Ransomware Ecosystem: Big Changes Since Colonial PipelineAlso: Revisiting Ryuk's Rampage; Zero Trust Blockers Anna Delaney (annamadeline) • May 19, 2022 16 Minutes
The latest edition of the ISMG Security Report analyzes the changes in the ransomware landscape one year after the attack on Colonial Pipeline. It also revisits the Ryuk ransomware attack on a school district in Illinois and examines common culprits hindering effective Zero Trust adoption.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz consider how the ransomware landscape has changed following the attack on Colonial Pipeline one year ago;
- ISMG's Jeremy Kirk share a preview of episode 7 of The Ransomware Files, which revisits the Ryuk ransomware attack that struck a school district in Illinois;
- Creator of Zero Trust John Kindervag discuss common culprits hampering effective Zero Trust implementation.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the May 5 and May 12 editions, which respectively discuss whether the tide is finally turning on ransomware and lessons for cybersecurity leaders from the Russia-Ukraine war.
Anna Delaney: When ransomware got serious; revisiting Colonial Pipeline and Ryuk's rampage. These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. One year ago, the ransomware landscape changed dramatically following an attack on Colonial Pipeline in the United States. Joining me to discuss the attack and what's changed since then is Mathew Swartz, executive editor for DataBreachToday and Europe. Matt, a lot has happened in the past year on the ransomware front.
Mathew Schwartz: Very much so. May 7, 2021, is a notable date for ransomware watchers. That's when the Colonial Pipeline got hit by Darkside ransomware. As you may remember, a political firestorm ensued. This didn't just happen because of Darkside or Colonial Pipeline. We also saw a number of major attacks around the same time. Conti, for example, hit Ireland's Health Service Executive, causing months of disruptions and delays for patients of the country's National Health Service. The government even mobilized the army to help wipe and restore affected systems. Last year, the world's biggest meat processor, JBS, got hit by REvil, also known as Sodinokibi ransomware. A lot of people had never heard of JBS, but as food prices started to go up, they certainly learned the name. Colonial Pipeline took its pipeline offline after it got attacked last May, with the distributing 45% of the fuel on the east coast of the United States. That was a big deal and panic-buying ensued. All of these attacks and more led many Western governments to treat ransomware not as a nuisance, or some niche IT concern, but rather as a threat to national security.
Delaney: One year after Colonial Pipeline, where do things stand?
Schwartz: Great question. And I'm always a little wary of anniversaries about things. But so much continues to happen with ransomware. So I thought it would be a great question to put to Jen Ellis, the vice president of Community and Public Affairs at security firm Rapid7. Jen is also co-chair of the Ransomware Task Force that was stood up by the Institute for Security and Technology in 2020. The Task Force had the good timing, I suppose you can say, of issuing a number of recommendations, just one week ahead of the Colonial Pipeline attack.
Jen Ellis: One of the things that governments were looking at doing or have looked at doing align really well with TOSS was not necessarily because they read the report and said we should do all these things. It might be that they were already thinking about them. But certainly, because we had recommendations around them, they've been able to then come to us and say, let's talk about how this would work in real life, right, and what it would look like. So I think, first and foremost, like, we are happy to say that we feel like we've been able to be useful, which I think is really good. And of the main recommendations we put out, we had five real calls to action, really strong ones, which were international collaboration to tackle the international challenges the safe havens, which were seeing. The White House hosted a summit last year of 30 different nations, the G7 had a ransomware-specific event in December. There are work streams that have come out of both of those. And so there is an ongoing government collaboration effort to address ransomware, which is great; international collaboration. We wanted to see it treated as a national security threat. And we wanted to see a whole of government response. And we are seeing that. Like if you look at the US, you've got treasury DOJ, CISA, and DHS, and you’ve got regulatory authorities for specific sectors in the critical infrastructure world. You've got the White House and Congress. And you've got this huge span of people paying attention or working with the State Department. I think we've seen some progress on that. We certainly have more visibility of some nations and others. And we would like to see it being picked up by other nations. And I think that's good. We recommended more of a focus on cryptocurrency. And that is one of the biggest areas that governments are focusing on. We've seen sanctions brought in the US against specific currency exchanges. We'll have to wait and see how that plays out. But I think there is a focus on also how you drive know-your-customer adoption internationally, and what other things can be done without imperiling the completely bonafide use of cryptocurrency. So I think there's some good stuff that's happening there.
