The world of Ransomware trends, recent issues & awareness

07TH July 2021

 

Modern day threats to organizations, states and individuals are now consistently driven through the digital world. Cybersecurity and digital threat intelligence is an ever growing topic that can be covered over a series of articles and research studies. In this blogpost, we do things a little differently with some candid but detailed conversations with Ludovic Petit, a leading expert in Cybersecurity.

Ludovic PETIT is Chief Executive Officer at JADE, a cybersecurity and business strategy consultancy. He assists companies to create a unifying and value-creating culture of digital security through consulting missions related to cybersecurity and business strategy, legal compliance on information security and through audits. Being a well-respected authority on cybersecurity and data protection, Ludovic PETIT also serves as Associate Researcher at the Research Center of the National Gendarmerie Officers Academy, Commander, Defence and Security Citizen Reserve Gendarmerie, Auditor of the High Studies Centre of the Cyberspace, member of the Board of Directors of Cyberlex, the Law and New Technologies Association and was Global Chief Information Security Officer at Altran.

We have split our conversations with Mr. Petit  into two sections. In the first part, we cover the topic of Ransomware, right from the basics to recent attacks caused by ransomware.

To empower our readers with the basics, what is Ransomware?

Mr Petit: An indication for our readers, before diving further into the subject; there are many reports presenting cybersecurity trends from all angles, but if there is one that I recommend reading it is The Global Risk Report 2021 from the World Economic Forum.

The Global Risks Landscape ranks Cyber-attacks as the 3rd most important risk… just behind pandemic and climate change risks! All is (almost) said.

Most expert firms (financial, economic, technical) around the world agree that, if it were a country, the economic weight represented by Cyber Risk would make it the third largest economy in the world, behind the United States and China.

Well, in short, Ransomware is a type of malicious software (a Malware) that is designed to hold your files or computer hostage, demanding payment for you to regain access.

Although the phenomenon of ransomware is not new, it has never been as widespread as it is today. As companies’ activities are increasingly based on connected services, the fight against ransomware and more generally against malware is becoming a priority. Indeed, for a few years now, most security trend reports in the world rank Ransomware as the most frequent and impactful type of cyber-attack.

Sources:

X-Force Threat Intelligence Index 2021: https://www.securityhq.com/reports/ibm-x-force-threat-intelligence-index-2021/

ENISA Threat Landscape 2020: https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends

 

Why should individuals and organizations be concerned about it now  and what does the future entail?

Mr Petit: We now live in a digital world, a cyberspace that, unlike the geography of the countries we all know, has no borders. And whatever we think, daily news shows us every day that this cyberspace has unfortunately become dangerous. Cyber-attacks are shutting down companies, with disastrous economic impacts, sometimes even in terms of jobs when a company has no choice but to file for bankruptcy following a cyber-attack, impact individuals and cities, and even countries (remember the 2007 cyber-attacks on Estonia?).

Jerome Powell, the president of the US central bank, recently said he was more concerned about the risk of a large-scale cyber-attack than a global financial crisis.

“The world is changing. And so are the risks. And I would say that the risk we are watching most is the cyber risk,” he said, adding that it is a concern shared by many governments, large private companies, especially financial companies.

The COVID pandemic increased this risk of cyber-attacks, simply because companies had to react very quickly to put in place remote working solutions, most of the time not compliant with their own information systems security policy, because the imperative of business continuity took precedence over security of use.

Many employees have also had to use their own computers at home to connect to their company’s information system, and in such circumstances, the level of information security and the one of their computers’ security is most of the time not the same as that of a mastered corporate computer.

As we can see, all of us are concerned by Cybersecurity.

 

What are the good practices to limit or avoid the risks of encountering Ransomware?

Mr Petit: There is no 100% security. On the other hand, compliance with your company’s information systems security policy is obviously a fundamental step.

