Want to Ward Off Ransomware Attackers? Take Away Their Key

Recently, I had the opportunity to present to a group of 25+ IT leaders representing manufacturing and distribution companies of various business sectors, some of them global, about cybersecurity. They were interested in hearing the latest about ransomware attacks at JBS and Colonial Pipeline, which continue to generate headlines because of the havoc they caused, and the huge ransoms demanded by bad actors that were paid (at least in part) by these companies.

As is the case with any big news story, details continue to emerge and what we’re learning now is that JBS and Colonial — considered “big-game” targets by their attackers — were successfully breached not because the ransomware these attackers use is so genius. It’s because their victims appear to be weak prey.

It’s all about getting credentials.

It’s all about getting credentials. One popular method is prompting them through phishing attacks. The other avenues are brute force attacks or password spray attacks. Cybersecurity experts have been saying this all along, and key takeaways from the 2021 Verizon Data Breach Investigations Report (DBIR) corroborate this. Here is the case I made for the audience of IT leaders that I think is worth sharing more broadly …

JBS and Colonial Pipeline

First, a rundown of the JBS and Colonial ransomware attacks and what we’ve learned as of late:

JBS

A ransomware attack May 30 on JBS, the world’s largest meat and poultry producer, shut down processing facilities in North America and Australia, including nine locations here in the United States. While operations were restored by June 3, the USDA was unable to release wholesale prices for beef and pork on June 1, affecting thousands throughout the industry.

JBS negotiated and paid $11 million of the $22.5 million demanded by REvil, a Russian-East European gang first identified in April 2019 as a next generation of GrandCrab ransomware. An RaaS (ransomware as a service) partnership program, REvil exfiltrates data first, then encrypts it — in effect, doubling the extortion. It’s a highly lucrative “business” — GrandCrab purportedly pocketed $2 billion in ransom payments, and its successor, REvil is already boasting $100 million in ransom earned. JBS paid the ransom for two reasons — decryption of two databases and the prevention of the stolen data being published. Exactly how the company was breached is still unknown.

Colonial Pipeline

A ransomware attack on Colonial Pipeline, an American energy system that provides nearly half of the East Coast’s fuel supply, caused one of the largest disruptions of critical infrastructure in history.

DarkSide, a ransomware service created by a highly skilled criminal group called Carbon Spider, gained entry on April 29 through a remote VPN account that was no longer in use but still enabled and had access to internal resources. The account did not require multifactor authentication. Ransomware began May 7, when the breach was made public, and Colonial Pipeline paid $4.4 million (75 bitcoin) in ransom. Authorities later recovered $2.3 million (63.7 bitcoin) of the initially paid ransom. While it’s still unknown how the credentials were compromised, the same password was found in leaks on the dark web.

2021 Verizon Data Breach Investigations Report

Now let’s explore how what happened at JBS and Colonial Pipeline stacks up against what Verizon shows in its 2021 DBIR, just released in May.

First, the bad news:

79,635 incidents were analyzed from November 2019 to November 2020 across 88 countries. Of these, 29,207 incidents met Verizon’s quality standard and 5,258 were confirmed breaches. (It’s worth explaining the difference between an incident, which Verizon defines as compromising the integrity, confidentiality or availability of an information asset, and a breach, which is an incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorized party.)

With regard to breaches specifically, Verizon reports that:

80% of attacks are from external actors.
Bad actors are motivated by financial gains and mostly associated with organized crime.
Espionage is low in occurrence but has a very wide and long impact.

In terms of how these bad actors operate, Verizon reports that:

Social, e.g., phishing or spearhead phishing, overwhelmingly was the means for successful infiltration of a company.
Malware is used to exploit a company’s vulnerabilities, expand laterally to other servers and infrastructures, and then drop a second-stage payload — what we mean by “land and expand.” Data exfiltration then occurs through permitted access.
Credentials remain the most sought-after data, with personal data coming in as a close second. The personal data has two purposes: resale value on the dark web and it’s use toward financial fraud.

Now, the good news:

According to Verizon, even though the pool of companies that are targets is widening and ransomware attacks are increasing, breaches are being identified more quickly. We can attribute this endpoint detection and response (EDR) platforms such as CrowdStrike, along with better tools in general like SIEMs and data security products, which companies increasingly are adopting. Where it once required all hands on deck and took months to identify and respond to an incident or breach, it now only takes a few people one or two days, if not less than that.

In addition, a large percentage of the incidents Verizon looked at did not result in huge losses. Broken down, the DBIR shows:

Business Email Compromise Loss (BEC):

Low: $250
High: $985,000
Median: $30,000

Computer Data Breach (CDB):

Low: $148
High: $1.6M
Median: $30,000

Ransomware:

Low: $70
High: $1.2M
Median: $11,150

Further, the FBI’s Internet Crime Complaint Center (IC3) shows that 42% of BECs reported to the bureau had no financial loss, 76% of CDBs had no financial loss, and 90% of ransomwares had no financial loss.

What’s Key

What we can take from Colonial Pipeline attack especially and the Verizon DBIR is that user credentials remain the key to access by ransomware attackers, and with companies willing to pay ransoms (particularly those insured), bad actors have every reason to stay motivated. Which is why I can’t say enough that companies must continue to strengthen security for user identities, eliminating the excess of access that attackers exploit.

Companies must continue to strengthen security for user identities, eliminating the excess of access that attackers exploit.

Like I said in my conversation with our VP of Marketing on our blog a couple weeks ago, it’s all about doing the basic things first:

Enable MFA.
Provide user training on the proper use of passwords and to discourage reusing them.
Use password management software.
Have a proper identity and access management (IAM) framework.
Establish a solid user offboarding process.
Audit and validate all user accounts.

In the meantime, I encourage you to take the time to read the full Verizon report. As Benjamin Franklin said, “An investment in knowledge always pays the best interest.”

Featured photo credit: Adam Mulligan via Flickr