People are starting to really talk a lot about it, especially in the news media. If you read the headlines it may feel like the problem is out of control. But is it? And, what can you do about it?
Today we'll show you six examples of major ransomware hacks, talk about the global state of ransomware, and offer tips on how to talk to your C-Suite to secure the necessary budget to shore up your defences against such an attack.
Want to learn more broadly about cyber attack vectors? Read about some of the most common here.
Who was it? Colonial Pipeline is a major US organization that operates one of the country's largest refined product pipelines. This network is responsible for moving millions of barrels per day worth of petrol, diesel and jet fuel from the Gulf Coast to the East Coast.
Who was behind the attack? The attack has been linked to DarkSide Group, a Russia-linked cybercrime organization known for ransomware and extortion techniques, as well as its highly professionalised service (it sells software, operates with a code of conduct, and even offers a victim hotline). The actual hackers, though, may have only been affiliates (given anyone can get access to DarkSide software).
What happened during the attack? A password to Colonial's VPN was thought to have been picked up in a separate cyber breach - possibly it was the password of a different service that was the same as this user's Colonial account. While the account wasn't active at the time, this password could still grant access to Colonial's IT network. Not long after, a ransom note was discovered on one of the company's computers and, within an hour, the operations team had shut down the pipeline.
How much was the ransom demand? Colonial paid out a ransom of US$4.4 million. Additionally, hackers also stole nearly 100GB of data.
What was the outcome? This case is still ongoing at time of writing. The shutdown of the pipeline caused chaos and panic buying in the US, and significant reputational harm for Colonial. The US government had, as of June 2021, recovered a "majority" of the ransom payment.
Download now to learn more: "Implementing measures to counter cyber terrorism in business"
Who was it? KIA Motors America (KMA) was the victim here, headquartered in California. It operates nearly 800 dealers across the US, manufacturing cars in the state of Georgia.
Who was behind the attack? This is an interesting case study because KMA denies that it was struck by a ransom demand, which supposedly caused major system outages. That said, BleepingComputer obtained a copy of the alleged ransom note that claims the group DoppelPaymer attacked Hyundai Motors America (which owns KMA), and that it had stolen a considerable amount of data from KMA.
What happened during the attack? Details of the attack are unknown, given KMA denies the event took place. But, it did report an "extended systems outage" to its Kia Owners Portal, UVO Mobile Apps and Consumer Affairs Web portal. Some Hyundai systems were also down.
DoppelPaymer operators are typically known to use Emotet malware, a particularly harmful (and difficult to stop) trojan virus which was probably downloaded via a phishing attack. Again, this is not confirmed, just suspected.
How much was the ransom demand? DoppelPaymer demanded 404 bitcoins, worth about US$20 million. Any delay in payment past their deadline would increase the cost to 600 bitcoins ($30 million).
What was the outcome? Some Hyundai logistics data was leaked on the web by the DoppelPaymer gang. Other details are not known at time of writing.
Who was it? Brazilian company JBS Foods is one of the biggest meat producers in the world: number one in poultry, two in pork, and leading in beef and lamb as well. It has a wide variety of subsidiary brands, operating out of North America, Mexico, Europe, the UK and Australia/New Zealand.
Who was behind the attack? The FBI stated that it believed REvil, a prolific Russian-linked ransomware group, was behind this attack. The group is also known as Sodinokibi, and its software has been involved in a number of very high-profile attacks including on Kaseya and previous US president Donald Trump.
What happened during the attack? The intrusion vector is not currently known, although there are theories REvil may have gained access to JBS Australia through stolen credentials (which were discovered leaked on the dark web). SecurityScorecard also observedthe use of TeamViewer remote desktop protocols in JBS systems as well as data exfiltration operations - in the realm of over 5TB of data. The attack shut down some operations in JBS US, Canada and Australia. Although underground chatter indicates JBS Brazil was the prime target.
How much was the ransom demand? Initially the group demanded a payment of US$22.5 million, but negotiations between JBS and REvil seemed to bring that price down to $11 million, which was paid.
What was the outcome? JBS resumed full operations within a few days of the attack taking place, after paying the ransom. While many companies do not ever get their data back after paying up, it appears REvil did send JBS a decoder to retrieve the encrypted files.
Who was it? Brenntag is a global leader in chemicals and ingredient distribution, with more than 670 sites in 77 countries.
Who was behind the attack? This was another DarkSide-affiliated attack, and even occurred at a similar time of the year to Colonial Pipeline.
What happened during the attack? In May 2021 Brenntag's North American division announced that it had suffered a "limited information security incident" but stopped short of calling it a ransomware attack. Operators disconnected affected systems from their network and hired forensics specialists to help clean out the malware. The affiliate using DarkSide ransomware claimed to have gotten access to the company's system through purchased credentials, which were leaked from an unknown source online.
How much was the ransom demand? DarkSide's initial ransom demand was about US$7.5 million, to be paid in bitcoin. However, negotiations led to a decrease in the ransom to $4.4 million - which was paid.
What was the outcome? A significant amount of Brenntag data was stolen during the attack, to the tune of over 150GB. This included medical records, driver's licence numbers, social security numbers and dates of birth of its customers.
Who was it? The Waikato District Health Board (DHB) is one of 20 DHBs in New Zealand, covering 21,000 square-kilometres of the country's North Island and providing public health care for over 425,000 people.
Who was behind the attack? The group behind this attack - known as the largest cyber attack in the country's history - is still unknown. While the attackers did reach out to various media outlets to claim responsibility, their efforts have not been linked to any known group nor have they named themselves.
