Security experts have warned of ransomware attacks for years. But again and again, bean-counters look at suggested budgets for cybersecurity and see nothing but red ink. It's the perennial IT problem: no one thinks about it when it's working, but there's a typhoon of activity if things go wrong.
And things went wrong at the U.S.’s Colonial Pipeline earlier this month. A ransomware attack forced the company to take its operations offline. Predictable responses included long waiting lines at gasoline stations and hoarding of precious fuel. Less predictable: online entrepreneurs who've watched too many Mad Max movies advertising sales of gasoline stored in clear plastic bags.
Ripple effects included fistfights in said waiting lines and Uber drivers bemoaning their fate. And thunderous rhetoric from U.S. government officials. The Department of Transportation issued a regional emergency declaration relaxing hours-of-service regulations for “drivers carrying gasoline, diesel, jet fuel, and other refined petroleum products in 17 states and the District of Columbia.”
The incident also prompted U.S. President Biden to issue the important-sounding “Executive Order on Improving the Nation’s Cybersecurity.”
Security experts like Handshake Networking's managing director Richard Stagg must suffer from Cassandra Complex. For years, security consultants have warned of ransomware and other malware — often delivered as email attachments. But now we have geopolitical insight, and it's not heartening.
Big payoff, low risk
“The Colonial Pipeline ransomware attack used a 'ransomware-as-a-service' that checks its location and opts out of doing anything bad if it finds itself in Russia or the CIS,” says Stagg. “We always assumed these things came from behind the Iron Curtain, but it's amusing to have it confirmed so emphatically.”
Stagg notes that while media coverage of this attack is widespread because it targeted critical infrastructure, “ransomware attacks are widespread and common because they give the bad guys the biggest potential payoff while also being the lowest effort and risk to kick off, so it was inevitable that some high-profile target would get hit eventually.”
Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. Some are blatantly phony, others sophisticated.
“We don't know how this particular attack was kicked off, but the ransomware attacks I've seen have basic root causes — either an Internet-facing administrative service with a weak password, or else a document containing a malicious payload opened on an unpatched workstation,” says Stagg. “And we continue to receive emails every single day with dodgy files attached.”
“I'm sure some ransomware has infiltrated using cunning, sophistication, persistence, innovation, and skill, but the vast majority is still getting in because of those staunch old retainers: too much attack surface, crappy passwords, inadequate endpoint protection, and not patching enough,” says the security expert.
Stagg says one of his clients “had [endpoint security managers] installed on all their workstations. This is high-end endpoint protection, costly, centrally managed, and integrated.” Yet despite this: “it failed to spot a basic ransomware infiltration that subsequently ruined a few people's weekends. It turns out that accepting the EULA means that you have zero recourse against your vendor when it turns out that the software you bought to do one single job fails to do that job. Doesn't really incentivize the vendors to make an effort, does it?”
The calculus of liability is beyond the scope of this article. Still, it will become increasingly important as now we have a benchmark for this level of cyberlarceny — according to Bloomberg, “Colonial Pipeline Co. paid nearly USD 5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee...the company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack.”
According to a blog post by vendor TitanHQ: “Chainalysis recently released a report that suggests more than USD 350 million has been transferred to cybercriminals in 2020 alone, based on a review of the transactions to blockchain addresses known to be deployed by ransomware threat groups. Obviously, that figure is likely to be much lower than the true total, as many businesses do not share that they have suffered ransomware attacks.” TitanHQ notes that “a similar review in 2019 estimated the losses to be around USD 90 million.”
These figures are estimates because such ransoms are typically paid in cryptocurrency, and few victims disclose the payments. But cybercriminals aren't much concerned with the spot rate of BTC. Increasingly, they're focused on devising more sophisticated means of delivering malicious payloads and collecting from victims who see no other option.
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/kaptnali