That’s how much ransom Colonial Pipeline paid recently after a ransomware attack crippled the company’s computers, forcing it to shut down 5,500 miles of its gas pipeline, sending the Southeast into an almost overnight gas shortage.
Joseph Blount, Colonial CEO, told The Wall Street Journal the company decided to pay the ransom because it needed to restore services as quickly as possible.
The company first learned of the attack, later attributed to the hacker group DarkSide, on May 7, when it spotted a ransom note on a computer in its control room. Less than a day later, according to the WSJ report, Blount had resigned himself to paying.
That was because, Blount said, the company didn't know at the time just how bad the breach was or how long the pipeline, a single source that carried about 45% of the East Coast's fuel supply, would be forced out of service.
While Colonial’s ransomware attack is one of the most notable in recent weeks, it’s not an anomaly. In fact, we’re seeing increases in phishing schemes and ransomware attacks globally, across all industries.
What is Ransomware?
Ransomware is a type of malware that affects computers and other devices.
When an attacker successfully breaches a system, for example by stealing credentials through a phishing scheme, the attacker can install ransomware on the affected computer and often spread it to other devices connected through your network.
Ransomware gives attackers the ability to shut down your access to these devices, databases and other data streams.
To get access back or to get your data returned to you, you often need a decryption key, which most attackers agree to provide if the targeted organization pays a ransom. Or your organization may decide to not pay the ransom and instead restore your systems from your most recent back-ups or by starting all over with new systems and manual data input and restoration.
Generally, ransoms are paid in digital currency such as Bitcoin. Organizations that choose not to pay can anticipate thousands of dollars (or more) in response, investigation, and recovery costs. On top of that, depending on the nature of the breach, the organization can also be subject to a range of legal, regulatory, or compliance penalties and sometimes civil litigation with hefty penalties.
The Rise of Ransomware
Just a few months ago, a report in Forbes noted 2020 as a record-breaking year for the volume of lost data caused by breaches, as well as the total number of cybersecurity attacks, not just against organizations, but individuals and governments (local, state and federal) as well.
According to a report from Statista, there were 304 million ransomware attacks worldwide in 2020, up from almost 188 million in 2019. Attacks have increased every year since 2017. Interestingly, however, the year with the most ransomware attacks was 2016, when the count reached a staggering 638 million.
That same report shows that the most common attack vector for ransomware continues to be spam/phishing attempts, accounting for more than half of ransomware delivery methods at 54%, followed by bad user practices at 27% and a lack of cybersecurity training rounding out the top three at 26%.
It’s Not If, But When
The reality for most organizations is no longer about if you might experience a ransomware attack, but when.
In Mimecast’s The State of Email Security Report, six out of 10 organizations surveyed indicated they had become a victim of a ransomware attack in the past year, resulting in an average of six days of downtime, double the length of ransomware-related downtime in 2019. For about 37%, that downtime lasted a week or longer.
Consistent with the increase in phishing attempts mentioned earlier, the report also shows a 64% increase in email threats during 2020. There doesn't appear to be much relief in sight, with as many as 70% of respondents indicating they may be affected by email attacks in the next year.
While no industry is immune from potential ransomware attacks, CISO Magazine recently delved into last year's attacks and found these industries among the top targets: education, information technology, healthcare, and retail.
U.S. Government Takes Heed
In late 2020, the U.S. government announced the SolarWinds breach had affected several federal agencies, including the Department of Energy, Department of Homeland Security, State Department, the Treasury, and the National Nuclear Security Administration. The breach was attributed to hackers working on behalf of a foreign government believed to be a Russian intelligence agency.
The attack was first noted in December 2020 when FireEye, investigating a nation-state attack, found that attackers had successfully launched a supply chain attack against software from SolarWinds, which is used by a variety of organizations and agencies to manage information technology, networks, and other systems.
By gaining access to SolarWinds' Orion system, hackers had access to customer data, including that of the aforementioned federal agencies as well as large companies such as Intel and Microsoft. While the attack became public at the end of 2020, some reports indicate that, because of the breach, SolarWinds could have sent out software updates containing malicious code as early as March 2020.
Once in the customer systems, attackers installed malware that facilitated movement and access. As many as 18,000 customers could have been exposed.
The U.S. government indicated email accounts, for example within the Treasury Department, were compromised but said the access should have been limited to unclassified information.
But the real problem is the uncertainty that lingers today about whether or not affected government systems are secure, something that could take years to truly understand.
While SolarWinds has gotten a lot of coverage, it’s certainly not the first, and unlikely the last, such type of attack on federal agencies.
Earlier this year, President Biden issued an executive order in an effort to shore up cybersecurity practices for providers that work directly with federal agencies, including new language for government contract approvals that would require partner organizations to share breach data with federal agencies and follow new and streamlined federal guidelines to secure government data.