Schwartz: Some of the other things that Ellis highlighted in her interview with me were mandatory incident reporting, and we are seeing more moves towards that in the US, Europe, and the UK. And this is going to help law enforcement, policymakers and others get a better handle on just how many ransomware attacks there are, as well as gather better threat intelligence on the groups and the tactics they're using. This will help for combating them. Finally, amongst the shortlist of things that Ellis shared, she called out the collaboration that's been happening between the public and private sectors. She says that is perhaps the standout recommendation of the Task Force and has the potential to deliver the greatest impact on ransomware.
Delaney: Ransomware continues to be a problem, what more needs to be done?
Schwartz: Ransomware is a problem. And if you were to ask, have attacks gone up or have attacks gone down, there's a huge caveat there. Because we don't know about so many attacks, a lot of times victims will pay very quickly to try to keep their name out of the limelight. This is what attackers want. They like it to be a secret that way it's more difficult to disrupt them. On the positive front, though, Rob Joyce, who's in charge of cybersecurity at the National Security Agency, last week speaking at a conference, says the number of ransomware attacks seems to have declined in the last few months, thanks to the Russia-Ukraine war. There's a lot happening that nobody had predicted. A lot of people had thought maybe ransomware groups would be acting as proxies for Russia if it invaded Ukraine. We haven't seen that happen. Unfortunately, we do see the business continuing. And it's not clear what the long-term impact of the war might be, in terms of driving down the number of ransomware attacks. That's a big open question. But all of the moves detailed by Ellis are among the pieces governments are getting in place to help battle ransomware. As with anything involving bureaucracy, it's never a fast process. But it's good to hear from Ellis, that the right moves are happening, the recommendations they have made, in which they're now helping many governments implement because governments have come to them asking how to do it, this is happening. And in the long term, this should help us better crack down on ransomware. Will we ever drive it to the ground and to nothing? Probably not. But if we can bring these big picture counter ransomware tactics to bear, definitely I think we can take a big bite out of this scourge.
Delaney: Let's hope so. Matt, always great speaking with you, and thank you so much for sharing your insight.
Schwartz: Always the time for ransomware! Thanks, Anna.
(You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: Continuing the ransomware theme, have you listened to the seventh episode of The Ransomware Files yet? Well, it's certainly worth a play. Series creator ISMG's Jeremy Kirk takes us back to one of the real ransomware attacks which took place in 2019. Its victim: Rockford Public Schools in Rockford, Illinois. It's a story of both defiance and resilience. And here's a preview.
Jeremy Kirk: Rockford Public Schools in Illinois had a thought for the Russia-based cybercriminals who infected the district with the Ryuk ransomware: Screw them! The school was infected in September 2019, just days after the school year started. Ryuk encrypted upwards of six million files and wrecked applications. But the district kept classes going during a truly mighty recovery effort. Jason Barthel is chief information officer for the school district. He just finished watching the Chicago Bears football team lose their first game of the season when he began to get text alerts around 10 p.m. that the district servers were going offline. Upwards of 300 servers were encrypted. Several weeks of its backups were also encrypted. Some 5000 Windows machines were infected, all of which needed to be re-imaged. Phones and email did not work. Here's Jason:
Jason Barthel: We took a step back in time, that's the way I say it and describe it to a lot of people. We went back to pen and paper.
Kirk: While Ryuk managed to delete some backups, others were intact. A vendor helped restore the application used for its financial system, and the data for that system was also backed up. One copy of its Active Directory also escaped encryption, which served as a foundation for recovering that system. The district was also very upfront about its attack, even doing a podcast episode about the incident, just two months later. The district refused to pay the ransom. Earl Dotson Jr. is chief communications officer for Rockford Public Schools. Here Earl describes the district's attitude to the thought of paying ransom.
