Ransomware is wreaking havoc on U.S. industry and infrastructure. High-profile ransomware attacks like the May 7th hack into Colonial Pipeline, this week’s breach at an American nuclear weapons contractor, and last month’s attack on JBS Foods have dominated the headlines. But all told, there have been 292 ransomware attacks, led by just 6 different hacking groups, in the first 4 months of 2021. Energy infrastructure, healthcare, and finance are some of the top targets for these attacks.
The problem is so severe that the White House issued a memo on June 2nd stating that “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.” Let’s examine why ransomware is the weapon of choice for so many of today’s hackers, what went wrong at Colonial Pipeline, and how businesses can best protect themselves from this threat in the future.
Ransomware is a type of malware. Once it is on a victim’s device, it encrypts critical files, making them inaccessible and disabling the systems that rely on those files to run. Given the opportunity, ransomware can encrypt an entire business network. After the attack is launched, the hackers demand a ransom in return for decrypting the files. They may demand even more money in exchange for not releasing the data from those files on the Dark Web.
How does ransomware get onto the victim’s device? The most common point of entry is through a phishing email. Just one wrong click can give a hacker an open door to launch the rest of their attack.
Ransomware has been around for over 30 years. There are a few reasons why we’re seeing a sudden spike in its use. First, ransomware has gotten easier to execute, making it a more accessible weapon against targets. Second, cryptocurrencies like bitcoin have made it much easier for criminals to securely receive ransom payment. And third, the coronavirus pandemic accelerated the transition many companies were already making to running their businesses digitally. Simultaneously, the pandemic caused mass panic and a lack of security protocols for remote workers. Together, this created a rapidly increasing number of targets who were all the more vulnerable to endpoint attacks and social engineering.
Colonial Pipeline operates the largest petroleum pipeline in the U.S. and provides nearly half of the East Coast’s fuel supply. How did such a critical piece of infrastructure grind to a halt for nearly a week following the attack, causing mass panic and consumer-driven gas shortages?
It all started with a single password. Colonial Pipeline, like many companies, requires employees to connect to a virtual private network (VPN) to access certain business systems. This VPN is password protected, but somehow, the password for an inactive but still viable account found its way to the Dark Web. In all likelihood, this was the result of the account holder using this password in another application that was hacked and leaked previously. Reportedly, the account holder also failed to use a Multi-Factor Authentication (MFA) tool, which would have thwarted this attack by making the leaked password useless without its accompanying, time-sensitive MFA code.
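The paragraph above describes the two controls that would have changed the outcome: deprovisioning inactive accounts and requiring a time-sensitive MFA code alongside the password. The following added example (written for this page; it is not Colonial Pipeline’s or any VPN vendor’s code) shows a minimal login check in Python that enforces both. The TOTP code follows RFC 6238 (HMAC-SHA1 over a 30-second counter), and the user directory, salt, TOTP seed and the “leaked” password are all constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# --- TOTP per RFC 6238 (HOTP per RFC 4226 with a time-based counter) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30 s steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


# --- Password storage ---

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database does not directly yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed sample directory (hypothetical; not any real company's data).
# The "leaked" password is only a stand-in for one found in a breach dump.
LEAKED_PASSWORD = "Summer2020!"
_SALT = b"constructed-salt-0001"
_DEMO_TOTP_SECRET = b"constructed-totp-seed-not-a-real-one"

USERS = {
    # Former employee whose VPN password ended up in a breach dump.
    "former-employee": {
        "active": False,          # account was deprovisioned
        "salt": _SALT,
        "pw_hash": hash_password(LEAKED_PASSWORD, _SALT),
        "totp_secret": _DEMO_TOTP_SECRET,
    },
    # Current employee who reused the same password but has MFA enrolled.
    "on-call-engineer": {
        "active": True,
        "salt": _SALT,
        "pw_hash": hash_password(LEAKED_PASSWORD, _SALT),
        "totp_secret": _DEMO_TOTP_SECRET,
    },
}


def verify_login(username: str, password: str, code: str, now: int) -> str:
    """VPN-style login check. Returns "ok" or a denial reason.

    Checks run in order: account status, password, then MFA. Every
    comparison is constant-time. A leaked password on its own never
    gets past the MFA step.
    """
    user = USERS.get(username)
    if user is None or not user["active"]:
        return "denied: unknown or disabled account"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied: bad password"
    # Accept the current 30 s window plus one on either side for clock drift.
    step = now // 30
    candidates = [hotp(user["totp_secret"], c) for c in (step - 1, step, step + 1)]
    if not any(hmac.compare_digest(c, code) for c in candidates):
        return "denied: bad mfa code"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    # Someone holding only the leaked password, against a deprovisioned account.
    print(verify_login("former-employee", LEAKED_PASSWORD, "", now))
    # Same password against an active account, but no authenticator code.
    print(verify_login("on-call-engineer", LEAKED_PASSWORD, "000000", now))
    # The legitimate user, with the code from their authenticator app.
    print(verify_login("on-call-engineer", LEAKED_PASSWORD, totp(_DEMO_TOTP_SECRET, now), now))
```

The drift window of one step on either side is the usual compromise between tolerating phone clock skew and keeping a code valid for no more than about 90 seconds; a real deployment would also rate-limit attempts and record which step was last used so a code cannot be replayed within its window.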
Once DarkSide, the hacker group responsible, was in the VPN, the rest was easy. The ransomware they launched successfully stole 100GB of data and forced Colonial Pipeline to shut down all operations until it had properly isolated the attack. Once it became clear that none of the critical operational technology systems had been breached, Colonial was able to reopen the pipeline. But not before it paid DarkSide over $4.4 million in ransom, $2.3 million of which, surprisingly, the Department of Justice was eventually able to seize in the course of its investigation into the incident.
There are two ways to reduce the threat a ransomware attack poses to your company: prevention and preparation.
No prevention method is 100% reliable, which is why it’s best to take a layered approach to cybersecurity. Mandatory security awareness training for your staff will teach them how to spot and avoid the phishing emails that can lead to a ransomware attack. Strong endpoint security software can help detect and block malware such as ransomware. You can also encourage employees to work in-office rather than remotely so that their devices are protected by your office’s central cybersecurity measures. And, of course, to avoid a breach like Colonial Pipeline’s, you should use MFA on all of your accounts and never reuse a password across services.
Because ransomware is always evolving, you need to prepare for the event in which your prevention efforts fail. The best way to prepare for a ransomware attack is to create and execute a BCDR, or Business Continuity and Disaster Recovery, plan. Part of this plan should involve continuous backups for every machine on your network so that after an attack, you have every file and application you had before the attack, without having to pay a ransom. Companies with good BCDR plans can resume business-as-usual in a matter of hours after a ransomware attack.
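A backup only counts as recovery capability if it has been restored and checked; a BCDR plan should include a regular restore drill, not just a backup schedule. The added example below (written for this page, not part of any backup product) shows the core of such a drill in Python: a hash manifest is taken at backup time, the live copy is later damaged, and both the live tree and a restore from backup are verified against the manifest. All files, paths and contents are constructed sample data in a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(manifest: dict, root: Path) -> list:
    """Return the files that are missing or whose contents no longer match."""
    problems = []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            problems.append(f"altered: {rel}")
    return problems


def take_backup(live: Path, backup: Path) -> dict:
    """Copy the tree, write the manifest next to the copy, and return the manifest."""
    shutil.copytree(live, backup)
    manifest = build_manifest(live)
    (backup.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill() -> dict:
    """Full cycle on constructed data: back up, damage the live copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2021-05-01,100\n")
        (live / "ops-runbook.md").write_text("# Restart procedure\n1. ...\n")

        manifest = take_backup(live, base / "backup" / "live")

        # Stand-in for damage to the production copy (constructed; no real malware involved).
        (live / "finance" / "ledger.csv").write_bytes(b"\x00unreadable\x00")
        (live / "ops-runbook.md").unlink()

        live_problems = verify_against_manifest(manifest, live)

        # Restore from the backup into a fresh location and check it against the manifest.
        restored = base / "restored"
        shutil.copytree(base / "backup" / "live", restored)
        restored_problems = verify_against_manifest(manifest, restored)

        return {
            "files_in_manifest": len(manifest),
            "live_problems": live_problems,
            "restored_problems": restored_problems,
        }


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

In a real environment the backup target would be offline or immutable so that the same malware cannot encrypt it, and the manifest would be stored separately from the backup, since a manifest that can be rewritten along with the files verifies nothing.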
If you’re worried about ransomware, then you need to take concrete steps to secure your business’ critical data and systems. Consult with your Digital Agent about improving your cybersecurity and setting up your company’s BCDR plan.
Digital Agent combines the latest technical innovations with old-fashioned service values. It is modeled on a family-run business, with a commitment to customer care, personalized service and attention to detail.