We Are Being Schooled on Pretty Hard Cybersecurity Lessons

Image credit: iStockphoto/grinvalds

Many recall the “419” scams of yesteryear. The name comes from the Nigerian criminal code for advanced fee fraud: 419. A scam attempt usually started with a ludicrous email from a “Nigerian prince” who claimed a vast sum of cash that only you could help access, and of course, riches would come rolling in, they promised.

As ever, if it sounds too good to be true, it probably is. 419 scammers stole money from people who believed their stories and were suckered into fraudulent schemes. A few vigilante Netizens turned to “scambaiting”: playing along with the scammers with equally absurd counter-schemes to tie up scammers' time and resources. Some of the scambait stories are hilarious: check 419eater.com for some amusing tales.

The 419 scammers portray themselves as heroic princes when they're actually villains. Which is not unlike the “Robin Hood” image some ransomware operators would like us to believe. Both are false: these guys are criminals, but unlike the 419ers, the ransomware groups are evolved and dedicated.

Which makes them more dangerous.

Honor among thieves?

An AP story from last month quoted “two people close to the investigation” as saying that the criminal gang behind DarkSide ― who successfully cyberextorted Colonial Pipeline after infiltrating them with ransomware ― cultivates “a Robin Hood image of stealing from corporations and giving a cut to charity.”

According to the AP story, DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets, and donates a portion of its take to charity. But that isn't the case. AP: “Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon...with attacks forcing delays in cancer treatment at hospitals, interrupting schooling and paralyzing police and city governments.”

No random philanthropy was cited when JBS, the world's largest meat processing company, suffered a ransomware attack last month that disrupted meat production in North America and Australia.

Watching it crumble

According to a BBC article, a recent survey by Veritas Technologies found that 66% of victims admitted to paying part or all of the ransom. The FBI and other law enforcement groups discourage ransomware victims from paying but tell that to the chief executive officer of a company watching their online business seize up as remote attackers deploy their encryption.

The BBC article quotes Martin Kelterborn, chief executive of Offix Group in Aarburg, Switzerland, a ransomware attack victim in May 2019. "I went into my IT department, and the manager was pale and clearly shocked,” said Kelterborn. “We watched live as all our product pictures for our websites were encrypted one after the other...At one point me and my boss actually wrote a press release declaring that the company was dead and out of business. They were the worst three weeks of my life.”

Kelterborn said the ransomware demanded 45 Bitcoin, worth about half a million dollars at the time. "Yes, we did consider paying, but in the end, they actually destroyed so much of our system that we needed to rebuild anyway,” he said. “Recovering has cost us about the same: half a million dollars."

Although this particular victim didn't cough up the BTC, average ransoms paid in the U.S. jumped nearly threefold to more than USD 310,000 last year. These sums are sure to rise in the wake of the heavily publicized Colonial and JBS attacks.

Executive action

The U.S. government's executive branch responded with an executive order, as described on the White House website: “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” said the White House statement. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”

White House press secretary Jen Psaki said in a briefing that the JBS hack was expected to be discussed at President Joe Biden's mid-June summit with Russian President Vladimir Putin.

"We're not taking any options off the table in terms of how we may respond, but of course, there's an internal policy review process to consider that. We're in direct touch with the Russians, as well, to convey our concerns about these reports," she said. "President Biden certainly thinks that President Putin and the Russian government has a role to play in stopping and preventing these attacks."

The White House also called on the private sector to shore up its defenses against ransomware attacks.

The weakest link

In early June, Bloomberg reported that “The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.”

“Hackers gained entry into the networks of Colonial Pipeline on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant.”

A single unsecured VPN connection was all it took for cyberbaddies to walk away with millions in BTC. As ever, a security chain is as strong as its weakest link.

So, what can chief digital officers and chief information security officers do to harden their security profile? The Cybersecurity and Infrastructure Security Agency (CISA) has a comprehensive guide on its website. And firms should consider adopting a Zero Trust stance which assumes every device is unsafe.

There are lessons to be learned from the recent spate of ransomware incidents. They are hard lessons and require time and effort to unpack and implement. But they are essential.

Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics, and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].

Image credit: iStockphoto/grinvalds