Authored by: Taylor Armerding, Security Advocate, at Synopsys Software Integrity Group
Ransomware isn’t a new problem — not even close. It’s been around for more than 30 years. But like every element of technology, it has evolved. Instead of being an occasional expensive nuisance, it’s now a plague with existential implications for critical infrastructure — energy, transportation, food supply, water and sewer services, healthcare, and more.
And recent headlines have been a constant reminder of how vulnerable the owners and operators of that infrastructure — most of them private companies — are to ransomware attacks.
The state of ransomware attacks
The May 2021 attack that prompted Colonial Pipeline to shut down its 5,500-mile pipeline, cutting off nearly half the fuel supply to the U.S. east coast for the better part of a week, is just one ominous example. Because as modern ransomware attacks go, this one was fairly standard.
DarkSide, a ransomware-as-a-service group reportedly operating in Russia, didn’t just encrypt data. They stole it as well, which puts more pressure on victims to pay since there’s a threat of intellectual property and private customer information going public.
But the group attacked the company’s IT network rather than the more sensitive operational technology (OT) networks that control the pipeline. That gave a measure of credibility to DarkSide’s claim a few days later that, as Reuters put it, they were out for “cash, not chaos.” In a statement posted on its website, the group said, “our goal is to make money, and not creating [sic] problems for society.”
They added that the group is “apolitical” and should not be linked with any government.
Still, the attack created problems well beyond the ransom Colonial ended up paying — a reported USD4.4 million — although the Department of Justice announced June 7 that it had been able to recover about USD2.3 million of that by tracing and seizing the bitcoin wallet used by the hackers.
But at the time, the company shut down the pipeline “out of an abundance of caution” since it didn’t know if the attackers had penetrated its OT systems.
Ransomware impact on critical infrastructures
The impact of the Colonial attack was anything but standard. It cut off multiple fuel supplies — gasoline, diesel, jet fuel, and heating oil — which led to panic buying and major price spikes. And it demonstrated yet again what multiple experts have warned for decades: Criminals or hostile nation-states don’t need bombs, missiles, or bullets to damage an adversary. They can do it with keystrokes on a computer.
Past illustrations of that reality include the Aurora demonstration in 2007 at Idaho National Laboratories, which destroyed a large diesel generator; Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010; and Industroyer, which brought down a portion of the energy grid in Ukraine in 2016.
But the Colonial attack was at an entirely new level, at least in the U.S. Robert Lee, CEO of the cybersecurity firm Dragos, told Wired magazine that “this is the largest impact on the energy system in the United States we’ve seen from a cyber attack, full stop.”
Government response to ransomware
So why aren’t governments and the private sector organisations that are the targets of these attacks going on what would amount to a wartime footing to fight back?
Well, they are — sort of. The White House issued a memo this past week urging business leaders to act immediately to improve their resistance to ransomware attacks.
“The threats are serious and they are increasing,” wrote Anne Neuberger, President Biden’s deputy national security advisor for cyber and emerging technology.
Biden has also promised to confront Russian President Vladimir Putin when they meet later this month about that country being a safe haven for ransomware criminals.
But if there’s any good news, it’s that the ways to resist ransomware attacks are well established. And while nothing will make an organisation entirely bulletproof from skilled, determined attackers, there are ways to make a successful attack much more difficult.
Ransomware security best practices
The following list includes the recommendations in the White House memo:
Build, maintain, and distribute secure software: While the Colonial attack was enabled by the theft of a password, better software security is still the most effective defence against hackers. That means all the software — what an organisation builds itself and what it acquires from other vendors or from the open-source community. Rehan Bashir, managing consultant with the Synopsys Software Integrity Group, said it takes “a holistic security approach — network, host, and application development. Organisations must adopt secure development processes that will produce secure software products and applications.” That requires a secure software development life cycle (SDLC) where “security is an inline function of the development pipeline rather than an out-of-band activity,” he said. An SDLC should start with architecture risk analysis to find and fix design flaws, and threat modelling to identify the ways malicious hackers might attack. Next, use application security and quality analysis tools. Throughout initial software development and updates, automated application security tools for static, dynamic, and interactive application security testing along with software composition analysis will help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components. At the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organisation needs more expertise or capacity, managed services providers can guide it through the process.
Back up data regularly: Keep the backups offline, not connected to the network. If backups are isolated and protected, an organisation can rebuild its systems quickly at minimal expense. However, isolated backups won’t protect an organisation from the modern ransomware attack that not only encrypts data but steals it as well, and then threatens to make it public if the ransom is not paid.
Build and maintain an inventory: Identify all your assets. As the saying goes, you can’t protect what you don’t know you have.
Update and patch: Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.
Segment networks: Ransomware attackers don’t just steal and encrypt data. They also disrupt operations, which gives them more leverage with their targets. So organisations should separate their business functions from manufacturing/production operations, and limit internet access to operational networks. Especially with industrial control systems, it’s crucial to isolate those networks so they can continue operating if the corporate network is compromised.
Train workers: Most employees want to protect the organisation’s assets. But if they fall for a phishing email, reuse passwords, or don’t create complex ones, the best technology in the world can’t protect against those failures.
Limit access: While organisations should value all their employees, the reality is that the more people who have access to sensitive data, the greater the risk. Network segregation is the way to limit access to only what employees need to do their jobs.
Limit plugins: They can be an entry point. Either disable them or make sure they are updated regularly.
Verify, then trust: All documents should come from trusted sources and have visible file extensions. Don’t let your system download irrelevant documents that may be coming from malicious sources.
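Several of the items above (offline backups, segmented OT networks, limited internet access to operational networks, access limited to what a job needs) can be expressed as a policy and checked against a firewall rule export rather than assumed. The following is an added example written for this article, not code from Synopsys or from the White House memo. The zone names (internet, corp_it, jump_host, ot_control, backup_vault), the Rule format and both rule sets are constructed for illustration; a practitioner would replace SAMPLE_RULES with a loader for their own firewall's export.

```python
"""Policy-as-code check for network segmentation and isolated backups.

Added example. Zone names, rule format and rule sets are constructed
assumptions; adapt the rule loader to your own firewall export.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    action: str   # "allow" or "deny"


# Flows that must never be allowed directly, derived from the recommendations:
# no internet exposure of OT or backups, backups offline from the business
# network, and no internet access originating from the operational network.
FORBIDDEN_DIRECT = {
    ("internet", "ot_control"),
    ("internet", "backup_vault"),
    ("corp_it", "backup_vault"),
    ("ot_control", "internet"),
}

# The only zone permitted to open sessions into the control network.
OT_ALLOWED_SOURCES = {"jump_host"}

# Constructed rule export with two deliberate policy violations.
SAMPLE_RULES = [
    Rule("internet", "corp_it", "allow"),        # VPN / web front door
    Rule("corp_it", "internet", "allow"),
    Rule("corp_it", "jump_host", "allow"),       # admins reach OT via the jump host
    Rule("jump_host", "ot_control", "allow"),
    Rule("ot_control", "corp_it", "allow"),      # historian data flows outward only
    Rule("corp_it", "ot_control", "deny"),       # explicit deny, ignored by the checks
    Rule("corp_it", "backup_vault", "allow"),    # violation: vault on the business network
    Rule("internet", "ot_control", "allow"),     # violation: OT exposed to the internet
]

# Same export with the two violating rules removed.
HARDENED_RULES = [
    r for r in SAMPLE_RULES
    if (r.src, r.dst) not in {("corp_it", "backup_vault"), ("internet", "ot_control")}
]


def allow_edges(rules):
    """Directed (src, dst) pairs that some allow rule permits."""
    return {(r.src, r.dst) for r in rules if r.action == "allow"}


def reachable_from(rules, start):
    """Zones reachable from `start` over any chain of allow rules (BFS)."""
    edges = allow_edges(rules)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def check_policy(rules):
    """Return a sorted list of human-readable findings; empty means compliant."""
    findings = []
    edges = allow_edges(rules)
    # 1. Directly allowed flows that the policy forbids outright.
    for src, dst in sorted(edges & FORBIDDEN_DIRECT):
        findings.append(f"direct: {src} -> {dst} must not be allowed")
    # 2. Any inbound path into OT that bypasses the jump host.
    for src, dst in sorted(edges):
        if dst == "ot_control" and src not in OT_ALLOWED_SOURCES:
            findings.append(f"ot_inbound: {src} -> ot_control bypasses the jump host")
    # 3. Transitive exposure: the backup vault must be unreachable from the internet
    #    through any number of hops, not merely free of a direct rule.
    if "backup_vault" in reachable_from(rules, "internet"):
        findings.append("reach: backup_vault is reachable from the internet")
    return findings


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, check_policy(rules) or "compliant")
```

The transitive check is deliberately strict for the backup vault and permissive for the control network: internet -> corp_it -> jump_host -> ot_control is reachable in the hardened set, but that is the intended administrative path, so only inbound rules whose source is not the jump host are flagged. Run this against a fresh rule export after every change rather than once a year; a single added allow rule is enough to reconnect the vault to the business network.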
Make application security a priority
For years, many organisations have complained that they have neither the time nor the money to implement those protections, and that hackers wouldn’t be interested in them anyway.
That is, demonstrably, a very risky strategy. “Security by obscurity” doesn’t work. And the cost of paying cybercriminals and recovering from a ransomware attack will be greater, by orders of magnitude, than any “savings” from failing to implement good security.
Better security is an investment. It starts with a strong software foundation, continues with careful thought about firewalls and network design, and is maintained with constant vigilance, including monitors and secure software updates.
You may never know the ROI from all this, but that’s the point — you don’t want to know.