On Thursday, May 6, 2021, national news broke that Colonial Pipeline, a privately-held pipeline operator headquartered in Alpharetta, GA, fell victim to a ransomware attack that ultimately left them with suspended operations for eight days. Since they provide an estimated 45% of fuel products to the East Coast of the United States, this shutdown caused fears of gas shortages on the heels of ongoing supply chain disruptions and other pandemic-related shortages. In order to get operations back up and running relatively quickly, Colonial Pipeline paid a $4.4 million ransom to their attackers.
Shortly thereafter, news of another ransomware attack flooded headlines, this time about JBS USA, an American meat processing plant headquartered in Greeley, CO. To recover their data, they paid their attacker an $11 million ransom. And then, a Florida-based software company, Kaseya, was attacked by cybercriminals soon after that in early July 2021.
News of ransomware attacks continues to this day, but it was perhaps these three events that prompted companies across the world to seriously consider their cybersecurity operations and to seek safeguards against nefarious cyberattacks.
Recap: What is ransomware?
According to CISA, “Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
Concerns About a Growing Trend
The U.S. Government did not issue any hard-hitting sanctions against the attackers mentioned above or their countries of origin, mainly because it’s really hard to do so--these cybercriminals remain elusive despite the amount of havoc they wreak. Companies impacted by ransomware attacks are left with no choice, in many cases, but to pay the ransom in order to resume operations. Therefore, cyber attackers understand that there are no real consequences for their actions and will likely continue to carry out attacks.
However, in September 2021, The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance to U.S. businesses, saying, “The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”
So, What Can You Do?
We asked our developers for some of their best tips for tech teams in guarding against ransomware attacks. Brian Morin, DevOps at Exclamation Labs said, “Don't trust your antivirus software to save you or protect you from current or "zero-day" vulnerabilities.” Instead, use versioned backups like Crashplan or Backblaze. If you use Time Machine to back up your Mac, consider not leaving your time machine device attached at all times. If your host becomes corrupted and your time machine isn't hooked up, then it can't wipe your backups.
Nathan Dorsey, from our DevOps team replied, “Use a filesystem that supports snapshots like zfs (or btrfs). Snapshots are read-only, incremental, and versioned so, in the event of ransomware encryption, you have an unencrypted archive of your data at the ready.” Snapshots can (and should) be sent off site easily as well. As long as you correct the initial source problem of the ransomware, your data can be back to normal simply with a "zfs rollback."
Use an Identity Management Solution
Identity access management (IAM) gives organizations an automated and secure way to control who has access to their systems, which house the most critical information that attackers seek. When provisioning and deprovisioning of user access is administered manually, the possibility of human error creates vulnerabilities surrounding compromised credentials. IAM solutions add an extra layer of security which makes it more difficult for hackers to access your organization’s data.
The Road Ahead
Ransomware will continue to evolve. For example, REvil, the group responsible for the Kaseya attack, has developed a ransomware as a service (RaaS) product, which will further perpetuate the accelerated rate of cybercrime incidents that have been happening. More recently, the FBI warned US businesses of an increase in ransomware attacks via mailed flash drives.
The best thing companies can do is be prepared. From considering backup plans to making plans to implement an identity management solution, organizations need to explore all options for securing their data and preparing as if an attack were imminent.