The National Security Council is sending a memo to U.S. companies urging them to take the ransomware threat more seriously as the Biden Administration ramps up its responses following recent attacks linked to Russia-based hacker groups on two major corporations.
In the open letter dated June 3, Anne Neuberger, the NSC’s cybersecurity adviser, said that while the federal government is doing what it can to combat the accelerating threat, private sector organizations also play a crucial role.
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger wrote. “But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
JBS Foods Part of Escalating Problem
The three-page memo comes days after JBS Foods, the world’s largest meat processing company based in Brazil but with a subsidiary in the United States, was hit with a cybersecurity attack that shut down processing plants and threatened the global meat supply. The FBI attributed the attack to REvil, a high-profile cybercriminal group believed to be based in Russia. That attack followed a dramatic ransomware attack on Colonial Pipeline that nearly ground the East Coast of the U.S. to a halt.
REvil hasn’t taken credit for the JBS attack, but according to an NPR report, a representative of the group said in an interview in October 2020 that it was turning its attention to the agricultural sector. The ransomware attack impacted servers connected to JBS’ operations in the United States and Australia. Company officials said late Wednesday that they expected to have most operations back up by Thursday.
Ransomware groups attack companies by seizing their data and encrypting it, then demanding a ransom be paid before they release the key for decrypting the data. More recently, many groups have increased pressure on their victims, threatening to release the data on the web if the ransom isn’t paid.
It was unclear whether JBS paid a ransom.
Ransomware Attacks Accelerating
Early last month, Colonial Pipeline, the largest U.S. fuel pipeline, was hit by a ransomware attack that shut down operations for almost a week, sharply reducing fuel supplies to Southeastern states and resulting in long lines at gas stations. Company officials later admitted that the company paid a $4.4 million ransom – in about 75 Bitcoin – to the attackers to get the decryption key. U.S. officials have said that the hacking group DarkSide, which has links to Russia, was responsible for the breach.
Data breaches, including ransomware, continue to increase, according to a report last month by Verizon Business. The company found that the number of breaches in 2020 jumped to 5,258, a third more than the year before, and that phishing scams increased 11 percent year-over-year. The number of ransomware attacks rose 6 percent. The COVID-19 pandemic and remote work played a significant role in fueling the increases, the company found.
The White House and government agencies are stepping up their responses as the number of ransomware incidents not only increase but also continue to target critical infrastructure. Industries like healthcare and education have also been high-profile ransomware targets during the pandemic.
Smaller public and private organizations also are being targeted by bad actors. The Metropolitan Transportation Authority, which operates New York City’s subway system, said this week that its operations were hacked in April by cybercriminals suspected of being sponsored by the Chinese government. The Massachusetts Steamship Authority, which operates ferry services between Cape Cod and the islands of Martha’s Vineyard and Nantucket, was hit by a ransomware attack this week that affected operations. The FBI is investigating the breach.
During a press conference June 2, White House Press Secretary Jen Psaki said that the Biden Administration was “raising this through the highest levels of the U.S. government. The president certainly believes that [Russian] President [Vladmir] Putin has a role to play in stopping and preventing these attacks.”
Biden is scheduled to meet with Putin in Europe in two weeks and has said he will bring up Russia’s relationships with cybercriminals when they speak.
Just after the Colonial Pipeline attack became public, the U.S. Cybersecurity and Infrastructure Agency (CISA) and FBI issued an alert outlining guidance based on the MITRE ATT&CK framework for protecting critical infrastructure from ransomware. Soon afterward the Biden Administration issued an executive order aimed at reviewing and improving the federal government’s cybersecurity preparedness and response, and the Department of Homeland Security followed last week with cybersecurity requirements for critical pipeline owners and operators.
Steps Companies Should Take
In her memo to U.S. companies, the NSC’s Neuberger laid out steps that organizations should take, including implementing the five steps laid out in Biden’s executive order (including using multi-factor authentication, endpoint detection and response (EDR) technologies and encryption techniques), backing up data, system images and configurations, and promptly updating and patching systems. She also urged them to test incident response strategies, check the work of security teams and segment networks.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” she wrote.
What Can the Government Do?
That said, there are differing opinions in the cybersecurity sector about where the government’s efforts would be most effective. John Bambenek, threat intelligence advisor for cybersecurity firm Netenrich, told eSecurity Planet that more than any other threat, non-technical executives are most familiar with ransomware and already are looking for solutions.
“A letter from a White House official isn’t going to change the game in the slightest,” Bambenek said.
However, what the administration can do is pressure and punish both governments that ignore the ransomware activities in their countries as well as the perpetrators themselves, he said, adding that the “government needs to focus on their pieces of the solution and the things only they can do.”
Others were happy to see the Biden Administration taking steps to address the threat, including sending the memo. Vectra President and CEO Hitesh Sheth told eSecurity Planet he pictures the government working with private companies to develop effective strategies and that it was good to see the White House underscore the urgency, even though ransomware has been a problem for 15 years.
“The difference in 2021 is the more ambitious choice of targets: critical food and fuel supply lines and transport systems,” Sheth said. “When our enemies set their sights higher, so must we.”
Putting Plans in Place
Setu Kulkarni, vice president of strategy at application security vendor WhiteHat Security, said the advice in the White House memo is important, particularly testing incident response plans and penetration testing.
“Often organizations treat their incident response plan like they treat their business continuity plan – it is there and documented for compliance,” Kulkarni told eSecurity Planet. “We need to make a change here to treat the incident response plan much like a fire drill or an earthquake drill, so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute.”
There are other steps businesses can take. Traditional security measures won’t always work against these fast-evolving modern threats, and right now the core issue at most organizations is unauthorized access, particularly given the high level of remote work, according to Lookout CEO Jim Dolce. Given that, instituting zero-trust frameworks will be key, as will implementing practices and tools on all corporate endpoints to mitigate the risk of attacks.
In addition, security teams shouldn’t “use ransomware as a ‘fear, uncertainty, and doubt’ strategy to bend your business to your will,” said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. “The FUD approach is destined to fail. Instead, take a measured, non-hyperbolic approach in explaining the threat and risks to your executive leadership.”
Holland said “the current state of enterprise networks is analogous to patients with chronic illnesses like heart disease; it has taken years to get to this state. There isn’t a magical intervention that will mitigate the risk overnight. We have to address the root causes of the illness, not just the symptoms. The White House’s suggestions aren’t cheap and will take time to implement; there is a very long tail to addressing the extortion threat.”