June 25, 2019
After Florida’s Riviera Beach was crippled by a ransomware attack that took down the city’s services, leaders authorized a payment of 65 Bitcoin to the perpetrators, worth nearly $600,000. The news came less than a week after one of the world’s most important suppliers of airplane parts, ASCO, ceased production in factories across four countries after suffering a ransomware infection.
The Riviera Beach attack began after a police department employee opened an infected email attachment, which then shut down all of the city’s online systems including email, phones, and some water utility pump stations.
ASCO, whose clients include Boeing, Airbus, Lockheed Martin and Bombardier among other military and commercial aircraft companies, sent home 1,000 of its 1,400 workers. Days later, the company shared a public statement acknowledging that the attack “caused a serious disruption on all of our activities and impacted our available communication means. As a precautionary measure, all systems have been quarantined and the activities at all of our sites in Belgium, Canada, the United States and Germany were stopped.”
The airplane parts manufacturer is not alone. On June 17, Pennsylvania trucking company A. Duie Pyle was also hit with a ransomware attack that “impacted our network communication systems. Our Pyle core operating systems and backups were not invaded or compromised, and there was no data extracted from these systems.”
Norsk Hydro refused to pay the ransom demanded after an attack took 22,000 computers offline at 170 of its worldwide locations. The company is still trying to recover from the attack. Cybercriminals understand the gravity of an attack on critical infrastructure and municipalities, organizations that service thousands or even millions of people each day. There’s money to be made, and desperation sometimes drives companies to pay.
With these attacks coming on the heels of one in Baltimore, municipalities and businesses are increasingly trying to understand how to prevent these types of hacks.
“Municipalities across the U.S. and around the globe have been favorite targets of ransomware attackers in the past 18 months since IT and information security departments in town, city, and county government offices tend to be underfunded, seriously overworked, and optimal targets for these campaigns,” said Bob Rudis, chief data scientist, Rapid7.
Attackers also have targeted operational technology (OT) environments. Financially motivated cybercriminals are focusing their efforts on industry and manufacturing as their targets because they know how costly a shutdown can be for a business, according to Elisa Costante, senior director of industrial and OT research for Forescout.
Because previously air-gapped OT devices from PLCs to sensors are now connected to networks, “this convergence of IT with OT networks is providing cyber attackers a greater opportunity to affect the physical world and impact the bottom line of the business and safety of operations and employees,” Costante said.
Why Some Organizations Have to Pay
Ransomware attacks have devastated organizations, in part because there was no backup, continuity and disaster recovery (BCDR) plan in place. Even with a BCDR plan, it needs to be tested regularly so that organizations are prepared for these types of attacks.
“Making the decision to pay a ransom or not is a difficult and unenviable choice for any organization to make,” Rudis said. “If there is no backup at all of the data that has been obfuscated, an organization may have little choice but to pay the ransom, regardless of the precedent that paying may set.”
Certainly, no organization wants to serve as the “win” for attackers. Paying the ransom can encourage attackers to broaden their campaigns, but Rudis said it’s too easy to pontificate and say “never pay” when you’re not the one that has to try to recover from a devastating attack that could affect the safety of employees, customers or the public.
“Before you make that decision you should reach out to local law enforcement, FBI (or the equivalent resource in your region), and qualified incident response firms that have demonstrated radically effective capability in handling these types of incidents to ensure that making the payment is the last resort,” Rudis said.
Ready. Set. Don’t Pay!
The cost of shutting a factory down for days to deal with ransomware adds up quickly and causes more than just a headache. The first step every manufacturer needs to take is knowing what is actually connected on the shop floor and then segmenting the networks so malware can’t move laterally to sensitive equipment.
Having good backup and recovery is essential to counter ransomware. Organizations need to have robust backup and regularly validate its effectiveness. If malware slips through a company’s defenses, they need the ability to revert to a recent backup and avoid the pain that municipalities and industrial organizations are encountering, according to Sam McLane, chief technology services officer at Arctic Wolf Networks.
“Organizations also need to have detection technology, like network monitoring via intrusion detection or endpoint detection and response, to see when something slips through. And third, organizations must monitor the entire environment to detect and respond when something slips through,” McLane said.
Prevention requires backups and ongoing testing of disaster recovery plans, but David Barzilai at Karamba Security said that the systems in an organization’s OT, in addition to machinery and IoT devices, can also be locked down so that even if an attacker finds a vulnerability and is able to exploit it, no changes can be made to the factory settings.
“Unfortunately, there are always vulnerabilities somewhere. Developers make mistakes. They are human. Hackers know that, and they are looking to exploit those bugs, but there are ways to automatically create a security policy that keeps running in the background so that the system checks itself all the time,” Barzilai said.
Prevention is also about employees and making sure they’re aware of the risks and how to prevent them, according to Grant McCracken, director of solutions architecture at Bugcrowd.
“The ransomware attack that plagued Atlanta last year ended up costing the city $2.6 million in remediation. If we want to avoid this, it’s important to invest in proper security measures like anti-phishing software, education, as well as deploying modern security approaches such as a crowdsourced security program,” McCracken said.