips for Stronger Security
Given these challenging developments, organizations need to take steps to make themselves harder targets for these hacking crews.
Here below are a couple of basics to get started with.
1. Patch, Update, and…Patch
Even as 0-day vulnerabilities get all of the headlines, known vulnerabilities (CVEs) are still the go to for hackers when making their breach. It’s essentially a free lunch since a published vulnerability tells the hacker what is vulnerable and how it can be exploited.
Patching and updating systems can be difficult for IT teams to stay on top of, but it is one of the most effective ways to mitigate the risk of an attack.
Even if you are not staying abreast of the latest vulnerabilities, you can be sure that the hackers are.
2. Improve Visibility Everywhere
Visibility has been at the top of the list for network defenders for years. But now with the growth of social engineering attacks, there is increased awareness that we need to have visibility everywhere.
Monitoring of activity can help to identify risk vectors, including abuse of privileged accounts that might be exploited by an attacker.
3. Authenticate Identities
Identity is how we access most of our work resources, primarily through usernames and passwords. This is far from an ideal situation as these credentials are easily stolen or impersonated, but it’s the one we’ve got.
Reduce your risk with added protections that go beyond these basic pieces of information. Technologies ranging from Single Sign-on (SSO), Multi-factor Authentication (MFA), and other tools can help to make it much harder for attackers to access your systems.
Starting to Take Security More Seriously
Countering the risk of ransomware is going to take a multi-pronged effort from everyone involved.
From having monitoring and automated controls in place on work devices and access to protect against unintentional negligence to educating employees on the need to be conscious of the risks of opening emails and other social engineering vectors, there are critical steps companies can take, and more should be doing them. Management needs to ensure that they are implementing the right solutions and setting policies that help to close some of the gaps in their security.
There are also arguments that it might be time to stop paying the ransom as a way to disincentivize the attacks.
It will also take pressure from the government to step in and raise the bar. In response to the Colonial Pipeline incident, the TSA has announced that it will be taking steps to improve enforcement of security of critical infrastructure. There have been more than a few calls for the US government to take more aggressive actions against hackers that are outside of its jurisdiction, though how exactly that would look like given the current geopolitical situation is far from clear.
Taken together, we have an opportunity to make ransomware a less profitable venture for hackers and change the future of ransomware. However, looking at the evolving threat landscape, it will be a serious slog ahead.