Why U.S. Manufacturers Need a Ransomware Defense Program
By: Anna Mumford
Cyber threats and attacks continue to evolve with the use of more sophisticated techniques, making it necessary to understand the latest threat landscape and how it impacts your business. U.S. manufacturers are increasingly at risk due to the current geopolitical situation and the escalating cyber warfare between nation-states.
The supply chain for the Department of Defense and other critical U.S. manufacturing is especially vulnerable to attacks by nation-states who seek to compromise or hinder manufacturing operations.
A Shift in Ransomware Targets
The manufacturing sector has now surpassed the finance and healthcare industries in experiencing the highest number of ransomware attacks. Notably, the attackers have shifted their attention to targeting small and medium-sized manufacturers (SMMs) that are often unprepared to defend against ransomware events.
A recent surge in cyber attacks targeting industrial control systems (ICS) and operational technology (OT) networks has accounted for more than half of all ransomware attacks. Unless they need to comply with government contract requirements, many small business owners brush off the need for cybersecurity since it is not a revenue-generating investment. The statistics are sobering when it comes to the likelihood that SMMs will be breached and attacked with ransomware.
What’s at Stake
The impact of a cyber attack on an SMM can be devastating, both in terms of financial loss and operational downtime, leading to far-reaching disruptions. There are also intangible consequences such as damage to the company’s reputation and image.
It’s critical for organizations to secure their business proprietary data and intellectual property, without which the company wouldn’t be able to continue operating and be competitive. Many SMMs have contractual and legal requirements to protect federal and classified data. Exposure of this sensitive information must be reported to authorities and could lead to further investigations and even loss of contracts.
Adopting an industry-recognized cybersecurity framework, such as NIST SP 800-171, will protect organizations from punitive damage assessment for cybersecurity negligence in tort-based data breach legal cases in the state of Connecticut.
Ransomware Evolution – Understanding the New Threats
Nation-states’ ransomware attacks increase
Typical cyber criminals will do everything they can to ensure the victim can decrypt their business data after the payment is made. Otherwise, nobody will pay their ransom again and the attackers will be out of business. More recent ransomware attacks, however, are taking on more complex and alarming forms:
- Before the ransomware is deployed encrypting all files on the network, the attackers search for sensitive information which they steal by downloading a copy of the data. The stolen data is usually then published to the underground web extortion sites with the demand for a second ransom. If the extra extortion is not paid, the criminal threatens to contact the company’s customers and expose or sell the stolen information on the dark web.
- An increase in cyber attacks is coming from adversary nation-states, such as Iran, China, and Russia, with the intention of inflicting maximum damage on the company. Once the ransomware attackers receive the ransom and extortion payments, they stop responding and never provide the key to decrypt the victim’s data.
The ransomware business model
The latest developments in ransomware events reflect the complexity of the cyber crime environment which has adopted a more strategic business model. The hacker industry is growing dramatically with many newly launched Ransomware-as-a-Service (RaaS) portals hosted predominantly in Russian-speaking forums on the Dark Web.
The RaaS business model promotes partner program opportunities for any individual with computer skills to become a ransomware distributor earning a lucrative percentage of the decryption fee payout made in Bitcoin on the RaaS payment portal. Although many of the ransomware groups are located in Russia, their affiliates are spread out all over the world.
There are, on the other hand, some encouraging developments. Law enforcement is increasingly taking actions to bring down ransomware groups. For example, there are more extortion site seizures and sanctions against cryptocurrency exchanges that have been used to launder ransom money. Unfortunately, all those concerted law enforcement efforts are not slowing cyber criminals down yet.
Actions to Take Now
Below are some basic protections you can apply right now at your business to defend against four key ways ransomware actors try to gain initial access to your systems:
- Phishing attacks: Implement solid email security and train your employees to recognize phishing emails.
- Credential compromise and reuse: Deploy multi-factor authentication (MFA), especially on external facing systems. Remove employees’ old or unused accounts from all systems, require regular password changes, and monitor for compromised or leaked login credentials.
- Third-party access: As many companies rely on managed service providers (MSP) or managed security service providers (MSSP), more interconnected networks are created. Ransom actors take advantage of it by breaching the MSP or other third-party vendors, then wait to gain access through them to other networks for the purpose of deploying the ransomware there. Demand that your third-party providers and supply chain vendors use MFA, especially if they have a direct connection to your systems.
- Exploitation: Ransom actors continually scan for vulnerabilities in order to gain access and exploit your information systems. Perform scans of your infrastructure regularly ensuring up-to-date patching while looking for exposed systems and any vulnerabilities that can be exploited.
In addition, conduct tabletop exercises with your internal team to analyze how well you can detect and respond to a security event and look for improvements. You should include in this exercise all the relevant groups: your internal security team, leadership, IT resources, backup team, helpdesk, HR, legal, marketing, and others.
For more information and guidance go to CONNSTEP’s Cybersecurity webpage (https://www.connstep.org/service/cybersecurity/) or contact us with any questions.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to be extra vigilant and report incidents and unusual activity to its website: https://www.cisa.gov/uscert/report.
Visit the CISA Shields Up (https://www.cisa.gov/shields-up) webpage for recommendations and resources to protect your most critical business assets.
You can also access a free online Cybersecurity Planning Toolkit (https://www.connstep.org/services/cybersecurity-planning-toolkit/) from CONNSTEP (https://www.connstep.org/) to view training material and tools, including interactive lessons, videos, and templates you can start using immediately to help you towards cybersecurity framework compliance.