The headlines around cybercrime continue to highlight the biggest and worst attacks ever. We went into the 2020 holiday season learning that FireEye's Red Team tools had been stolen (see: https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html). During that investigation, FireEye determined that SolarWinds had been compromised in what became one of the most concerning supply chain attacks on record: a trojanized software update reached SolarWinds' clients, and from there the organizations that connected to and communicated with those clients. Next, we learned of an attack against Microsoft's own infrastructure (see: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack).
Late last week, we learned that Colonial Pipeline was hit with a ransomware attack.
Having helped Fortune 100 companies, private companies, and government organizations prepare for and respond to ransomware attacks, I want to pass along my perspective and expertise for the greater good.
In 2018 I named ransomware the carbon monoxide poisoning of our cyber resilience because it's stealthy, silent, and deadly to operations. Ransomware has been an international mess in the making for more than a decade, with cryptocurrency emboldening attackers who want their payments to be virtually untraceable. For a historical compilation of ransomware attacks over the years, dating back as far as 1989, go to: https://www.csoonline.com/article/3566886/a-history-of-ransomware-the-motives-and-methods-behind-these-evolving-attacks.html.
Additionally, while responding to incidents we have seen that victims frequently don't want to pay the ransom, yet their cyber liability insurance carriers may deem it cheaper to pay the extortionists than to fund a recovery effort. That's problematic. If someone has to pay, I don't judge or shame the victim organization, because that doesn't solve the issue. But before paying, victims should know that payment, which averaged $170,000 per Sophos research, does not assure full data recovery. Sophos also found that 29% of affected companies couldn't recover even half of their encrypted data, and only 8% achieved full data recovery (https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back/?sh=671006c8e0c7).
After the SolarWinds and Microsoft attacks, I rank this incident as one of the most concerning of the last 24 months for the United States. It is perhaps the most disruptive ransomware incident ever to hit a company in the United States' critical infrastructure.
What do we know about the Colonial Pipeline incident as of May 11, 2021?
Recommendations for Policy Makers and the White House:
The Fortalice Threat and Incident Response group has recently dealt with attacks attributed to the Ransomware-as-a-Service Darkside group. Here are some of our findings:
If you don't already have a threat hunt program in place within your organization, this is a good time to start. Review the published Indicators of Compromise (IoCs), such as the bulletins provided by FBI InfraGard, and conduct a threat hunt across your DNS, proxy, and endpoint telemetry immediately. If you are uncertain how to get started, we can assist.
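As an added illustration of what that first hunt looks like in practice (example code written for this page, not Fortalice's tooling and not anything from an FBI bulletin), the script below takes a bulletin-style indicator list, "refangs" the defanged values that bulletins typically use (hxxps://, example[.]invalid), and sweeps them across log lines. Every indicator, hostname, IP address and log line in it is constructed for the example; the hash is simply the SHA-256 of the string "hello". Note the two traps it handles: an IP indicator must not match a longer IP that merely starts with the same digits, and a domain indicator should also catch its subdomains.

```python
"""Minimal IoC threat hunt over log lines.

Added example for this page; not code from the original post or from
Fortalice. All indicators and log lines below are constructed and do not
describe any real threat actor.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed bulletin-style indicator list (type,value). Bulletins usually
# defang network indicators so they cannot be clicked by accident.
RAW_IOCS = """
# type,value
domain,evil-updates[.]example
ip,192.0.2[.]10
ip,not-an-ip
url,hxxps://evil-updates[.]example/agent.bin
sha256,2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"""

# Constructed DNS / proxy / EDR log lines. Line 4 is a deliberate near miss:
# 192.0.2.100 is not 192.0.2.10 and updates.example.com is not our domain.
LOG_LINES = [
    "2021-05-10T02:14:07Z dns client=10.1.4.22 query=evil-updates.example type=A",
    "2021-05-10T02:14:09Z proxy src=10.1.4.22 dst=192.0.2.10 url=https://evil-updates.example/agent.bin bytes=48213",
    "2021-05-10T02:14:11Z edr host=ws-0412 event=process_create sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 image=C:\\Users\\Public\\agent.bin",
    "2021-05-10T02:15:00Z proxy src=10.1.4.30 dst=192.0.2.100 url=https://updates.example.com/patch.msi bytes=11200",
    "2021-05-10T02:15:02Z dns client=10.1.4.30 query=cdn.evil-updates.example type=A",
]

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")
# Lookarounds stop 192.0.2.10 from matching inside 192.0.2.100.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Hostnames: dotted labels ending in an alphabetic TLD (so IPs are excluded).
HOST = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])")


def refang(value):
    """Undo the common defanging conventions used in threat bulletins."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def parse_iocs(text):
    """Parse 'type,value' lines into {type: set(normalised values)}."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (part.strip() for part in line.split(",", 1))
        value = refang(value.lower())
        if kind == "ip":
            try:
                ipaddress.ip_address(value)  # drop malformed bulletin entries
            except ValueError:
                continue
        iocs[kind].add(value)
    return iocs


def hunt(log_lines, iocs):
    """Return (line_number, ioc_type, matched_value) for every IoC hit."""
    hits = []
    for n, raw in enumerate(log_lines, 1):
        line = raw.lower()
        for h in HEX64.findall(line):
            if h in iocs["sha256"]:
                hits.append((n, "sha256", h))
        for ip in IPV4.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST.findall(line):
            # Exact match or any subdomain of a listed domain.
            if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
                hits.append((n, "domain", host))
        for u in iocs["url"]:
            if u in line:
                hits.append((n, "url", u))
    return hits


if __name__ == "__main__":
    for n, kind, value in hunt(LOG_LINES, parse_iocs(RAW_IOCS)):
        print(f"line {n}: {kind} hit on {value}")
```

Run against real telemetry, the same structure applies: feed it your DNS resolver logs, web proxy logs and EDR process-creation events, and treat any hit as the start of an investigation rather than proof of compromise on its own.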
What can you do now?
Here are the Top 4 Most Effective Steps From Our Client Work:
The Next 7 Most Effective Steps:
There are more steps you can take to prepare for, thwart, and respond to a ransomware attack. If you would like a more in-depth best practices conversation and you are a customer of Fortalice Solutions, call our offices to ask for a free 30-minute best practices consult at 877.487.8160. If you are not a customer, contact us at 877.487.8160 or email us at Watchmen@FortaliceSolutions.com and ask for an introduction call to discuss how we provide boutique security and intel solutions to the world’s best companies and organizations.
If you are a victim of a ransomware crime or believe you might be, please report it to your local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Unsure who your contact is? Fortalice can connect you, or go to www.fbi.gov/contact-us/field-offices. Want to chat with someone at FBI CyWatch? Call them at (855) 292-3937. You can also email them at CyWatch@fbi.gov.
With the holiday season upon us and Black Friday right around the corner, retailers are trying to understand why some customers abandon their online shopping carts before pressing "proceed to checkout" or "place your order." The marketing teams at these online retailers are furiously trying to figure out why some sales webpages are more effective than others. To solve these riddles, retailers are increasingly turning to web tracking services and fine-tuning their targeting efforts. But it is not just the retailers: nearly every industry and most companies with an online presence will increase their web and mobile app customer tracking during this busy holiday season. Corporations and organizations need to be aware of the ramifications of how they are using internet trackers.