From a more generic point of view, common sense applies:

  • Apply system and software updates to your computer on a regular and systematic basis,
  • Update your antivirus and antimalware software, and configure your firewall to allow only legitimate applications, services, and machines,
  • Do not read emails, their attachments or click on links from chain messages, unknown senders or from a known sender, but with an unusual or empty message structure,
  • Do not install any ‘hacked’ application or program, or of dubious origin or reputation,
  • Avoid browsing unsafe or illegal sites (most of these sites contain malware),
  • Make regular backups of your data and system so that you can reinstall it in its original state, if necessary,
  • Do not use a user account with ‘Administrator’ rights/credentials (an information security classic) to check your emails or browse the internet,
  • Use sufficiently complex passwords and change them regularly.

Adherence to these few rules can already prevent many problems.

I highly recommend to browse the ANSSI website in France, as well as our German counterparts the BSI and the UK with the National Cyber Security Centre, who provide a lot of valuable advice and guidance about cybersecurity and information systems security.

 

It should also be noted that hacker groups are starting to build real business models of organized cybercrime. This is one of the aspects on which specialised international police and gendarmerie units are working together, in relation with InterPol (International Criminal Police Organization, https://www.interpol.int/) and other international bodies, with, it must be said, great success and increasing efficiency.

Through Ransomware-as-a-Service (RaaS) there exists a business model that supports ‘partners’ to carry out attacks against victims, and to share the profits with the developers of the malware. In return for this arrangement, such partners or affiliates are offered a sizeable share of profits, in a relationship that appears to suit both parties based on the rise in use of such a model.

As can be seen, the world of cybercrime also has its parallel economy.

These Ransomware attacks can also be dramatic. Some hackers have no scruples.

Last September 2020 in Germany, a woman who needed urgent medical care, died after being re-routed to a hospital in the city of Wuppertal, more than 30 km away from her initial intended destination, the Düsseldorf University Hospital.

The Düsseldorf hospital was unable to receive her as it was amid dealing with a ransomware attack that hit its network and infected more than 30 internal servers on September 10.

The incident marks the first-ever reported human death indirectly caused by a ransomware attack.

The patient’s death is currently being investigated by German authorities. If the ransomware attack and the hospital downtime are found to have been directly at fault for the woman’s death, German police said it plans to turn their investigation into a murder case.

 

Recently, the Colonial Pipeline cyber-attack affected gasoline supply in the East and Southeast of the United States. What is the appraisal and cost of these attacks? 

Mr Petit: An analysis of the cyberattack on Colonial Pipeline found that the hackers were able to access the company’s network using a compromised (weak) VPN password.

The VPN login – which did not have multi-factor protections on – was unused but active at the time of the attack. So, we can see that 2 essential security rules have not been respected: low level of authentication, and weak authentication process not disabled. Unfortunately, a classic in cybersecurity.

The breach occurred April 29th, according to Mandiant, and was discovered on May 7th by a control room employee who saw the ransomware note. That prompted the company to take the pipeline offline to contain the potential threat.

About the only thing that hasn’t been hurt by the hacking attack that shut down the Colonial Pipeline? The company’s market value. Unbelievable, and yet true.

Indeed, if it were publicly traded, the Colonial’s stock would undoubtedly have tumbled. But the 59-year-old firm is privately held, with its ownership split among five owners spread across five countries on four continents.

That said, the attack on Colonial Pipeline has had, and will have, an undeniable cost, if only to the company itself, because of the huge economic impact that resulted. Indeed, about 45% of all fuel consumed on the East Coast of the United States arrives via the Colonial Pipeline system.

The Colonial Pipeline is a strategically important pipeline system of approximately 5,500 miles in length – nearly 8,850 km – carrying petroleum products from refineries on the Gulf Coast to the north-eastern United States in the New York area. In total, the pipeline crosses 17 US states, accounting for almost 40% of the national population and about 30% of US oil consumption.

One of the first impacts was that gas stations ran out of gas. The direct economic result is therefore a loss of business for the entire network of gas stations concerned.

In direct cost terms, the hack led to a ransomware payout of $4.4 million and resulted in gas prices around $3 per gallon for the first time in several years at US gas stations. To avoid a shortage and a spike in prices at the pump, several East Coast governors have declared a state of emergency to facilitate supply.

