Protecting Manufacturers from Ransomware Attacks

Authored by Dave Hatter, CISSP, CCSP, CSSLP, Security+ and Network+

There has been a surge in ransomware attacks in recent years and an even greater acceleration in the first half of 2021. For example, researchers at Barracuda have identified and analyzed 121 ransomware incidents, a 64% increase in attacks, year over year.  Check Point Software reported a 93% increase in ransomware attacks year over year and SonicWall reported a 63% increase in ransomware attacks from Q1 to Q2 2021. Cybersecurity Ventures has predicted that businesses worldwide will become a ransomware victim every 11 seconds in 2021!

Source: SonicWall

Maya Horowitz, vice-president of research at Check Point Software, said “In the first half of 2021, cyber criminals have continued to adapt their working practices to exploit the shift to hybrid working, targeting organizations’ supply chains and network links to partners to achieve maximum disruption.”

Virtually every type of business is at risk, especially key links in the manufacturing supply chain as cybercriminals target a wide variety of industry sectors including municipalities, health care, and education. Unfortunately, manufacturing is not exempt. In fact, software company Varonis reported that manufacturers account for nearly a quarter of all ransomware attacks, more than any other industry. Furthermore, cybersecurity researchers at Dragos called ransomware the “biggest threat” to manufacturing operations and, in November of 2020, ZDNet reported “Manufacturing is becoming a major target for ransomware attacks”.

Since then, several high profile, high-impact attacks have occurred. In May 2021, an attack temporarily shut down operations of the largest gas pipeline in the United States. The owners of the pipeline paid nearly $5 million in ransom to regain access to their servers.

The owners were eventually able to recover much of the Bitcoin (cryptocurrency) paid as ransom to the attackers, but the lessons are loud and clear: Watch out for similar attacks on your company and take preventive measures to foil prospective attackers before you are the next victim.

Another devastating attack occurred over Independence Day weekend in 2021 when threat actors compromised Kaseya’s remote management software and used it to deliver ransomware to over 1,000 Kaseya customers. This is the largest attack of its kind to date. More than 36,000 customers were impacted as all Kaseya services were temporarily suspended to prevent the spread of the ransomware and to remediate the threat. It’s worth noting that the initial ransom demand was $70 million dollars. Do you have a spare $70 million in your budget?

What Is Ransomware?

Ransomware is malware (malicious software) designed to prevent access to a computer system or files until the victim pays the attacker’s ransom demand. Essentially, your computer network is “held for ransom” until you make a payment to unlock your data.

When ransomware first hit the scene decades ago, attacks typically targeted individuals, and payment was made through the regular U.S. mail. Today, high-tech criminals typically attack corporations because they have more at risk as well as deeper pockets and ransom demands require payment via cryptocurrency such as Bitcoin or Ethereum.

Unfortunately, it doesn’t take much to be infected, and there are several attack vectors commonly used to deliver ransomware. The most common is an email containing an infected file attachment or a link to a website that downloads a malicious payload when clicked. To add an air of legitimacy, the email may be spoofed so that it appears to originate from a legitimate company your firm deals with or someone you know. In other cases, attackers may pose as law enforcement officials or representatives of federal agencies, such as the FBI, IRS or U.S. Department of Labor.

Attackers may also scan the Internet for networks with open ports that allow ingress. In some cases, these open ports can be exploited and provide a conduit for attackers to deliver ransomware into your environment.

Once ransomware has been deployed, it will attempt to encrypt as much data as possible and will generally attempt to spread across as many devices as possible. As more data is encrypted, more systems become dysfunctional. This increases the likelihood of paying the ransom to get the key needed to decrypt the encrypted data and bring impacted systems back online.

Recent innovations have made ransomware attacks even more devastating because of the so called “triple extortion” technique. While encrypting data, the ransomware also steals the victim’s data which the attackers threaten to release publicly to increase the leverage for paying a ransom. Attackers also use the exfiltrated data to target the organization’s customers, vendors or business partners, thus the triple threat.

How Can You Prevent an Attack?

