InfoSec Insider

Takeaways from the Colonial Pipeline Ransomware Attack

Hank Schless, senior manager of security solutions at Lookout, notes basic steps that organizations can take to protect themselves as ransomware gangs get smarter.

If you feel like you’ve read a lot about ransomware in recent months, it’s because these attacks have indeed intensified. In 2020, ransomware attacks surged by 150 percent, with the average payment size increasing by more than 170 percent. Some of the notable victims include United Health Services, Orange and Acer.

Infamously for this year, Colonial Pipeline, the largest pipeline operator in the United States, was compromised. Finer details are still being uncovered, but early reports indicate that this incident exemplifies many of the reasons why ransomware attacks have increased.

So why are ransomware attacks increasing? The gist of it is that the digital-first environment has created the perfect setting for ransomware operators, which themselves have evolved and matured over time.

Ransomware Business Models and Tactics Have Evolved

Ransomware is nothing new. But in recent years the landscape has changed, as ransomware operators have developed scalable and repeatable campaigns with defined targets. Just like any other enterprise, many of them are even reinvesting their profits back into new tools that increase the likelihood of a successful attack.

Before they announced their intent to disband, at least in name, DarkSide, the Russian-speaking group behind the Colonial Pipeline attack, was clear about who they targeted. They claimed that they only victimized organizations that could afford it, seeming to think of themselves as some sort of modern-day Robin Hood.

It’s not just the business model that has changed. Many ransomware operators have also become smarter. While the basic principles of gaining access, locking up or encrypting data, and demanding funds to restore access haven’t changed, groups are refining how they do it. It used to be that, while costly, you could avoid paying ransoms by ensuring your data was backed up to an offline location. Attackers are now blunting that defense by threatening to publish your data, even if you manage to restore your systems.

The Remote-Work Environment is Perfect for Ransomware

Ransomware attacks require access to an organization’s infrastructure. Unfortunately, the remote-work environment has made it easier for ransomware attackers.

With employees working anywhere, security teams don’t have the same visibility they had when employees worked in the office. The attack surface has increased as employees work from anywhere, using devices and networks that their employers don’t control. To secure remote and hybrid work experiences, security teams face the challenge of having very little insight into what their users are doing and whether a device or access credentials are compromised or not.

The most discreet way attackers can enter an infrastructure is by stealing credentials. The easiest way to do so is through mobile phishing. Because smartphones and tablets are used for both work and personal reasons, employees can be socially engineered and targeted through multiple channels such as SMS, social-media platforms, and third-party messaging apps. The simplified user interfaces of a phone or tablet hide the signs of phishing, making their users ripe targets for socially engineered phishing campaigns.

Once the attacker has obtained compromised credentials, the next step is to log in and locate valuable data. If the targeted organization still relies on a traditional VPN, the attacker won’t have much difficulty getting in. While a VPN provides access for your remote employees, it doesn’t check the unique context under which the user or the device is connecting. In most cases, the VPN provides the employee unlimited access to the corporate network, and to both cloud and on-premises apps and data.

Access to On-Prem Infrastructure Creates Additional Risks

Another opening for ransomware operators is access to on-premises infrastructure. While this wasn’t the reason it was compromised by ransomware, Colonial Pipeline was reportedly running an outdated version of Microsoft Exchange.

This put the company in the same boat as tens of thousands of other organizations, many of which were compromised through several zero-day vulnerabilities disclosed in March (known as ProxyLogon). From a security perspective, on-premises software will always lag behind software-as-a-service (SaaS), because it depends on the customer applying patches manually, whereas a SaaS provider’s security staff apply them proactively on the customer’s behalf. Cloud-delivered solutions, in contrast, are constantly updated and maintained by the provider.

Combat Ransomware with Zero Trust

While there is no one security strategy that can ransomware-proof an organization, there are steps to mitigate the risk. As organizations continue to support a hybrid workforce that works from anywhere, they need to strategize a way to regain the visibility and control they once had inside their perimeter.

Organizations need to ensure they deploy cloud-delivered solutions that provide insight into everything from the user and the endpoint they’re on all the way up to the cloud. They also need to align their access control with zero trust, ensuring that only trustworthy users on trustworthy devices have access to their infrastructure.
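As an added illustration (not code from the article or from Lookout) of the contrast drawn above between a traditional VPN and zero-trust access control: a minimal per-request policy check in Python. The request fields, the entitlement table and the phished-credential scenario are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    password_ok: bool      # primary credential verified
    mfa_ok: bool           # second factor presented
    device_managed: bool   # endpoint enrolled with / known to the organization
    device_patched: bool   # endpoint passes a posture (patch level) check
    resource: str          # application or data set being requested


# Constructed sample entitlements (assumption): which resources each user needs.
ENTITLEMENTS = {"alice": {"wiki", "payroll-db"}, "bob": {"wiki"}}


def vpn_access(req: AccessRequest) -> bool:
    """Traditional VPN model as the article describes it: a valid credential
    puts the user on the corporate network with reach to everything on it."""
    return req.password_ok


def zero_trust_access(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust model: identity, device context and resource scope are all
    evaluated on every request. Returns (allowed, reason) so that denials can
    be logged and alerted on, e.g. a valid password arriving from an
    unmanaged device is itself a signal that the credential may be phished."""
    if not req.password_ok:
        return False, "bad credential"
    if not req.mfa_ok:
        return False, "missing second factor"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device fails posture check"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "resource outside user's entitlement"
    return True, "ok"


# Constructed scenario: alice's password was phished over SMS and is replayed
# from the attacker's own, unmanaged phone against the payroll database.
PHISHED = AccessRequest("alice", True, False, False, False, "payroll-db")
# Constructed scenario: alice herself, with MFA, on her managed, patched laptop.
LEGIT = AccessRequest("alice", True, True, True, True, "payroll-db")
```

The flat VPN check admits the replayed credential; the zero-trust check denies it at the first missing context signal and reports why.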

Hank Schless is senior manager of security solutions at Lookout.
