Responding to Ransomware Attacks
The manufacturing industry is one of the most innovative, expansive, and evolving fields in the world, and that’s part of the reason why it’s such a lucrative target for ransomware attacks. Cyber criminals realize that there’s value in manufacturers’ data, and are looking to exploit that value for their monetary gain. That’s why it’s so important for manufacturers to secure their data and protect it using the best practices supported by cybersecurity experts, as well as to take the right steps when responding to ransomware attacks.
The danger in ransomware attacks isn’t just in the data that gets encrypted, it’s in the lasting consequences. If a manufacturer’s data were to be encrypted, even if they paid the ransom, there’s no guarantee that they’d get the data back. To make matters worse, if they didn’t get their data back, they probably wouldn’t get their money back either. What about that business’s reputation? Or the data of their clients that was stored on the compromised system? When a company falls to a ransomware attack, they aren’t the only victim.
Ransomware Attacks in 2021
The most well-covered ransomware attack in 2021 has been the breach of Colonial Pipeline back in April. This breach disrupted a piece of critical infrastructure, which led to volatile gas pricing along the east coast of the United States. The attack caused a certain amount of chaos and panic, which is exactly the type of result the cyber criminals were looking for. The threat actors demanded $4.4 million as a ransom, and continued to attack the firm’s billing system to apply additional pressure.
Another devastating ransomware attack occurred recently on Kaseya, a management service provider (MSP) that serves thousands of organizations. The attack was distributed through the MSP services into its clients’ systems. It still isn’t known exactly how many different businesses were affected; however, there are over a thousand reported impacts, including many larger businesses such as supermarket chains, retail, and professional services. This attack has spread across national borders and multiple industries. The demanded ransom is $70 million.
Responding to Ransomware Attacks
When a manufacturer realizes that they’ve had a breach and are victims of a cyber-attack, they need to decide how they want to respond. If Incident Response, Disaster Recovery, and Business Continuity plans have been created, they should follow those plans. This includes assigning response roles, following specific compliance guidelines, and notifying the proper authorities and other parties.
The IT department of the business should determine exactly which systems were compromised and determine how widespread the infection is. If the attack is isolated to a few systems, immediately separate them from the rest of the network. It is important to collect as much evidence as possible from the infected system before it is wiped. That evidence will be needed to pinpoint the perpetrator(s), if possible.
If it’s not possible to separate the infected systems from the network, then the entire network needs to be taken offline in order to slow or stop further infection. It’s possible that after the initial compromise, threat actors are staying hidden in the background monitoring system activity. Disconnecting the infected systems, or communicating separately from the infected network, can make it harder for the cyber criminals to monitor mitigation efforts.
It is very important that the infected systems are not turned off. It is a common misconception that turning off the machines will slow the infection, but this is false. All that turning off the systems does is delete the forensic evidence needed by law enforcement agencies. The FBI uses a tool called FTK Suite that collects evidence from the affected systems and provides a full image of the computer. This would be impossible to do if the machine had been turned off and back on.
Once all the evidence has been contained and collected, the eradication process of the infected data should begin. The most critical systems need to be identified, and then those systems can slowly be reestablished. At this point, it’s critical to ensure that the systems being brought back online are not being exposed to any compromised system or network. After that, the system(s) should be patched and monitored to ensure that there is no other virus or malware operating behind the scenes.
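To show what evidence handling before a wipe can look like in practice, here is an added example (not part of the original article and not TechSolve's or the FBI's tooling). It inventories a folder of already-collected artifacts with SHA-256 hashes and later verifies that nothing was altered; the function names, manifest fields, and the idea of an evidence folder are assumptions made for illustration.

```python
# Added illustration: evidence manifest for artifacts copied off an infected system.
# Function names and manifest fields are hypothetical, chosen for this example.
import hashlib, json, os
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: never open evidence for writing
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _seal(body):
    """SHA-256 over canonical JSON; record this value outside the evidence store."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_manifest(evidence_dir, collector, host):
    """Inventory every collected file: relative path, size, mtime, SHA-256."""
    entries = []
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    body = {"host": host, "collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "entries": entries}
    return {"body": body, "seal_sha256": _seal(body)}

def verify_manifest(evidence_dir, manifest):
    """Return a list of integrity problems; an empty list means nothing changed."""
    problems = []
    if _seal(manifest["body"]) != manifest["seal_sha256"]:
        problems.append("manifest: seal mismatch")
    for entry in manifest["body"]["entries"]:
        path = os.path.join(evidence_dir, *entry["path"].split("/"))
        if not os.path.isfile(path):
            problems.append(f"{entry['path']}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['path']}: hash mismatch")
    return problems
```

The seal is a plain hash, not a signature, so it only helps if the value is written down somewhere the evidence store's users cannot change, such as the incident log.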
It’s important to note that some attacks may be too large or widespread for any individual or small IT team to handle. There are situations where it is important to ask for help from the proper authorities, such as the Federal Bureau of Investigation, other law enforcement, or CISA and MS-ISAC. It is also important to control the stream of information both internally and externally. Depending on their specific compliance requirements, manufacturers may have to disclose certain information to specific parties, or the public.
What is the Cost of a Ransomware Attack?
A ransomware attack has no exact cost, but there are many examples. From thousands to millions of dollars, there is no limit to the ransom cost. However, there are unmentioned consequences to these types of attacks as well. In many of the larger breaches, companies have lost valuable data that belonged to clients and customers, which can result in more victims. Many consumers are hesitant to trust a company that has already experienced an attack, especially if it resulted in their customers losing money or data.
These consequences can be much longer lasting than the upfront ransom, and this assumes that a company gets their data back after paying the ransom. It’s incredibly important that manufacturers get it right the first time, and do their best to employ smart strategies to mitigate the risk of ransomware so that they can avoid the worst parts of ransomware attacks.
Who’s Lurking In Your System?
Recently, cybersecurity professionals have been noticing new behaviors with cyber-criminals spending larger amounts of time within systems they’ve breached before they launch a ransomware attack. They use this time to monitor vulnerabilities and prioritize what they want to attack. They map out the environment inside the system and attempt to locate data backups. On top of that, cyber criminals have begun encrypting data for a ransomware attack, and then threatening to release the data to the public if they don’t get paid. They use this tactic as leverage to force the targeted company into making rash decisions.
To make matters worse, larger data breaches carried out by more infamous hackers tend to have more expensive ransoms. Over the past two years, the amounts that companies have paid these cyber criminals have grown by 300%. The average payment amount from the major data breaches this April was $24 million, and while this amount may not be the same as what cyber criminals demand from smaller businesses, it does show a disturbing trend.
What Else Should Manufacturers Stay on the Lookout for?
Cyber criminals have begun to employ new infection tactics as well, such as vishing, a form of audio phishing that can be done through a phone call. It is a riskier strategy for the threat actor, but it has also proven effective. The aforementioned Kaseya attack was launched through the company’s VSA product, which is a remote monitoring tool. The actors used a known vulnerability in the software when it was connected to the internet to gain access, and used this medium to spread their ransomware.
TechSolve Works to Protect Manufacturers
With the growing frequency of ransomware attacks and data breaches, it’s no wonder that many businesses are moving towards a stronger cybersecurity presence. It is necessary for manufacturers to protect themselves and their clients from cyber-attacks, regardless of the size of the company.
TechSolve wants to help you with that. With decades of experience in the manufacturing field, our experts can identify the vulnerabilities in your framework, or they can help build a security system from scratch. Regardless of the task, TechSolve’s cybersecurity experts have the tools and the know-how to help secure your data.
Don’t wait until it’s too late. Contact TechSolve for a free cybersecurity consult.