How does a ransomware attack work?

Imagine you’re sitting at a computer. Perhaps you’re managing a fleet of trucks. Or ships. Or perhaps tendering a load of cargo, or sending customs clearance documentation. And then suddenly, things stop working. Every file has a strange extension. You can’t open anything. Then you notice a text file. It kindly explains that you’ve been the victim of a ransomware attack.

Ransomware attacks are pretty straightforward at their core. They involve a piece of software called malware that encrypts files on a victim’s computer or across a network. The cybercriminals who launch them then extort their victims by demanding a payment in exchange for providing a digital key to restore access. Often, the criminals also steal data for additional leverage.

The recent ransomware attacks on the Colonial Pipeline and JBS Meat offer a sobering reminder of what cybercriminals can do: Shut down operations, steal sensitive data and create a nightmare disrupting international supply chains.

How hackers get in

Phishing is one of the most common methods. That involves an email with either a malicious link or a file containing malware. Hackers use plenty of other methods as well. Exploiting vulnerabilities in networks or software is a big one. A less common, and generally more sophisticated, approach is called a supply chain attack. This has nothing to do with the movement of goods. Instead, it refers to exploiting a trusted third party — often a supplier of software — and sneaking in malware.

But in the case of Colonial Pipeline, it was reportedly painfully simple. The hackers exploited an unused virtual-private network (VPN) account with a password they had obtained, according to a recent Bloomberg interview with cybersecurity consultant involved in the response. VPNs are a common method companies use for remote access. How the hackers obtained the password isn’t clear, but apparently, it had been reused multiple times.

The serious damage from these attacks comes from the ability of attackers to leverage their access to their target’s system. They can become, in effect, an invisible administrator that can move freely through complex networks, monitoring activities, distributing malware and quietly stealing data. In the trucking and logistics sector, they’ve breached transportation management systems. When they’re not detected, they activate the ransomware and bring down networks in a relatively short period.

While successful attacks can utilize an incredible amount of skill to pull off, cybersecurity experts say they generally are preventable — or can be mitigated to a large degree. There isn’t a simple answer to effect prevention. But it generally requires having multiple layers of defense, and importantly, the ability to remain operational.

So-called ransomware gangs make millions

When attacks succeed in bringing down or seriously compromising networks, they can have devastating effects on a company’s ability to operate. Recent attacks that have made the headlines were carried out by organized groups that rake in millions of dollars through ransomware.

Restoring systems can be a time-consuming and expensive process. Sometimes paying the ransom can be cheaper than not. And even in cases in which companies can get themselves back up and running, they often pay to avert a public release of data. Multiple ransomware gangs maintain leak sites on the dark web — a corner of the internet not readily accessible though standard web browsers.

Feds turn up the heat

The U.S. government generally discourages ransomware payments — publicly at least — arguing that they enable the criminals. But for companies effectively against the wall, paying the criminals can be the least bad option — particularly if they’re insured. A whole industry has emerged around helping companies respond to these attacks, including firms that specialize in negotiating with the criminals.

The U.S. is taking an increasingly aggressive posture in response to attacks, including naming and shaming the criminal groups behind them. DarkSide, the group behind the Colonial attack, “headed for the hills when they realized the seriousness of the attack,” as Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, told FreightWaves recently. On Monday, the Department of Justice announced it had seized most of the payments made by Colonial.

In another encouraging sign, a ransomware gang called Avaddon shut itself down and even released the keys to unlock corrupted files, to the cybersecurity news site BleepingComputer. Callow’s company released a free tool to allow victims to encrypt their data. Avaddon was responsible for multiple attacks on transportation and logistics companies. It claimed to have attacked Greatwide Truckload Management, leaking stoves of stolen data. (The company did not respond to FreightWaves’ request for comment about the claimed attack.)

by Nate Tabak @ Freightwaves