Are you on top of your digital risks?
On May 10, the business week kicked off by assessing the impact – and threat horizon – of a cyberattack on a major fuel pipeline operator, Colonial Pipeline, which had to shut down operations on Friday as a precaution following a ransomware attack. The energy system infrastructure attack is being called one of the most disruptive digital ransom operations, and the U.S. government, FBI and private cybersecurity companies teamed up to actively disrupt the cyberattack, recover some stolen data and coordinate their response.
On May 6, hackers stole nearly 100 gigabytes of data from Colonial Pipeline’s cloud computing systems, then locked up its IT systems and demanded payment. Colonial shut down the pipeline Friday as a precaution. The “double-extortion” scheme, in which data is exfiltrated before it is encrypted so the victim can be pressured both to regain access and to keep the data private, is a hallmark of the criminal group DarkSide, which experts consider the prime suspect in this hack. DarkSide is one of many threat actors that gain access to private networks, encrypt files, steal data, and demand a ransom to restore operations and to refrain from publishing the stolen content.
Bloomberg News reported that the May 6 DarkSide ransomware hack also targeted more than two dozen unidentified organizations across a range of industries.
According to the KrebsOnSecurity blog, DarkSide targets organizations with the financial means to pay for ransomware decryption tools, and it also offers its capabilities to affiliates as “ransomware-as-a-service”, in which affiliates carry out the intrusions using DarkSide’s malware and infrastructure in exchange for a share of the ransom.
Whether or not DarkSide's intent in targeting Colonial Pipeline was solely financial, the attack has led to panic buying of gasoline in the southeastern U.S., which Colonial Pipeline serves. Several states have declared states of emergency to manage shortages, and the U.S. government has issued a separate emergency order to keep fuel being transported and distributed.
As cyberattacks increase, a coalition of leading companies and countries is taking notice
In recent weeks, cybercriminals have launched ransomware attacks on everything from Washington, D.C.’s city police department – one of up to a dozen law enforcement agencies affected by ransomware since the beginning of 2020 – to a May 1 cyberattack on Scripps Health in San Diego that disrupted email services at the health care system and forced medical staff to fall back to paper records.
Last week, Department of Homeland Security Secretary Alejandro Mayorkas called ransomware one of his “most significant priorities right now,” and the administration has launched an initiative to help critical infrastructure like electric utilities and water districts protect against attacks. The Biden Administration is expected to issue a broad-ranging executive order that would bolster the security of federal and private systems on the heels of major cyberattacks.
A global coalition of technology companies and law enforcement bodies is calling for “aggressive and urgent” action against ransomware. Microsoft, Amazon, the FBI and the UK's National Crime Agency have joined the Ransomware Task Force (RTF) in presenting governments with nearly 50 recommendations, arguing that the cost of ransomware goes well beyond the ransom itself: these attacks have become national security threats and public health and safety concerns.
Colonial Pipeline is the fifth major metro Atlanta-based company known to be hit by ransomware attacks in the past year. Carrollton, Georgia-based cable manufacturing giant Southwire Co. was attacked in December 2019. SiteOne Landscape Supply was hit last July. Then in November 2020, cold-storage giant Americold Realty Trust reported it was hit with a cybersecurity incident without specifying it was ransomware. Container giant WestRock Co. was hit in January.
Attacks on critical infrastructure have long been a concern, and that concern has intensified in recent months after two significant breaches – the SolarWinds supply-chain compromise by Russia’s main intelligence service, and the exploitation of Microsoft Exchange email servers that has been attributed to Chinese hackers – underscored the vulnerability of the networks on which the government and corporations rely.
What’s the cost to companies under digital attack?
On May 13, reports came out that Colonial Pipeline paid $5 million in cryptocurrency soon after the attack and that the hackers provided a decryption tool to restore its network. Bloomberg noted that the FBI discourages organizations from paying ransoms, since there is no guarantee that the attackers will follow through on their promise to unlock files.
Last year, the average ransom paid by U.S. victims more than tripled. In its most recent quarterly ransomware report, Coveware, an aggregator of global ransomware and cyber extortion data, put the average ransom payment at over $220,000, up 43% from the previous quarter. Beyond the payment itself, Coveware puts the average business downtime caused by a ransomware attack at 23 days. The total impact varies from incident to incident, and most major companies carry insurance to help cover the cost of an attack.
The BBC retold the eye-opening details of cyberattacks on the London Borough of Hackney and on the Offix Group in Switzerland, which faced a ransom demand of 45 bitcoin, about half a million dollars at the time of its 2019 attack, and chose instead to rebuild its IT systems from scratch for roughly the same cost.
According to the Official Cybercrime Report published by Cybersecurity Ventures, cybercrime will cost the world US$6 trillion annually by 2021, up from US$3 trillion in 2015. The FBI says that nearly 2,400 US companies, local governments, healthcare facilities and schools were victims of ransomware in the last year.
Whether to pay a ransom is up to private companies, Deputy National Security Advisor Anne Neuberger said in a White House briefing about Colonial Pipeline on May 10. “Companies are often in a difficult position if their data is encrypted, and they do not have backups and cannot recover the data. They just have to balance, often, the cost-benefit.”
“Ransomware attacks still disproportionately affect small businesses. These small companies rarely end up in the headlines and often don’t have the financial or technical expertise to properly handle the incident or perform the proper remediation required to prevent a repeat attack,” Coveware stated.
A risk-based approach to cybersecurity is key to resilience
Following workplace closures in 2020 at the onset of the pandemic, business continuity planning came under the spotlight as a gauge of organizational resilience. Many companies, including financial institutions large and small, are required to maintain a business continuity management (BCM) program that is reviewed as part of an audit. In fact, the recent UK requirement for greater operational resilience has global implications for all of financial services, whether a disruption stems from a pandemic-driven shutdown or a cyberattack.
What many organizations quickly realized as they moved to remote working was the compounding effect of the pandemic’s business continuity challenges and cybersecurity threats. What BCM and IT leaders don’t know is just as important as what they do know when working to ensure continuous operations. Management may understand the risks in audited areas of the business, but operational areas where standard controls are not audited can still expose the organization, because ransomware can enter through many paths: internet-exposed Remote Desktop Protocol (RDP) connections, unpatched software vulnerabilities, direct attacks on cloud systems, or a phishing attempt against a single employee.
Skilled and determined hackers may in time be able to penetrate any system, but the reality is that many companies unintentionally make it easy for them.
In this light, compliance with and regular testing of IT security controls and frameworks, as part of a digital risk management program, are now a business imperative for managing the vulnerabilities, threats and incidents that can disrupt business operations. So, too, is reinforcing cybersecurity awareness among employees, whether they are back in the office or working remotely.
- Learn the best practices in keeping employees informed and compliant with data privacy and protection in our recent webinar.
- More info: Information security compliance training
- Risk management software for managing IT risk and cybersecurity
- Blog: Putting the Cyber in Operational Resilience
- Blog: The importance of integrating cybersecurity, business continuity and vendor risk
Learn more about our integrated risk management solutions, which can provide a holistic view of IT risk and cybersecurity, business continuity, and operational and enterprise risks.
Or, contact us to see how SAI Global has helped organizations like yours.