On May 7th, Colonial Pipeline fell victim to ransomware. After the hackers encrypted the business network, Colonial shut down their operational technology (OT) network as a protective step. However, this caused oil to stop flowing through the largest refined petroleum products pipeline in the United States. As a result of the shutdown and the panic buying by the public, there were gas shortages across the southern and eastern United States. The shortages are improving, and supplies are normalizing.
Colonial called in a well-respected third-party incident responder to assist with recovery. Together they worked to evict the criminals from the network and restore from backups. Colonial also paid approximately $5 million in ransom to the attackers, but there are indications the decryption tool was slow and ineffective, and recovery was achieved primarily by restoring from backups.
In the aftermath of this attack, President Biden signed an executive order to mandate increased controls for all federal agencies and IT service providers that contract with the federal government. It also increases reporting requirements for those doing business with the federal government.
The criminals behind the Colonial Pipeline attack, and others like them, are highly motivated and skilled. According to the Ransomware Task Force, more than $350 million was paid in ransom in 2020.
Ransomware has evolved significantly since CryptoLocker in 2013. The initial waves were largely untargeted, opportunistic attacks: spam emails with malicious attachments sent to thousands of users, drive-by downloads, and malvertising were the primary means of distribution. Criminals have since shifted to targeted attacks that yield higher payouts. Initial compromise is often through a VPN server or an exposed service such as RDP; spear-phishing to harvest credentials is also common. Once inside, the criminals move laterally through the environment and perform reconnaissance to identify critical systems. They then exfiltrate sensitive data so they can apply additional pressure on the targeted organization, and where possible they delete backups to impede recovery. Only after exfiltrating the data they want do the attackers deploy the ransomware.
There is a significant amount of fear, uncertainty, and doubt regarding ransomware. Businesses often believe they will not be a target or if they are, there is nothing they can do to prevent it.
Neither of these is true. By being a revenue-generating business, you are a target. According to Sophos, 51% of organizations were hit by ransomware in 2020.
Being a small business does not protect you: nearly 47% of organizations with between 100 and 1000 employees were affected.
We have established that ransomware is pervasive and professional, but the answer is not to despair.
There are concrete steps that will reduce the risk of a successful ransomware attack and allow for more rapid recovery when one occurs. The following list is not comprehensive, but it is a good starting point.
For more guidance and information, please review the MS-ISAC Ransomware Guide.
Intivix recommendations include:
- Maintain offline, encrypted backups of data
  - Regularly test these backups to ensure they are valid and meet the defined recovery point and recovery time objectives
- Establish a basic incident response and communication plan
  - Review and practice the plans regularly
- Patch the OS and other software regularly
- Establish a risk-based vulnerability management program
  - Run regular vulnerability scans to identify vulnerabilities
  - Classify the vulnerabilities
  - Prioritize the vulnerabilities
  - Remediate and mitigate the vulnerabilities
- Identify all public-facing assets and ensure they are appropriately configured
  - Do not publicly expose services unless necessary (for example RDP, SQL, or management interfaces for HVAC systems)
  - Regularly patch all publicly exposed assets
- Require multifactor authentication (MFA)
- Remove old versions of SMB and block all external access to SMB
- Ensure the use of a quality email filter
- Enable Endpoint Detection and Response (EDR) solutions (next-generation antivirus and antimalware protection) on all endpoints
- Consider the use of allowlists instead of blocklists for software
- Review the practices of third parties that have access to your internal systems
  - MSPs and other third parties are a common attack vector
- Implement the principle of least privilege across the environment
  - Restrict access to PowerShell and Group Policy to only the administrators who require it
- Set up centralized logging for computers and network devices
  - SIEM (Security Information and Event Management) products can help with log storage, correlation, and analysis
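The following is an added example, not code from the original post or from Intivix: a read-only PowerShell audit of three controls from the list above (SMBv1 removed, RDP scoped at the host firewall and requiring Network Level Authentication, and PowerShell script block logging enabled so the central logs and SIEM receive it) on a single Windows host. It assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later, changes nothing, and reports each control with the remediation command a practitioner would then review and apply.

```powershell
# Added example, not from the original post. Read-only hardening audit of one
# Windows host for three items in the list above. Assumes an elevated
# PowerShell 5.1 session; the Fix column is reported, never executed.

function New-Finding([string]$Control, [bool]$Pass, [string]$Fix) {
    [pscustomobject]@{
        Control = $Control
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Fix     = if ($Pass) { '' } else { $Fix }
    }
}

function Test-RansomwareHardening {
    $findings = @()

    # 1. Legacy SMBv1 server support should be off ("remove old versions of SMB").
    $smb = Get-SmbServerConfiguration
    $findings += New-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) `
        'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'

    # 2. RDP: if the host accepts connections, NLA must be required and no enabled
    #    "Remote Desktop" firewall rule should accept traffic from any remote address.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpOn = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
    if ($rdpOn) {
        $nla = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1
        $findings += New-Finding 'RDP requires NLA' $nla `
            "Set-ItemProperty '$tsKey\WinStations\RDP-Tcp' UserAuthentication 1"

        $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
            Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
        $findings += New-Finding 'RDP firewall scope restricted' (-not $openRules) `
            'Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress LocalSubnet  # or your management range'
    } else {
        $findings += New-Finding 'RDP disabled' $true ''
    }

    # 3. Script block logging writes PowerShell activity (Event ID 4104) to the
    #    event log your central logging/SIEM collects.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    $findings += New-Finding 'PowerShell script block logging' $sbl `
        "New-Item $sblKey -Force; Set-ItemProperty $sblKey EnableScriptBlockLogging 1"

    return $findings
}

Test-RansomwareHardening | Format-Table -AutoSize -Wrap
```

The firewall check covers only the host firewall scope; whether RDP is reachable from the internet also depends on the perimeter, which this script cannot see.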
Taking the above steps will significantly improve your organization's security posture and reduce the likelihood of a successful ransomware attack. However, there is no panacea: when your organization is breached, it is important to execute the incident response plan you have practiced.
Ransomware is an international scourge, and we need coordinated action to address it. Fortunately, the need for collective action is being recognized: the Ransomware Task Force recently published a framework for combating ransomware, and the Biden Administration is trying to address security shortcomings within the federal government. These efforts will take time to implement, and many of them will require international cooperation. The outlook is not particularly rosy.
Until then, despair is neither productive nor necessary: there are concrete steps businesses, even small businesses, can take to reduce their risk. Review the recommendations above to mitigate the threat of ransomware, make sure you have a realistic incident response plan, and drill that plan.
If you would like any assistance reviewing your current state or guidance on how to evolve your security practices, Intivix is here to help, and we are happy to schedule a meeting to discuss your needs.