Ransomware Attack Examples
During a review of the SolarWinds attack, Microsoft determined attackers used not only the Sunburst backdoor and Teardrop malware, but also three new malware strains: Sibot, GoldMax, and GoldFinder.
These malware types enabled hackers to get backdoor access, make lateral movements, hide malicious activities, and avoid detection.
While researchers are continuously seeking out new malware types, they’re also busy learning from previous malware infections, issuing alerts, and offering best practice advice for defense. Some of the more notable malware used during other attacks last year include Ryuk, Tycoon, NetWalker, REvil, WannaCry, and Maze, also known as ChaCha.
While Colonial Pipeline’s ransom payment was significant, it’s not unique.
According to Palo Alto Networks’ Ransomware Threat Report 2021, in 2020, organizations in the U.S., Canada, and Europe paid more than $312,000 on average in ransom, which was nearly triple the payments of $115,000 from 2019.
The highest value ransom paid in 2020 was about $10 million, up from half that at $5 million the previous year, with extortion demands also increasing from $15 million to $30 million.
As staggering as these numbers are, they pale in comparison to the recent report that a large U.S. insurance company, CNA Financial, paid $40 million following a ransomware attack earlier this year.
According to a report in Bloomberg, CNA paid the ransom in March two weeks after hackers stole company data and locked them out of their network.
That same report points out that it’s actually difficult to ascertain exactly how much organizations have paid in ransomware because most payments go unreported, but estimates indicate ransomware victims paid attackers about $350 million in ransom in 2020, more than a 300% increase from 2019.
Last year was particularly brutal for ransomware attacks, likely fueled by how the pandemic altered the way many organizations do business, including a sudden and rapid adoption of work-from-home opportunities, often for employees who had little or no advanced training on cybersecurity protocols, and in many cases were allowed to use their own devices to access sensitive data.
Attackers took full advantage, not only in successfully deploying malware but by also doubling down on extortion tactics, for example, threatening to expose compromised data to the internet or Dark Web.
Attackers are also getting better at targeting networks with shared data or multiple clients, for example, cloud services providers, hoping a single breach will facilitate lateral, undetected movement so they can encrypt and exfiltrate as much data as possible with the least amount of effort.
While large corporations and government agencies are in attackers’ crosshairs because they have the potential to yield big payouts, small and mid-sized businesses (SMBs) are not immune to ransomware risks.
A survey commissioned by the National Cybersecurity Alliance reveals that almost 90% of decision-makers within small businesses believe they’re targets for cybercriminals, and about 25% of respondents indicated that they’ve had a data breach in the past 12 months, with about 33% saying those breaches resulted in financial losses. About 10% of those affected went out of business and about 25% filed bankruptcy.
Reduce Risk with NIST CSF
While all organizations may be susceptible to ransomware risks, not every organization, especially among SMBs, believes it has the skills, tools, resources, or financial support to build strong ransomware protections into its security program.
But there are solutions you can implement right away without over-extending your existing resources or investing in new ones.
Consider employing a cybersecurity framework that includes email and related risks as part of your program. The NIST Cybersecurity Framework, for example, is a free, voluntary framework you can use to help you better understand, manage, and reduce your cybersecurity risks like phishing and ransomware attacks.
There are 23 control areas within the framework designed to help your organization identify, protect against, detect, respond to, and recover from related risks. The framework also defines four implementation tiers you can choose from to adopt the standards and improve your security posture over time:
- Tier 1: Partial
- Tier 2: Risk-informed
- Tier 3: Repeatable
- Tier 4: Adaptive
To learn more about the NIST CSF, download Apptega’s Compliance Guide, which dives into the core security functions and other details at: https://www.apptega.com/compliance-guides/nist-csf-compliance-guide
New Ransomware Framework Actions
In addition to the CSF, a new task force consisting of 60 industry experts, government representatives, law enforcement officials, and other organizations has recently developed a Comprehensive Framework for Action that can disrupt the ransomware market.
The full report outlines 48 recommendations to address ransomware centered around four goals:
- Deter attacks through a nationally and internationally coordinated strategy
- Disrupt the ransomware business model and reduce criminal profits
- Help organizations prepare for attacks
- Respond to attacks more effectively
You can read more about the framework, including all 48 recommendations here: https://securityandtechnology.org/ransomwaretaskforce/report.
Do you need help strengthening your ransomware defenses? Check out our newest webinar, Addressing Vulnerabilities Used in Ransomware Attacks, to learn more about the top vulnerabilities used in most successful ransomware attacks, including those within Microsoft’s Remote Desktop Protocol (RDP), and explore steps your organization can take to minimize risks and eliminate vulnerabilities, including overcoming common mistakes that may leave you vulnerable to an attack.