Ransomware prevention measures such as securing your applications can help you avoid becoming the next target.
Ransomware isn’t a new problem—not even close. It’s been around for more than 30 years. But like every element of technology, it has evolved. Instead of being an occasional expensive nuisance, it’s now a plague with existential implications for critical infrastructure—energy, transportation, food supply, water and sewer services, healthcare, and more.
And recent headlines have been a constant reminder of how vulnerable the owners and operators of that infrastructure—most of them private companies—are to ransomware attacks.
The May 2021 attack that prompted Colonial Pipeline to shut down its 5,500-mile pipeline, cutting off nearly half the fuel supply to the U.S. east coast for the better part of a week, is just one ominous example. Because as modern ransomware attacks go, this one was fairly standard.
DarkSide, a ransomware-as-a-service group reportedly operating in Russia, didn’t just encrypt data. They stole it as well, which puts more pressure on victims to pay since there’s a threat of intellectual property and private customer information going public.
But the group attacked the company’s IT network rather than the more sensitive operational technology (OT) networks that control the pipeline. That gave a measure of credibility to DarkSide’s claim a few days later that, as Reuters put it, they were out for “cash, not chaos.” In a statement posted on its website, the group said, “our goal is to make money, and not creating [sic] problems for society.”
They added that the group is “apolitical” and should not be linked with any government.
Still, the attack created problems well beyond the ransom Colonial ended up paying—a reported US$4.4 million—although the Department of Justice announced June 7 that it had been able to recover about US$2.3 million of that by tracing and seizing the bitcoin wallet used by the hackers.
But at the time, the company shut down the pipeline “out of an abundance of caution” since it didn’t know if the attackers had penetrated its OT systems.
The impact of the Colonial attack was anything but standard. It cut off multiple fuel supplies—gasoline, diesel, jet fuel, and heating oil—which led to panic buying and major price spikes. And it demonstrated yet again what multiple experts have warned for decades: Criminals or hostile nation states don’t need bombs, missiles, or bullets to damage an adversary. They can do it with keystrokes on a computer.
Past illustrations of that reality include the Aurora demonstration in 2007 at Idaho National Laboratories, which destroyed a large diesel generator; Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010; and Industroyer, which brought down a portion of the energy grid in Ukraine in 2016.
But the Colonial attack was at an entirely new level, at least in the U.S. Robert Lee, CEO of the cyber security firm Dragos, told Wired magazine that “this is the largest impact on the energy system in the United States we’ve seen from a cyber attack, full stop.”
So why aren’t governments and the private sector organizations that are the targets of these attacks going on what would amount to a wartime footing to fight back?
Well, they are—sort of. The White House issued a memo this past week urging business leaders to act immediately to improve their resistance to ransomware attacks.
“The threats are serious and they are increasing,” wrote Anne Neuberger, President Biden’s deputy national security advisor for cyber and emerging technology.
Biden has also promised to confront Russian President Vladimir Putin when they meet later this month about that country being a safe haven for ransomware criminals.
But if there’s any good news, it’s that the ways to resist ransomware attacks are well established. And while nothing will make an organization entirely bulletproof from skilled, determined attackers, there are ways to make a successful attack much more difficult.
The following list includes the recommendations in the White House memo:
Rehan Bashir, managing consultant with the Synopsys Software Integrity Group, said it takes “a holistic security approach—network, host, and application development. Organizations must adopt secure development processes that will produce secure software products and applications.”
That requires a secure software development life cycle (SDLC) where “security is an inline function of the development pipeline rather than an out-of-band activity,” he said.
An SDLC should start with architecture risk analysis to find and fix design flaws, and threat modeling to identify the ways malicious hackers might attack.
Next, use application security and quality analysis tools. Throughout initial software development and updates, automated application security tools for static, dynamic, and interactive application security testing along with software composition analysis will help developers find and fix known vulnerabilities and potential licensing conflicts in open source software components.
At the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organization needs more expertise or capacity, managed services providers can guide it through the process.
For years, many organizations have complained that they have neither the time nor the money to implement those protections, and that hackers wouldn’t be interested in them anyway.
That is, demonstrably, a very risky strategy. “Security by obscurity” doesn’t work. And the cost of paying cyber criminals and recovering from a ransomware attack will be greater, by orders of magnitude, than any “savings” from failing to implement good security.
Better security is an investment. It starts with a strong software foundation, continues with careful thought about firewalls and network design, and is maintained with constant vigilance, including monitors and secure software updates.
You may never know the ROI from all this, but that’s the point—you don’t want to know.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.