Upcoming ransomware strategies

Ransomware has changed again and again over time. How much is shown by the Colonial Pipeline ransomware attack, which is only part of a new wave of attacks against high-profile victims. A comment from Jon Clay, Director of Global Threat Communications, Trend Micro.

After the cyber attack on one of the largest gasoline pipelines in the United States, its operation was temporarily suspended. The malicious actors aim to extort the highest possible amounts of money and therefore target organizations that are more likely to pay when their business operations are disrupted. This has been seen in the past with victims from government and education. The more suffering criminals can inflict on an organization, the more likely it is that the victim will pay. What can companies do?

Ransomware attacks have gone through many stages, and we are now observing phase 4:

1st phase: Simple ransomware. Files are encrypted, the ransom note is delivered, and the attackers wait for payment in Bitcoin.

2nd phase: Double extortion. Phase 1 plus data exfiltration and the threat of publication. Maze was the first ransomware to do this, and the other actor groups followed suit.

3rd phase: Triple extortion. Phase 1 + Phase 2 plus the threat of DDoS. Avaddon was the first documented case.

4th phase: Quadruple extortion. Phase 1 + (possibly Phase 2 or Phase 3) + direct mailing to the victim's customer base. Cl0p was the first to be used in this way, according to Brian Krebs.

Most of the time it is double extortion today, but we are seeing a shift towards targeting critical business systems. In this recent US case, no OT systems appear to have been affected, but the IT systems connected to the network were likely the target. That could change, however, as many organizations have an OT network that is critical to their operations and could therefore become a target. We have already shown how manufacturing companies are attacked with modern ransomware and what effects this has.

Consequences for companies

The failure of systems that control the day-to-day operations of a company can cause financial and reputational damage. But if the actors go after victims that are too prominent, an attack could also have unintended consequences, and the Colonial Pipeline attack could be an example. The disruption of an important part of a nation's critical infrastructure, even if the motive is "only" financial gain, could lead to severe action against the actors behind the attack. So in the future, malicious actors may need to assess the potential impact of an attack on their target and decide whether it makes business sense to launch it at all.

The right countermeasures

Ransomware will continue to be used in the future. As a result, companies need to take the time to create an incident response plan that is geared towards the new model of ransomware attacks. A few things should be considered when doing this:

  • Accept that your company can become a victim. Any organization may be on the radar of malicious actors, but those operating critical infrastructure must now assess the likelihood of being attacked.
  • Access-as-a-Service is now used regularly. Usually one group carries out the initial access and sells it to another group. Determined attackers will always find a way into your network, be it through phishing, a vulnerable system exposed to the Internet, or an attack through the supply chain.
  • Malicious use of legitimate tools is one of the most popular tactics across the entire attack cycle.
  • The credentials of your key administrators and applications are targeted.
  • Ransomware actors attempt to exfiltrate data that appears suitable for double extortion.
  • The ransomware component will be the last step in the malicious activity, as it is the most visible part of the attack cycle and shows the victim that a system has been compromised.

Organizations that operate OT networks should think about the following:

  • Understand the risks in the event that your OT network goes down.
  • Establish a security model for the devices on the OT network, especially those that cannot run a security agent.
  • Network segmentation is critical.
  • If your OT network has to be shut down because the IT network has been compromised, consider how you can overcome this limitation.

This latest attack is another wake-up call for all organizations to harden their networks against attacks and to improve their ability to notice when malicious actors are on their network. With Trend Micro Vision One, we offer a layered cybersecurity platform that can help improve detection of and response to the latest ransomware attacks and increase visibility.