As Americans rushed to the pumps to stock up, authorities had to take emergency measures to facilitate supply and avoid panic, but also restrictions on road transport.

According to Gasbuddy.com, which tracks fuel prices and outages at gas stations, more than 9,500 gas stations were out of stock, half of them in Washington and 40% in North Carolina.

Taking such emergency measures has a cost in terms of organisation, just as seeing people rush to gas stations impacts on the business of the companies that employ them, not to mention the resulting traffic jams that have had an impact on the local economy as well.

Although we do not have precise figures, we can therefore estimate an enormous indirect cost perspective for the local economy.

Now, 2 facts which, in such circumstances, are likely to weigh heavily in the Cybersecurity balance of Colonial Pipeline:

Colonial Pipeline will have to completely overhaul the cybersecurity of its national infrastructures, which has a definite direct cost on the scale of such a company (audit, consultancy firms, equipment, and solutions, but also staff training, etc.). This will therefore have a serious impact on its financial business plan.

The second fact is perhaps even more serious: The hackers, who are part of a cybercrime gang called DarkSide, have stolen nearly 100 Gb of data out of the Alpharetta, Georgia-based company’s network ahead of shutdown.

It is not yet known what exactly the stolen data contained, but as Colonial Pipeline provides an infrastructure-based service considered critical to the nation, it is highly likely that hackers focused on sensitive information such as, for instance, the company’s internal operations and infrastructures.

We can consider that hackers have knowledge of the company’s internal processes, which now makes the task of securing the infrastructure much more complex than it seems.

The associated costs for Colonial Pipeline will therefore have to be commensurate both with the challenges, and the stakes… and at this scale of criticality, the costs are likely to be very high.

The attack against Colonial Pipeline demonstrates the fragility of Uncle Sam about cyber-attacks. It is in this context, that the President of the United States, Joe Biden, signed on Wednesday 12 May 2021, an executive order intended to reinforce the country’s security against computer attacks.

The White House wrote an open letter where it reminded the need for companies to adopt better standards of security. Thus, this will have a direct impact on the way risks are managed in companies.

Consequently, the attack on Colonial Pipeline is taking on a significant national dimension, with an impact far beyond the scope of Colonial Pipeline.

 

Are these attacks coming from specific regions?

Mr Petit: A complex subject which certainly deserves special attention.

Several groups of hackers which have made cyber-attacks one of their specialities, are linked or purposely used by certain nation-states that I will not name for the sake of decency.

There is a whole parallel economy in the cybercrime sphere, that’s reality, and it is important to know that some of the patterns of fraud, cybercrime and attacks of all kinds carried out on a large scale, can sometimes represent the GDP of a developing country.

This is one of the reasons why it is important that the subject of Threat Intelligence is taken very seriously in companies and is an integral part of any corporate Cyber Security strategy.

There is one constant in the Underground community: the very high level of technical skills. Indeed, hackers use powerful technologies to carry out their attacks.

Therefore, it is always very complicated to have precise facts that can directly incriminate such or such attacker, or a country from where the attack could have originated, because technologies are such nowadays that it is easy to make believe in the origin of an attack. I would add that it is also easy for hackers to design malware in such a way as to make it appear that the technical ‘signature’ is of a known origin. This is a common practice in the underground and hacking ecosystem.

One of the rules in hacking is to erase or cover one’s tracks, and to make sure that one appears for what one is not in reality. This is the cyber security expert speaking, but from a technical point of view, the rule is to never take for granted what you see or discover. You must always ‘triangulate’ and corroborate the facts. Say, the output remains facts, but rarely the reality of the facts.

————————————————————————————————————-

We now wrap up part-1 of this two-part series of our cybersecurity discussions with Mr. Petit. We thank Mr. Petit for his valuable inputs to help us better understand Ransomware and the recent issues pertaining to the same. Please check out the second part of these discussions covering human and regulatory impact on  Cybersecurity Breaches.