Ransomware Gone Wild: Q&A Session

In the world of cyber attacks, ransomware is certainly having its moment. This type of malware is characterized by bad actors threatening to either publish sensitive data or block access to data belonging to the victim if a specific ransom amount is not paid. The recent Colonial Pipeline hack that left the US east coast short on fuel, and the attack on JBS USA Holdings Inc., culminated in both companies making multi-million dollar payouts to the criminals responsible to avoid a prolonged shutdown of critical business operations. The SolarWinds hack last December, while not a ransomware attack, affected the information technology firm’s customers, went undetected for months, and started a worrying trend: the supply chain attack. A supply chain attack is a method of hacking in which a bad actor injects malicious code into the victim’s software or hardware, which then spreads directly to the victim’s customers. In simple terms, the modern trend of supply chain attacks means that there is an added incentive for the victim to pay the ransom that bad actors eventually demand, because of the impact on customers.

Just this month, an enormous data breach became the largest known supply chain attack on the airline industry, as SITA, an international IT provider for 90% of the global airline industry, fell victim to the hack. The flurry of ransomware attacks and supply chain attacks together culminate in a very real danger for eCommerce businesses. In today’s Q&A session, we take a closer look at the current events around ransomware, what they mean for eCommerce, and how to prevent them in the first place.

Is it a reasonable option to pay the ransom?

It’s not recommended to pay a ransom, because there’s absolutely no guarantee that the attackers will hold up their end of the deal once the funds are paid. However, when business critical functions are affected, and you lack the appropriate backup for your data, it may leave few other options apart from paying the bad actors.

Unfortunately, paying ransoms is fueling the ransomware trend, and it drives bad actors to try innovative measures and demand larger ransom amounts. In response to the Colonial Pipeline attack, US Deputy National Security Advisor Anne Neuberger shared that “Individual companies feel under pressure - particularly if they haven’t done the cybersecurity work - to pay off the ransom and move on. But in the long-term, that’s what drives the ongoing ransom attacks. The more folks get paid the more it drives bigger and bigger ransoms and more and more potential disruption.”

In fact, another issue is that nowadays, some insurance companies provide coverage for ransom payments, and this not only makes it more likely that the victims will pay, but it also inspires more attacks, and bad actors may even seek out companies with appropriate insurance for ransomware attacks. The hackers might then adjust their ransom demands to meet the coverage offered by the insurance provider. If companies collectively did not give in to ransom demands, it would make the scheme much less attractive to online criminal groups.

The FBI recovered millions in cryptocurrency after Colonial Pipeline paid the ransom. Does this discourage bad actors from continuing this trend?

The issue with such attacks is that bad actors are often using custom malware that is available for purchase on the black market. A code of ethics does exist between some high level attackers, such as avoiding attacking critical systems that may cause harm to civilians (hospitals, nuclear plants, etc.), or attacking businesses in their home countries. However, with malware as a service, anyone can purchase it, and use it against any system. Often, the perps behind the attacks don’t realize their purchased malware has targeted a hospital or a military base until after the attack is complete. The malware spots a weakness, the bad actors attack, and then they deal with the aftereffects. These inexperienced hackers are called “script kiddies” - they are individuals who do not necessarily understand how the malware software works; they simply try to use it to achieve a successful exploitation for monetary gain. In this way, anyone can become a “successful hacker.”

Unfortunately, these attacks can have deadly consequences. A German hospital patient died while ransomware interrupted the emergency care unit; initially it was believed that the death was a result of the disruptions to the hospital’s systems. The latest report does confirm the patient’s poor health was to blame; however, attacks on hospitals are extremely dangerous, and it is entirely probable that a patient could die because of malware infiltrating critical tools or systems. In May 2021, a ransomware attack on Ireland’s health system crippled Irish health services for a week, with inaccessible health records and delays in both Covid-19 testing and patient appointments.

Following the FBI intervention in the Colonial Pipeline ransomware case, hackers may change their ransom mechanism, use another type of cryptocurrency that isn’t traceable, or utilize a different marketplace for their illegal software. They certainly will up their game now that their current methods were foiled by authorities.

How can I prevent ransomware attacks?

It’s essential to understand what you want to protect - understand your current security perimeters and your assets. Then establish HOW you want to protect those things. Once you establish the methods by which you will up your security game, you’ve already taken several steps ahead of the bad guys.

Fortify Your Passwords

The CEO of Colonial Pipeline, Joseph Blount, revealed that a single compromised password was used to log in to a legacy Virtual Private Network (VPN) system which did not have two factor authentication in place. This leads us to our second point: change your passwords every 3 months, use strong passwords, and use two factor or multi factor authentication. This is a relatively simple measure to undertake, and it can prevent a massive attack. We wrote on this topic extensively in blog posts about password hygiene and two factor authentication.

Arm Your Employees (with knowledge)

We recommend carrying out security awareness training for personnel routinely, as many attacks happen because of simple human errors. Criminals utilizing ransomware often put social engineering to use when trying to infiltrate a company, with the help of spam and spear phishing emails sent to employees. Train your employees to watch out for links and email attachments from unknown or suspicious sources, as they are common ways to infect a system with ransomware.

Institute a Strong Security Protocol

Go over your protocols. For example, the guest Wi-Fi does not need to be on the same network as the rest of your company.

Create Backups, Create Backups, and then, Create Backups

Generate backups of your store and your customer data by utilizing the 3-2-1 rule, which stipulates that you create three copies in two different formats with one copy being off-site. This article discusses the 3-2-1 rule, and how to optimize it for the modern company.
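The following is an added example, not code from the original post or from Lokte, showing the 3-2-1 rule end to end: three copies of a store directory, in two archive formats (tar.gz and zip), with one copy placed in a separate "off-site" location, plus the two checks that make a backup worth anything against ransomware: re-hashing every copy to detect tampering, and actually restoring the off-site copy and comparing its contents. The directory names, the `shop` label and the sample store files are constructed for the demo; in practice the off-site path would be a remote or immutable bucket the production host cannot overwrite.

```python
import hashlib
import json
import shutil
import tarfile
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup_set(source: Path, local_a: Path, local_b: Path, offsite: Path, label: str) -> dict:
    """3 copies, 2 formats, 1 off-site. Returns a manifest with a hash per copy."""
    for d in (local_a, local_b, offsite):
        d.mkdir(parents=True, exist_ok=True)
    tar_path = local_a / f"{label}.tar.gz"               # copy 1, format A
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(source, arcname=label)
    zip_path = local_b / f"{label}.zip"                  # copy 2, format B
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                zf.write(p, arcname=str(Path(label) / p.relative_to(source)))
    offsite_path = offsite / tar_path.name               # copy 3, off-site
    shutil.copy2(tar_path, offsite_path)
    manifest = {
        "label": label,
        "copies": [{"path": str(p), "sha256": sha256_of(p)} for p in (tar_path, zip_path, offsite_path)],
    }
    # The manifest lives with the off-site copy, not on the host that may get encrypted.
    (offsite / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup_set(manifest: dict) -> bool:
    """Re-hash every copy; a deleted or encrypted copy fails the check."""
    return all(
        Path(c["path"]).is_file() and sha256_of(Path(c["path"])) == c["sha256"]
        for c in manifest["copies"]
    )


def restore_check(manifest: dict, expected_files: dict) -> bool:
    """Restore the off-site tar copy into a scratch directory and compare contents."""
    offsite_tar = Path(manifest["copies"][2]["path"])
    if sha256_of(offsite_tar) != manifest["copies"][2]["sha256"]:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(offsite_tar) as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses path traversal (Python >= 3.12)
            except TypeError:
                tar.extractall(scratch)                  # older Python without the filter argument
        root = Path(scratch) / manifest["label"]
        return all((root / rel).is_file() and (root / rel).read_text() == text
                   for rel, text in expected_files.items())


def run_demo() -> dict:
    """Constructed store data; simulates ransomware overwriting one local copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "shop"
        (source / "db").mkdir(parents=True)
        files = {
            "db/orders.sql": "INSERT INTO orders VALUES (1, 'demo order');\n",
            "config.json": '{"store": "demo"}\n',
        }
        for rel, text in files.items():
            (source / rel).write_text(text)
        manifest = make_backup_set(source, tmp / "nas_a", tmp / "usb_b", tmp / "offsite", "shop")
        result = {"intact": verify_backup_set(manifest), "restored": restore_check(manifest, files)}
        # Simulated attack: the local tar copy is overwritten with garbage.
        Path(manifest["copies"][0]["path"]).write_bytes(b"\x00" * 64)
        result["tampered_detected"] = not verify_backup_set(manifest)
        result["offsite_still_good"] = restore_check(manifest, files)
        return result


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the hash check catching the overwritten local copy while the off-site copy still restores cleanly, which is the whole point of keeping one copy where the compromised host cannot reach it.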

Chuck Your Legacy Software

Legacy software is often outdated, with publicly available exploits. Be very vigilant about keeping it up to date if possible, and adding in additional layers of security. Make sure every employee has unique login credentials, and insist on multi factor authentication. Better yet, work on moving to a newer, safer solution.

Install a Firewall

A firewall is so simple, yet so effective. We like Cloudflare’s comprehensive solution that can encompass all of your systems.

Become Best Friends with Penetration Testing

Penetration tests are your best friend: they expose weak points in your systems and infrastructure where attackers can exploit your weaknesses and gain entry. Systems must be patched and updated regularly to address weaknesses that bad actors can use against you. After ransomware enters your system, it can be used for lateral movement across your network, which means a bad actor can use a single machine to enter and then move on to other systems and devices. Patching bugs is especially important for eCommerce businesses, considering that WannaCry, a notorious crypto ransomware, exploits vulnerabilities automatically. WannaCry was used in a global ransomware attack in May 2017 that targeted companies using Microsoft Windows.

Lokte’s Penetration Test is designed with eCommerce merchants in mind, to help you understand how your system would react to real-world attacks. Our Pen Test helps you understand where your weak points are located, and how to patch them before a bad actor swoops in. Lokte’s Penetration Test features a safe, simulated attack on your web application to analyze the security level of your infrastructure, and expose database weaknesses, a lack of tools and controls, missing patches, and more. Find out more about our Penetration Test here!

In Closing

Blue Oyster Cult advised us long ago not to Fear the Reaper, and similarly, we should not fear ransomware. Instead, eCommerce merchants should plan for it, and make it hard for bad actors to gain a foothold in their systems. If you preemptively take steps to fortify your systems and your employees, you should be better prepared than most of your fellow merchants. Keep in mind that the size of your business is not always relevant, as malware does not discriminate. Curtis Simpson, Chief Information Security Officer at Armis, was quoted as saying "Smaller organizations can be used as a conduit to target our downstream customers as part of a larger attack." While you review and bolster your security posture, don’t forget your annual Security Audit. Our specialists examine your infrastructure inside and out to determine the weak points, and make recommendations for safer fixes and methods. Still have questions? Don’t fear, get in touch with us today!