Cybersec Charcha: Understanding the booming ransomware industry


In the second edition of Cybersec Charcha, we are taking a deep dive into the unregulated ransomware industry, what a ransomware attack means and the consequences it can have. Without further ado, let’s dive into it:

The Big Story: Colonial Pipeline paid 75 Bitcoin or 5 Million USD in ransom to restore their services

The Colonial Pipeline is a company that operates a pipeline carrying gasoline, diesel fuel, and natural gas along a 5,500-mile path from Texas to New Jersey. In early May, the company released a statement confirming reports that ransomware hackers had hit its network.

But first, what exactly is a ransomware attack?

Ransomware attacks typically involve infecting computers with malicious software, often downloaded by clicking on seemingly innocuous links in emails or website pop-ups. The malware encrypts or locks the victim’s files and systems, and the attackers demand a ransom to restore access. If you are interested in learning more about ransomware attacks and how they work, this is a good place to start.

The attack on the Colonial Pipeline has been attributed by many to the DarkSide ransomware group. The attackers hit the company’s business networks rather than the more sensitive operational technology that controls the pipeline. However, the company shut down its operational networks in an attempt to contain the damage. This led to disruptions in the fuel supply throughout the East Coast and to mounting pressure to restore services. Not long after, reports emerged that the company had paid $5 Million in ransom to the hackers. Once the hackers received the amount, they provided the company with a decryption tool to restore its disabled computer network.

This is not the first time that a company’s critical infrastructure has been disrupted by a ransomware attack. In fact, these attacks are increasing both in number and, more worryingly, in their potential to cause widespread damage. The most disruptive and devastating cyberattack the world has ever witnessed actually happened back in 2017. Below is just one example of how things turned out for one of the companies on the receiving end of that attack:

History lesson: NotPetya

In June 2017, the shipping conglomerate Maersk was hit by a ransomware attack which later came to be known to the world as NotPetya. It is estimated that this cyberattack cost Maersk as much as $300 Million in lost revenue. With 76 ports and 800 vessels, the multinational’s helplessness in the face of a total shutdown is a perfect example of the real-world disruption that cyberattacks can cause. Instantly and simultaneously, every internet-connected device of theirs was infiltrated. These included 45,000 workstations, 4,000 servers, routers, VoIP phones, physical access settings, and other infrastructure. All in all, it took 200 Maersk personnel and 400 of their Deloitte contractor counterparts 10 days, working 24/7, to rebuild the Maersk network. Months more were needed to restore normal software functionality.

The NotPetya ransomware attack was so widespread and devastating that it’s been written about and covered over and over again. However, the goal of this detour into a cyberattack that happened 4 years ago is not to scare you but to bring us back to the age-old question:

What can we do?

In the previous (and first ever) edition of Cybersec Charcha, we explored why companies must nurture a security-first culture. And this is precisely why. These ransomware attacks didn’t happen out of thin air. Someone, somewhere clicked on a malicious link without cross-checking it, or inserted an unknown USB drive into their device without being sure of its contents, or maybe their devices’ software wasn’t up to date, so their systems lacked the latest security patches that could probably have kept them safe. The question we should ask ourselves is: how can we prevent these incidents from happening again? And the short answer is: by prioritizing digital security.

Companies must conduct regular digital security assessments to ensure employees are up to date on the security measures they should be following. Moreover, organising digital security training with a focus on enabling a behavioural shift will also go a long way in protecting critical network infrastructure that, if compromised, can cause a lot of damage.

The continuing saga of Breach Pe Breach…

  1. Air India - SITA Breach: In early March, global aviation giant SITA announced that its systems had come under a cybersecurity attack. The breach affected several airlines, including American Airlines, Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa. Three months after SITA first announced the breach, we are still learning about more victims of the attack, this time our very own struggling Indian airline, Air India. The attack compromised data of passengers who had registered with Air India over the past decade, between August 26, 2011 and February 3, 2021, Air India said in a statement. Air India is the latest Indian firm to report a data breach in the last quarter, with companies like Mobikwik and BigBasket, amongst others, also facing similar cybersecurity attacks that exposed the personal data of millions of Indian users. You can read about the SITA Breach here and the corresponding Air India breach here.
  2. Domino’s Data Breach: More than 13 TB of data of Domino’s India users, including 10 lakh credit cards, was compromised. The leaked data also includes personally identifiable information like phone numbers, names, email addresses and GPS locations of users. The data breach was first flagged by cybersecurity researcher Rajshekhar Rajaharia. This leaked data can potentially be used to send targeted messages to customers and spy on them. Jubilant Foodworks, Domino’s parent company, released a statement saying that no financial information was leaked in the breach and that it has taken the necessary steps to “contain the incident”. You can read more about it here.
  3. Ireland’s Health Service hit by a serious ransomware attack: Earlier in May, Ireland’s Health Service Operator shut down all of its IT systems in an attempt to protect its technical infrastructure from a “very sophisticated” ransomware attack. While the country’s COVID-19 vaccination programme wasn’t affected, the attack did affect all other local and national health provisions. However, the Irish Health Service is not alone; this is in fact part of a deeply disturbing trend. Ransomware attacks on the healthcare sector have been skyrocketing! Here’s an important report documenting the spike in these ransomware attacks. You can read more about the Irish Health Service attack here.

So, how can we secure ourselves?

  • If you find that you are one of the victims of the data breaches mentioned above, change your passwords everywhere (especially anywhere you reused the same password) and enable two-step verification wherever possible.
  • Moreover, we must be careful that we don’t give away our data unintentionally. Avoid giving out your phone numbers, address and other sensitive information to places that don’t need it.
  • Read the privacy policies of the apps you download and avoid sharing location data with third parties.
  • Check the default settings of all your apps to understand the kind of data they have access to and limit their data storage as much as possible.


The list goes on, and I will continue to cover digital security measures in each edition of this newsletter! If you haven’t had a chance to read the first edition of Cybersec Charcha, click here. Last, but definitely not least, if you like the work IFF does, please consider becoming a member. It is your support that keeps us going!