What happened during the attack? The current theory is that the attackers in this case gained access to the DHB's system after someone opened an attachment in a phishing email. Once inside, they were able to steal personal information on staff and patients from a number of hospitals, and they also claimed to have deleted some of the DHB's backups.
Most damagingly, hundreds of servers were shut down - effectively forcing the affected hospitals to revert to an entirely paper-based system for medical treatment and record keeping.
How much was the ransom demand? It is not known how significant the ransomware demand was. The New Zealand government, in conjunction with the Waikato DHB, refused to pay. DHB chief executive Kevin Snee claimed at the time that they didn't want to feed the extortion business model of the hackers, and that they would have to restore from backups anyway so the encryption key would not have quickened the restoration process.
What was the outcome? Hospitals around the Waikato suffered a severe disruption to their ability to treat patients, leading to seriously ill patients being moved to other regions and many more simply turned away. In addition, personally identifying and sensitive data was leaked online by the hackers.
Who was it? ACER is a well-known electronics company famous for its computers and related peripherals. The company is global, although originally based out of Taiwan.
Who was behind the attack? This was another REvil attack.
What happened during the attack? Advanced Intel's Andariel platform detected a Microsoft Exchange server attack on ACER's domain. This infamous vulnerability is notable for allowing remote code execution for attackers, letting them take over a device. BleepingComputer noted that, if this exploit was indeed utilized here, it would be the biggest attack ever to use this method.
How much was the ransom demand? This was the largest ransom demand ever declared - US$50 million. However, that $50 million was a discount price. REvil warned ACER that if it did not pay by the deadline, that price would increase to about $100 million.
What was the outcome? It is not confirmed if ACER paid its ransom, as the company - like others on this list - did not admit that it had even come under a ransomware attack. REvil claimed on its data leak site that it had stolen a number of data files, including financial spreadsheets, bank balances and bank communications.
So those are some big news stories. But on a global scale, what's happening with ransomware?
If you look at the data, some of which we've collected below, you'll see clearly that ransomware is not a problem isolated to these big case study organizations. Governments and private companies alike are waging a major cyber security war right now and the vast majority of people simply have no idea.
According to the European Union Agency for Cybersecurity (ENISA)'s Ransomware ETL2020 report:
Interestingly, there were actually fewer ransomware attacks in the first quarters of 2019 than the previous three years. This would suggest to some that the problem is being dealt with, but unfortunately that's not the reality.
This is because ransomware attacks on EU businesses dropped in frequency as they became more targeted - aiming for higher-value victims. ENISA's writers noted that, “The sophistication of threat capabilities increased in 2019, with many adversaries using exploits, credential stealing and multistage attacks.”
These statistics are from Sophos, and reflect the state of the issue across the world.
Sophos also spotted a drop in the total number of ransomware attacks during 2020. Again, the writers suggested this is likely due to attacks becoming more targeted instead of more widespread.
When it comes to pitching cybersecurity measures to directors and executives in your company, we hope that the statistics above help. Acquiring the necessary budget and people-power to audit, patch and monitor your cyber defences will be critical to your company's ongoing ability to mitigate the risk that it too will become a victim to ransomware.
However, we won't leave you with just some numbers. Below, we've tried to explain the business case for patching against ransomware and offered tips on how you could discuss these issues with your C-Suite.
Given that ransomware is a worsening problem, the probability of a company being hacked - especially large organisations in the 1,000+ staff bracket (which Sophos found to be particularly at risk) - is now incredibly high. This is even more true for healthcare organizations.
One of the major issues with ransomware is it's quite easy for criminals to implement
You've heard of Software as a Service (SaaS), but have you heard of Ransomware as a Service?
It's essentially the same thing, where ransomware developers essentially sell their software on the dark web as a product, and offer instructions on how to utilize it. Many of these groups even deliver customer service, to both users and victims! DarkSide is a good example.
Learn more: "Ransomware Has Gone Corporate—and Gotten More Cruel" (Wired)
This means just about anybody can pick up ransomware and throw it against a company they don't like, or which they think is vulnerable.
And, most companies are vulnerable. So many IT systems around the world are sufficiently outdated that all it takes is a simple phishing attack to get access to the entire system.
Colonial Pipeline is a great example of this. Hackers just needed one password to access everything, because there was no multi-factor authentication in place - and as mentioned, it is believed the user's password was the same across multiple services, not just Colonial's VPN (read more on Bloomberg).
Why are businesses so vulnerable?
The reality is that cyber awareness as an issue is extremely low outside of IT teams, and often even within.
Stolen credentials and basic phishing attacks make it easy to access company systems because staff can be manipulated and socially engineered if they haven't received the correct training. Indeed, phishing is the most common cyber attack method in the US, and has only gotten worse (FBI).
Download now to learn more: "Identity and access management: A guide to best practices"
We know it isn't always easy turning IT jargon and cyber statistics into a business case that will secure the budget you need - especially if cyber security is going to cost a lot of money (i.e. if your company has a lot of work to do).
To make your case, you must be able to communicate clearly to your company's budget owners to help them understand why the money is needed. Here are some tips:
If at any point you're not sure, don't go it alone.
At dig8ital, we're experts in the modern cybersecurity and digital transformation landscapes. We've worked with some of Europe's largest companies, and know what it takes to deliver a high-quality, tailored service.
To talk to us about your unique needs, contact us for a free maturity consultation today.