While there is no magic bullet to stop all ransomware attacks, there are concrete steps you can take to make your environment a more difficult target and to reduce the impact of an attack. Consider the following practices:

1. Train users to recognize red flags. Your workforce is your first line of defense against many cyberattacks. Employees and other network users — including suppliers and vendors that can access your system — should understand how ransomware attacks happen. Instruct them to exercise caution when opening unsolicited emails and clicking links. For example, they should know to report any suspicious emails to your IT department and to verify the legitimacy of an email before clicking a link or opening a file.  One way to do that is to go “out-of-band” and call the individual or organization that purportedly sent the email.

Require your staff to participate in regular cybersecurity awareness training sessions. This includes assembly line workers, as well as those in the back office and managers.  Anyone that has access to organizational systems could enable a ransomware attack by clicking an infected attachment or bogus link. Consider testing methods that simulate actual ransomware attacks to help improve awareness and establish whether your training program is effective.

2. Keep your systems updated. Ensure that all operating systems and applications are updated with the latest patches from the vendor. Automate this process when possible. Criminals launching ransomware attacks are known to prey on those with older, more vulnerable systems and applications.

3. Utilize the latest security products. Take advantage of tools, such as antivirus (end point protection) software, firewalls, DNS filters and email filters. Give your IT department the authority and resources to implement and maintain a comprehensive cybersecurity plan.

4. Close unnecessary ports and control remote access. Conduct a vulnerability assessment to find any open ports and close any that are not mission critical for your business. Additionally, tightly monitor and control remote access, use a Virtual Private Network (VPN) and only allow access to trusted devices.

Note: Cybersecurity is a continuous improvement process, threats are constantly evolving and risks continuously change. An effective program should try to stay one step ahead of the hackers. To do so, IT personnel may need additional training on an ongoing basis. For example, staff may need training if your company has transitioned to remote work as remote sites can be more challenging to secure.

5. Back up files. Perform frequent backups of your system and other important files. You can use a recent back up to restore your systems and data in the event of ransomware attack or a natural disaster such as a fire or flood. You should follow the “3-2-1” backup rule which states there should be 3 copies of data on 2 different storage media with 1 copy stored securely off site.

Using the 3-2-1 rule and storing backup copies both locally and offsite, ideally encrypted in the cloud, essentially doubles your protection in the event or a ransomware attack or other disaster.

Frequent backups are important to minimize data loss and downtime. To determine a backup schedule, you must know the amount of data that can be lost without catastrophic impact on the organization. This is known as the Recovery Point Objective (RPO).  Additionally, it is critical to test your backups to ensure that you can successfully restore from them.

6. Obtain cyber insurance. Professional and general business liability insurance policies generally don’t cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. Typically, it protects against liability or losses that come from unauthorized access to your company’s electronic data and software. Certain modifications or addendums may be available based on the nature of your operations. For example, there may be policies customized for manufacturers in the health care industry.

Instead of purchasing a standalone cyber liability policy, you might add a cyber liability endorsement to your errors and omissions policy. Note that coverage through an endorsement isn’t as extensive as coverage in a standalone policy.

You should carefully read your cyber policies to understand what types of incidents are specifically excluded from coverage. Reminder: Cyber liability insurance is not a replacement for sound cyber security policies and procedures. As cyber-attacks rise and the frequency and cost of cyber-claims increase, these polices are becoming more expensive and more difficult to acquire. A well-defined cybersecurity plan, especially one based on a framework like NIST 800-171, the Center for Internet Security Critical Controls, or ISO 27001, will not only help improve your cybersecurity posture, it can help to reduce your cyber insurance premiums.

7. Devise and follow a formal plan. If your company is hit with a ransomware attack, will you pay the ransom? This is a high-level decision that requires a comprehensive analysis. First, there is no guarantee that you will get the key to decrypt your data, or that the attackers won’t release your data to the public. Second, the FBI has advised against paying a ransom and the U.S. Treasury department advised ransomware victims last fall that they may be subject to sanctions and legal liability if they pay a ransom. So, discuss your response plan with in-house IT personnel and outside financial, legal and insurance professionals before you make a ransomware payment. Even after taking these precautions, only do so as a last resort.

Lesson Learned

Manufacturers can’t afford to ignore the ever-growing threat of ransomware. Your professional advisors can help find cost-effective ways to minimize your risk and safeguard your data.

For any questions or guidance related to cyber security threats and/or protection, contact Dave Hatter, Cybersecurity Consultant, at 513-824-6850 or dave.hatter@intrust-it.com.