The headlines around cybercrime continue to highlight the biggest and worst attacks ever. We went into the holiday season of 2020, learning that FireEye had their Red Team tools stolen (see: https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html). During their investigation, they determined that SolarWinds had been a victim of an attack that became one of the most concerning supply chain attacks, impacting clients of SolarWinds and organizations that connected to and communicated with clients of SolarWinds. Next, we learned that Microsoft had an attack against their infrastructure (see: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack).
Late last week, we learned that Colonial Pipeline was hit with a ransomware attack.
Drawing on my experience helping Fortune 100 companies, private companies, and government organizations prepare for and respond to ransomware attacks, I want to pass along my perspective and expertise for the greater good.
In 2018 I called ransomware the carbon monoxide poisoning of our cyber resilience because it's stealthy, silent, and deadly to operations. Ransomware has been an international mess in the making for more than a decade, with cryptocurrency emboldening attackers because it lets them remain virtually untraceable. For a historical compilation of ransomware attacks over the years, dating back as far as 1989, go to: https://www.csoonline.com/article/3566886/a-history-of-ransomware-the-motives-and-methods-behind-these-evolving-attacks.html.
Additionally, while responding to incidents we have seen that victims frequently don't want to pay the ransom. Still, their cyber liability insurance companies may deem it cheaper to pay the extortionists than to pay for a recovery effort - that's problematic. If someone has to pay, I don't judge or shame the victim organization, because that doesn't solve the issue. But when considering payment, victims should know that payments, which averaged $170,000 per Sophos research, do not assure full data recovery. Sophos also found that 29% of affected companies couldn't recover even half of their encrypted data, with only 8% achieving full data recovery (https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back/?sh=671006c8e0c7).
After the SolarWinds and Microsoft attacks, I rank this incident as one of the most concerning for the United States in the last 24 months. It is perhaps one of the most disruptive ransomware incidents ever to hit a company in the United States' critical infrastructure.
What do we know about the Colonial Pipeline incident as of May 11, 2021?
Recommendations for Policy Makers and the White House:
The Fortalice Threat and Incident Response group has recently dealt with attacks attributed to the Ransomware-as-a-Service group DarkSide. Here are some of our findings:
If you don't already have a threat hunt program in place within your organization, this is a good time to start. Review the Indicators of Compromise in bulletins such as those provided by FBI InfraGard, and conduct a threat hunt immediately. If you are uncertain how to get started, we can assist.
What can you do now?
Here are the Top 4 Most Effective Steps From Our Client Work:
The Next 7 Most Effective Steps:
There are more steps you can take to prepare for, thwart, and respond to a ransomware attack. If you would like a more in-depth best practices conversation and you are a customer of Fortalice Solutions, call our offices to ask for a free 30-minute best practices consult at 877.487.8160. If you are not a customer, contact us at 877.487.8160 or email us at Watchmen@FortaliceSolutions.com and ask for an introduction call to discuss how we provide boutique security and intel solutions to the world’s best companies and organizations.
If you are a victim of a ransomware crime or believe you might be, please report it to your local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Unsure who your contact is? Fortalice can connect you, or go to www.fbi.gov/contact-us/field-offices. Want to chat with someone at FBI CyWatch? Call them at (855) 292-3937. You can also email them at CyWatch@fbi.gov.