Andy Warhol, the artist, film director and producer, said in 1968 that “in the future, everyone will be world-famous for 15 minutes.” Ransomware attacks have stepped up and are commanding attention like never before. Unfortunately, this first 15 minutes of fame is likely the first of many such periods we will see over the coming years. Ransomware has become the threat actor’s weapon of choice. Ransomware attacks are increasingly carried out by nation-states and organized crime, and they cause millions of dollars in reputational damage, recovery expense, extorted ransom payments, lost revenue, loss of the use of critical infrastructure, and much more.
Just this month, top Justice Department officials cautioned U.S. business leaders to prepare for an increasing barrage of ransomware attacks. The Federal government’s effort to organize a coordinated response has taken on an almost war-room character as it seeks to rally businesses to prepare for these attacks.
Lisa Monaco, the deputy attorney general, noted that “to the CEOs around the country, you’ve got to be on notice of the exponential increase of these [ransomware] attacks.” Monaco also recently issued a memorandum to US federal prosecutors requiring the centralization of ransomware reporting. Monaco also wrote, “if you are not taking steps, today, right now, to understand how you can make your company more resilient, what is your plan?¹”
The attacks we see in the news are only the tip of an iceberg that is largely out of the public eye. Monaco has led the DOJ’s efforts against ransomware threat actors, and noted that the massive attacks against Colonial Pipeline and JBS USA, the U.S. arm of the world’s largest meat processing company, were representative of the ransomware attacks taking place every day.
Just this past week it was announced that JBS paid an $11 million ransom after a cyberattack shut down its entire U.S. beef processing operation. The U.S. government currently attributes the attack to REvil, a threat actor likely based in Russia or eastern Europe. REvil runs a ransomware-as-a-service operation and has successfully extorted many organizations over the past year. REvil is also known as Sodinokibi and may be linked to the earlier GandCrab ransomware operation.
The Colonial Pipeline ransomware attack was equally dangerous. The threat actors deployed DarkSide ransomware against the pipeline company’s critical IT infrastructure, and the company shut down 5,550 miles of pipeline as a precaution, leaving fuel stranded on the Gulf Coast.
DarkSide is a ransomware-as-a-service (RaaS) operation in which the affiliates who deploy the ransomware share a percentage of the proceeds with the ransomware developers. Affiliates use DarkSide to steal and encrypt sensitive data, and have been known to target large, high-revenue organizations that can afford to pay large ransoms.
Once DarkSide affiliates gain access to a victim’s network, they exfiltrate sensitive data and then deploy the ransomware to encrypt it. They then apply double extortion: they demand a ransom for the key needed to decrypt the files, and threaten to publicly release the stolen data if the victim does not pay, adding pressure on top of the encryption itself.
DarkSide has not emerged from this attack unscathed. U.S. law enforcement landed a strong counter-punch, recovering $2.3 million in bitcoin from the ransom Colonial Pipeline paid. U.S. officials identified the virtual currency wallet the DarkSide actors used to collect Colonial Pipeline’s payment and seized the funds².
Of course, the rabbit hole may go far deeper than that. Cryptocurrency may be the key to a strong counterpunch. The U.S. government has not revealed its ways and means, or the full set of Federal agencies involved in recovering the $2.3 million, and may now have far deeper visibility into cryptocurrency transactions than is publicly known. In the final analysis, ransomware is almost wholly dependent on cryptocurrency for payment. Without a cryptocurrency that remains secure and confidential for them, ransomware threat actors might be driven out of business.
The US Government Decides to Step In
Given the rising tide of ransomware attacks and the burgeoning investment by threat actors in ransomware-as-a-service platforms, the White House has also gone on record this month about the extreme dangers of ransomware. Earlier in May, President Biden signed an Executive Order (Executive Order 14028) to improve the nation’s cybersecurity and protect Federal government networks. The Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.
Anne Neuberger, President Joe Biden’s deputy national security advisor for cyber and emerging technology, has noted that “The threats [ransomware] are serious and they are increasing.” Neuberger further wrote, “The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location … to understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
This White House memo, circulated in June, has been cited by CNBC as listing five best practices for safeguarding against ransomware attacks:
- Back up your data, system images and configurations, test the backups regularly, and keep them offline: Many ransomware variants try to find and encrypt or delete any backups they can reach, so backups must be regularly tested and kept disconnected from the business network. Maintaining current offline backups is critical: if your network data is encrypted by ransomware, your organization can still restore its systems.
- Update and patch systems promptly: This means keeping operating systems, applications and firmware up to date in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
- Test your incident response plan: Nothing exposes the gaps in a plan like testing it. Run through some core questions and use them to build the plan: Can you sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
- Check your security team’s work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
- Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that internet access to operational networks is carefully filtered and limited, and that the links between these networks are identified, with workarounds or manual controls in place so that ICS networks can be isolated and continue operating if the corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
DNS security as a first line of defense
DNS security must also be a critical part of your ransomware defense. Ransomware, like most malware, uses DNS at one or more stages of the cyber kill chain. In a targeted attack, DNS may be used during the reconnaissance phase. It is used in the delivery phase when potential victims unknowingly resolve the domains involved in the attack, and in the email delivery process when the ransomware propagates via spam campaigns. The exploitation phase may involve further DNS queries as the victim’s system is compromised and infected, and an infected system frequently uses DNS to check in with its command-and-control (C&C) infrastructure. Applying threat intelligence and analytics to your internal DNS traffic can detect and block such activity early, before the ransomware spreads or downloads its encryption payload.
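As an added illustration of the "threat intelligence and analytics on internal DNS" idea described above (this is example code written for this page, not Infoblox product logic and not code from the original post), the following Python script runs three checks over a constructed sample of internal resolver query logs: a suffix match against a constructed threat-intelligence blocklist, an entropy heuristic for DGA-style names, and a regular-interval (beaconing) check for C&C check-ins. The log line format, every domain name and IP address, and the thresholds are assumptions chosen for the demonstration.

```python
"""Threat-intel matching and simple analytics over internal DNS query logs.

Added illustrative example; not code from the original post and not the logic
of any Infoblox product. Log format, feed entries and thresholds are assumptions.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed resolver log format: "<ISO timestamp> client <ip> query: <qname> <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d+(?:\.\d+){3}) query: (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)

# Constructed sample log: 10.1.4.37 polls a blocklisted domain every 5 minutes,
# 10.1.4.51 resolves a random-looking label, 10.1.4.22 is ordinary traffic.
SAMPLE_LOG = """\
2021-06-10T09:00:01Z client 10.1.4.22 query: www.example.com A
2021-06-10T09:00:05Z client 10.1.4.22 query: mail.example.com MX
2021-06-10T09:01:00Z client 10.1.4.37 query: beacon.badactor.test A
2021-06-10T09:03:17Z client 10.1.4.51 query: xk7q2pz9vwm3h4r8tb.dga-example.test A
2021-06-10T09:06:00Z client 10.1.4.37 query: beacon.badactor.test A
2021-06-10T09:11:00Z client 10.1.4.37 query: beacon.badactor.test A
2021-06-10T09:16:00Z client 10.1.4.37 query: beacon.badactor.test A
"""

# Constructed threat-intelligence feed (stand-in for a real RPZ or indicator feed).
BLOCKLIST = {"badactor.test"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"]}


def blocklist_match(qname, blocklist):
    """Return the feed entry that qname equals or sits under, else None.

    Walking the suffixes lets an apex entry cover every subdomain the actor rotates
    through. The bare TLD is skipped so a sloppy feed entry like "com" cannot block everything.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def shannon_entropy(text):
    """Bits of entropy per character; 0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=16, min_entropy=3.5):
    """DGA-style heuristic: a long, high-entropy leftmost label (thresholds are assumptions)."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def beaconing_pairs(records, min_queries=4, max_jitter=0.2):
    """Yield (client, qname) pairs queried at near-constant intervals.

    A C2 implant checking in on a timer produces inter-query gaps with little spread;
    max_jitter bounds (max - min) / mean of those gaps.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["qname"])].append(r["ts"])
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean > 0 and (max(deltas) - min(deltas)) / mean <= max_jitter:
            yield pair


def analyze(log_text, blocklist):
    """Run all three checks; return sorted, de-duplicated (kind, client, qname) alerts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = set()
    for r in records:
        if blocklist_match(r["qname"], blocklist):
            alerts.add(("blocklist", r["client"], r["qname"]))
        if looks_generated(r["qname"]):
            alerts.add(("dga-like", r["client"], r["qname"]))
    for client, qname in beaconing_pairs(records):
        alerts.add(("beacon", client, qname))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, client, qname in analyze(SAMPLE_LOG, BLOCKLIST):
        print(f"{kind:10} {client:12} {qname}")
```

Two caveats a practitioner should keep in mind: the entropy heuristic is noisy on its own (long legitimate labels such as CDN or cloud hostnames can exceed the threshold), so it is best combined with other signals such as NXDOMAIN rate or newly observed domains; and real implants add jitter to their check-in timers, so a production beaconing detector works over longer windows and tolerates more spread than this simple ratio. Blocking, as opposed to alerting, is normally done by feeding the same indicators into the resolver as a response policy zone (RPZ).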
BloxOne® Threat Defense from Infoblox operates at the DNS level to see threats that other solutions do not, and can stop ransomware and other attacks earlier in the attack cycle. It brings advanced automation and ecosystem integrations, improves SecOps efficiency and the effectiveness of the existing security stack, and secures digital-transformation and work-from-anywhere efforts. All of this can reduce the total cost of cybersecurity for any organization. To learn more about BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/