The US’ largest fuel pipeline paid $4.4 million to a gang of ransomware operators who breached into its computer systems recently. After the 7 May ransomware attack, the company took its pipeline system offline and supplies tightened across the US. Prices started rising and a number of US states declared an emergency.
In March 2021, the London-based Harris Federation suffered a ransomware attack and was forced to “temporarily” disable the devices and email systems of all the 50 secondary and primary academies it manages, resulting in over 37,000 students being unable to access their coursework and correspondence.
Bombardier, the Canadian plane manufacturer, suffered a data breach in February 2021. The stolen data of suppliers, customers and around 130 employees located in Costa Rica was leaked on the site operated by the Clop ransomware gang.
The globally renowned computer giant Acer suffered a ransomware attack and was asked to pay a record ransom of $50 million, by a cyber criminal group called REvil.
On 20 March 2021, the multinational IoT device manufacturer Sierra Wireless was hit by a ransomware attack against its internal IT systems and had to halt production at its manufacturing sites and the company was able to resume production after a week.
THE STAGES OF RANSOMWARE
1. Infection: The victim’s machine is infected when/after a compromised website is accessed or when attachment is opened from a spam message.
2. Data encryption: The victim’s files or devices are locked down via cryptographic keys that utilise the Public Key Infrastructure on either the infected machine or Command and Control server.
3. Demand: A message demanding payment of a ransom for releasing the locked data or files is displayed by the ransomware software.
4. Outcome: Which is based on the actions taken by the victim. Such as: In event the victim does not pay the ransom but is able to eliminate the ransomware and recover the locked data or files; another event when the victim pays the ransom through anonymous channels such as Bitcoin and, hopefully, receives the key to unlock the data or devices (not recommended though). If not the above two, then the event of non-payment of the ransom and subsequent destruction of the data or files; without a backup, the victim will suffer permanent loss.
IMPACT ON BUSINESSES
The impact of ransomware to an organisation is many-fold: Reputational damage, theft, financial losses, fines, and below the surface costs.
1. Reputational damage: Taking a reputational hit may also affect the ability to attract the best talent, suppliers and investors. Losing trust of customers and stakeholders is one of the harmful impacts of the ransomware event as the overwhelming majority of people would not do business with a company that had been breached, especially in the event of failing to protect its customers’ data. This intangible loss will easily translate directly into a loss of business, as well as devaluation of the brand.
2. Theft: Apart from monetary losses, stolen data can be worth far more to hackers, especially when sold on the Dark Web. For example, the 2015 ‘Hidden Data Economy’ report by Kaspersky Labs puts the value of login credentials to hotel loyalty programmes or online auction accounts at up to $1,400. Not to forget the intellectual property theft which may be equally or more damaging, with companies losing years of effort and R&D investment in trade secrets or copyrighted material also their competitive advantage.
3. Financial losses: Ransomware costs businesses disproportionately when adjusted for organisational size. A casual stance on security could quite easily put you out of business.
4. Fines: As if direct financial losses weren’t punishment enough, there is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. The example of GDPR which in case of privacy breach attracts a fine of 2% to 4% of global turnover. And such regulation is forming shape globally which would threaten many growing businesses with insolvency.
SOME FAMOUS CASES OF RANSOMWARE ATTACKS
1. Ryuk, 2019 and 2020
2. SamSam, 2018
3. WannaCry, 2017
4. Petya, 2016
5. TeslaCrypt, 2015
6. CryptoLocker, 2013
7. AIDS Trojan or PC Cyborg, 1989
WHAT TO DO WHEN IT HAPPENS
In the event of ransomware attack, the victim must immediately engage incident response teams to limit the damage. A passive approach to ransomware poses a huge risk given the potential losses that may be incurred with a ransomware attack; both organisations and users must proactively plan to prevent and respond to ransomware attacks. The teams should immediately notify users and turn off infected devices. Additionally, a backup device should be deployed to run the network; train users on how to respond to a ransomware attack; continuously backup IoT data to back-end servers; prepare a backup of application and device configuration files.
SHOULD WE PAY?
There cannot be a straight answer to whether to pay threat actors. It is pertinent that companies balance the potential near-term benefit of decrypting data, which is not always guaranteed, against the risk of legal and reputational exposure for making a payment to a prohibited person or entity, not to mention the risk of increased targeting by threat actors once a payment has been made. Waiting will only complicate the situation. Thus, the only simple answer to the question is that companies should have a plan in place before an attack ever occurs.
LESSONS LEARNT & WAY AHEAD
Data stolen and leaked on publicly available websites could provide targeting attackers with victim data that could inform or guide future disruptive attacks. Cyber security awareness plays an important role in preventing cyber-attacks. A tailored (ransomware threats) educational framework as well as a tool which mimicked ransomware attacks proved to be playing a pivotal role in reducing ransomware infections. Moreover, technical countermeasures of verifying applications’ trustworthiness when calling a crypto library or minimising attack surface by limiting end-users privilege has proved effective in preventing ransomware attacks.
CONCLUSIONS
Alarmed by the impunity with which ransomware operators are disrupting critical infrastructure world over, the US government has formed a Ransomware Task Force (RTF). It convened in early 2021 with participants from governments, software firms, cyber security vendors, non-profit and academic institutions from across the world.
The task force is synthesising best practices across sectors, identifying solutions in all steps of the ransomware kill chain, targeting gaps in solution applications, and engaging with stakeholders across industries to coalesce around a diverse set of ideas and solutions.
India too needs to develop a comprehensive anti-ransomware strategy post haste, otherwise coming days would see large-scale disruptions in various critical sectors ranging from manufacturing, public transport, power grids to healthcare and education. Many would pay exorbitant sums in ransom as the gangs have evolved their tactics to double and triple extortion by leveraging the data stolen in such attacks.
Brijesh Singh, IPS, is an author and IG Maharashtra. Khushbu Jain is an advocate practising before the Supreme Court and a founding partner of law firm Ark Legal. They can be contacted Twitter: @brijeshbsingh and @advocatekhushbu. The views expressed are personal.
Alarmed by the impunity with which ransomware operators are disrupting critical infrastructure world over, the US government has formed a Ransomware Task Force. It convened in early 2021 with participants from governments, software firms, cyber security vendors, non-profit and academic institutions from across the world. The task force is synthesising best practices across sectors, identifying solutions in all steps of the ransomware kill chain, targeting gaps in solution applications, and engaging with stakeholders across industries to coalesce around a diverse set of ideas and solutions.