Triple penalty: ransomware extortion, data loss, fines


Negligent companies are quickly punished threefold: first the ransomware extortion, then the data loss, and last but not least a fine for a poor recovery plan. The following case shows how a complex ransomware attack can take over a company's resources.

Last year, ransomware brought a US fuel company to its knees. Behind it were criminal "affiliates" of the notorious DarkSide group, a typical example of a RaaS (ransomware as a service) attack: a small core team of criminals develops the malware, makes it available to other criminals and handles the victims' ransom payments. The core team does not, however, carry out the actual intrusion into the network that delivers the malware. That is left to their "partners in crime", the field staff, so to speak, who as a rule receive the lion's share of the money extorted from the victims.

RaaS: Partners in crime with ransomware

The core group, meanwhile, lurks invisibly in the background, running a kind of franchise operation where they typically pocket 30 percent (by their own admission) of every payment.

The front-line team typically does the following:

  • Conduct research to find potential targets to break into.
  • Break into selected companies with known vulnerabilities.
  • Scan the network until they obtain administrative rights, i.e. the same level of access as the official administrators.
  • Map the entire network to find each individual desktop PC and the server systems.
  • Locate and often neutralize existing backups.
  • Exfiltrate confidential company data for extra leverage in blackmail.
  • Prepare network backdoors for a quick retreat if the attackers are caught.
  • Carefully examine existing malware defenses, looking for weak or vulnerable spots.
  • Turn off or at least reduce the security settings that get in the way.
  • Choose a time that is particularly "uncomfortable" for the company, i.e. the weekend or the night.

Then the cybercriminals unleash the ransomware code provided by the mastermind behind the scenes. Encrypting (almost) all computers in the network takes only a few minutes.

Ransomware: Pay up, please!

The idea behind this type of attack is that the computers are not completely wiped. In fact, after most ransomware attacks the operating systems still boot and load the main applications, which keeps up the appearance that everything is normal.

The victim can boot their laptop, load Word, see all the documents in the directories and even try to open them, but will then see the digital equivalent of shredded cabbage: the data is encrypted and there is only one copy of the decryption key, which the attackers hold. This is when the "negotiations" usually begin. The criminals count on the victim's IT infrastructure being so severely crippled by the encrypted data that it no longer functions, and on the victim therefore being willing to pay a ransom.

“Pay us a 'recovery fee' and we'll provide you with the decryption tools to make every computer usable again - and we'll save you the time it takes to restore from backups. As long as you have working backups at all.” This is roughly what the demands sounded like when they reached the US company about 12 months ago.

Only 4 percent of those who pay get all their data back!

Although law enforcement agencies around the world urge ransomware victims not to pay (and we now know that today's ransomware payments fund tomorrow's ransomware attacks), in this case the company decided to pay the roughly $4.4 million demanded, transferred in bitcoin.

This year's Sophos report, The State of Ransomware 2022, reveals that only 4% of payers worldwide get all their data back. On average they recover only about two thirds (exactly: 60.56%). In Germany the proportion is 64%. Globally, the figure for energy supply companies is only slightly higher at 62% (exactly: 61.59%). So even a company that pays the ransom still has to accept very high data losses. And the case by no means ends there.

After the ransom came the fine

Sophos State of Ransomware 2022 (Image: Sophos).

The pipeline operator was also called to account by the authorities: the US Department of Transportation imposed a civil penalty of almost 1 million US dollars on the company, the result of an investigation by the Pipeline and Hazardous Materials Safety Administration (PHMSA). The inspection ran from January to November 2020, i.e. in the year BEFORE the ransomware attack took place. So the problems the agency identified already existed and were known. The PHMSA stated that the primary operational deficiencies, responsible for more than 85 percent of the penalty ($846,300), "are a likely failure to adequately plan and prepare for the manual shutdown and restart of its pipeline system", and it asserts that these omissions "contributed to the national fallout when the pipeline remained inoperative following the May 2021 cyberattack."

Individual case or recommended course of action for everyone?

At first glance this sounds like an unusual case, because who actually operates a pipeline, let alone one of this size? Nonetheless, the official PHMSA Notice of Probable Violation identifies a few related issues that everyone can learn from:

For the pipeline operator, the problems lay in internal areas of the company such as supervisory control and data acquisition, industrial control systems and operational technology. SCADA (Supervisory Control and Data Acquisition) denotes computer systems that automatically monitor and control technical processes and are in use everywhere from energy suppliers to airports; ICS (Industrial Control Systems) and OT (Operational Technology) were found wanting as well. OT can be understood as the industrial counterpart to IT, and SecOps (security operations) is a similar challenge for both.

Consequences of SecOps errors

Even though operational technology and IT appear to be two separate networks, SecOps failures in one area can directly and even dangerously affect the other.

More importantly, especially for many smaller companies: even where no pipeline, power grid or power plant is operated, there is most likely still some kind of operational technology network in use, made up of IoT devices such as security cameras, door locks, motion sensors, and maybe even a soothing, computer-controlled aquarium in the reception area.

And these are usually operated in the same network in which the entire IT system is located. The cyber security measures of both types of devices are thus inextricably intertwined.

Five points that every company should take seriously

The PHMSA report lists issues that all fall under the umbrella term control room management, which can be thought of as the operational technology equivalent of an IT department's network operations center (or simply "the IT team" in a small business).

In summary, these are the five problems:

  1. Failure to keep a proper record of passed operational tests.
  2. Failure to test and verify the operation of alarm and anomaly detectors.
  3. No contingency plan for manual recovery and operation in case of system failure.
  4. Failure to test backup processes and procedures.
  5. Poor reporting of missing or temporarily suppressed security controls.

What can we learn from this for our IT security?

Any of the above omissions can happen accidentally. According to the Sophos State of Ransomware 2022 report, two thirds (exactly: 66%) of those surveyed said they had been hit by a ransomware attack in the past year; the energy supply sector was well above average at 75%. About two thirds of them had their data encrypted, and half of those negotiated with the criminals.

This suggests that a significant proportion (just over one in five) of IT or SecOps teams have lost track of one or more of the above categories.

These include items 1 and 2 (Are you sure the backup actually worked? Did you record this formally?), item 3 (What is your plan B if the criminals delete your primary backup?), item 4 (Have you practised restoring as carefully as you practised backing up?) and item 5 (Are you sure you didn't miss anything you should have reported at the time?).

For many IT teams, and especially for smaller companies that do IT "on the side", a specialized SecOps team is a luxury they simply cannot afford, so the strategy there often amounts to an "install and then forget" principle. Anyone in this situation should seek the support of external MTR (managed threat response) experts and regard it as an investment in a safer future.

Cybersecurity is a process, not a destination. A successful attack always leaves damage and has after-effects on resources and operability. How severe the impact is depends heavily on the speed of reaction, the precautions taken and the security process in place.

More at Sophos.com