Earl Dotson Jr.: Hopefully, this is okay for the podcast but we were like, 'Screw them! We're not giving them nothing.' Like you know we were defying. We were like, how dare you do this to children? People who are in our educational system are trying to learn. So yeah, at one point, it was a shot shock to the system. And you don't know what to do but then you know how that goes those go through those phases. I think then we just got angry like, 'Nah, we ain't doing it [paying].'
Kirk: School districts have taken the brunt of hundreds of ransomware attacks. And there's even a new concept: the Cyber Snow Day, where a cyber incident means school is canceled. Snow days are generally rare events reserved for bad winter weather. Doug Levin is the national director of the K-12 Security Information Exchange, which helps schools improve their cybersecurity. He says 2021 appeared to be a high watermark for just how disruptive ransomware was becoming to schools. Here's Doug:
Doug Levin: But what started happening at the beginning of last school year was that in having to respond to school cybersecurity incident, schools had to cease operations. And even if they were in-person, they sent students home, they couldn't route their buses, and they couldn't operate the point of sale in the cafeteria. Their phone systems are IP-based, so they went down. A lot of the physical security systems in school districts are also IP-based. And so door locks and video camera systems weren't working. And so they couldn't guarantee the safety of students. So much of the teaching and learning that happens is taking advantage of devices and the Internet and they couldn't use those. So we have seen now in response to school cybersecurity incidents, schools having to close for days or weeks. And in the case where a school district is trying to recover on their own from these sorts of incidents, it can be months and months before they're fully operational again.
Kirk: Doug says that some school districts have paid very high ransoms.
Levin: Way back in 2015-2016, maybe a ransom demand might be in the order of $5,000 or $10,000 to be paid in cryptocurrency. Today, it wouldn't be unusual for that figure to be well over a million dollars. Rather publicly, school districts have been reported to have paid ransoms in the hundreds of thousands of dollars. I'm aware of instances where school districts or their insurance providers may have paid $1 million, $2 million, or more.
Kirk: There's much more in this episode of The Ransomware Files, which is called Ryuk's Rampage. You can check it out on Apple, Spotify, and other podcasting platforms as well as on ISMG's websites. For Information Security Media Group, I'm Jeremy Kirk.
Delaney: And finally, zero trust has become fundamental for the security and growth of organizations to meet the ever-shifting threat landscape. Indeed, it plays a key role in President Biden's cybersecurity executive order issued last year, which stipulates that by the end of the fiscal year 2024, the federal government must adopt security best practices and advance toward zero trust architecture. But why do so many companies fail to implement their zero-trust strategies effectively? During a recent ISMG Editors' Panel, executive editor Mathew Schwartz asked the creator of zero trust, John Kindervag, what are some common culprits of causes that stymie zero trust implementation?
John Kindervag: The first culprit is Linux, right? If you think about it, Linus Torvalds should be the richest person in the world. Because we don't have cloud, we don't have most of the things that we have without Linux. Linux has, what people pretend is a firewall called IP tables, which is really just a way to turn on an ACL—an access control list—that doesn't even maintain state. So we go back to the pre-CheckPoint days. When CheckPoint invented the stateful firewall, it was because hackers could bypass access control lists easily. Now we're saying, ‘Hey, hackers, we're going back to the early 90s, so have at it, compromise every cloud environment. Because it's easy.’ Secondly, we have a new generation of people who haven't been trained in some of the basics of what is TCP/IP? What is the OSI model? What is a network? How does a packet flow? What are the basics of our industry, and they get into the higher level stuff, agile versus waterfall versus DevSecOps, and all of the things that sound sexy without understanding the basics. Buildings fall down if you don't deal with the basics. You can have great modern architectures but if the foundation isn't there, they're going to fall down.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time!